

40.0 Security

(Thanks to DSLrgm for this info.)

You really cannot turn off the SSID field in the beacon. The SSID element is mandatory in both the BEACON and the PROBE RESPONSE. So, for systems that did not have the concept of an SSID, the standard allowed a NULL SSID, i.e. 0x00 in all 32 bytes of the SSID field. (Most APs that "hide" the SSID today send a zero-length SSID element instead; the effect is the same.)

Also, you cannot turn off the beacon. You can vary its period, but not eliminate it. The beacon provides the timing and the other parameters needed to run a BSS.

The NULL SSID option was included in the original spec for some vendors products that did not even have the concept of SSIDs. This allowed for reasonable migration to everyone using SSIDs.

Of course this "feature" was never taken out, and then, I think it was ORiNOCO or Enterasys that came up with the idea that they could make their customers think they were better off by sending NULL instead of the real SSID.

Then ISS jumped up and claimed that the SSID was a password sent in the clear, and the rest is history.

In short, although WiFi routers sometimes have a "turn off SSID" feature, it does not provide any security (or, to name it correctly, it provides only false security). An analogy: turning off the SSID is like turning off the porch light over the front door of your home. Whether the light is on or off has no bearing on the state of the lock on the door, and anybody with a WiFi scanner can "turn the porch light back on" anyway.

For practical purposes (setting aside the technical workings), the SSID is a piece of communication that lets everyone in an area share the spectrum, responsibly or not. For example, in the 2.4 GHz band, if I note that a neighbour is using channel 1, I would choose channel 6 or 11 (the channels that do not overlap with it).

More technical detail:

First, an AP MUST send a BEACON frame. Per clause 7.2.3.1 a BEACON MUST contain the following fields:

Timestamp
Beacon interval
Capability information
SSID
Supported rates
FH Parameter Set \
DS Parameter Set > Just one of these
CF Parameter Set /
IBSS Parameter Set - for stations in AdHoc (yes they send BEACONs too)
TIM - for APs

The BEACON is sent every beacon interval. It announces the BSS and defines how stations are to operate in the BSS.

There are two "types" of SSIDs: a field of up to 32 octets (usually shown as a string) or NULL.

Now, on to the operation of stations in a BSS.

Stations may scan for APs passively, or actively. That is they can either just listen for BEACONs, or send a PROBE REQUEST. Passive scanning only works if the BEACON contains the SSID, and not NULL.

If the station does not detect a BEACON with an SSID, or the desired SSID, it SHOULD send a PROBE REQUEST. This frame also has the SSID field in it. The station MAY either put NULL or the SSID in the REQUEST. If NULL is used an AP MAY respond with a PROBE RESPONSE with its SSID, or it MAY ignore this REQUEST. If the REQUEST contains the SSID of the AP, the AP MUST send a RESPONSE with its SSID.

Now let's look at this operationally. An AP is set to operate on a specific channel. It sends its BEACONs out on that channel. If a station passively scans, it listens on each channel in turn for long enough to receive a BEACON. If the station actively scans, it sends a REQUEST on each channel in turn. Passive scanning can be done in the background. Active scanning interrupts other activity to work.

Microsoft has defaulted XP to only actively scan. SOME vendor drivers will passively scan (like Symbol's, who knows better than Microsoft). All wireless phones passively scan first. Why is this?

Active scanning MAY take up to 2 seconds. Passive scanning MAY build up the AP neighbour table with NO interruption to usage. So roaming can be VERY time intensive with active scanning, but frequently "painless" with passive scanning.

So in response to your point at the beginning of this missive.

It is probably the case that your system is always actively PROBING for APs with your SSID. In so doing, it is announcing your SSID. Now, it only does this when it needs to find an AP to ASSOCIATE with. Once ASSOCIATEd, it is just fat and happy. But if it loses the signal, it PROBEs again, sending out your SSID.

Thus you really cannot hide your SSID, even if you set your AP to send a NULL in the SSID field of the BEACON.

IF there is no activity on your network, you are "hidden," but if even ONE station is ASSOCIATEd and transmitting, an attacker can forge a DISASSOCIATE (or DEAUTHENTICATE) from the AP to your station. Your station then promptly starts PROBING and exposes your SSID.
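The frame-level behaviour described above (SSID element in the BEACON, NULL/hidden SSID, the station's PROBE REQUEST carrying the real SSID) can be checked with a small parser. The following is an added example, not code from the FAQ or from any AP vendor: it builds constructed management-frame bodies (no real captures), pulls the SSID information element out of them, and classifies it. The frame layouts follow 802.11 (fixed fields of 8+2+2 bytes before the tagged elements in a Beacon; none in a Probe Request); the sample SSID "HomeNet" and the helper names are my own. The SSID is kept as 32 octets rather than a C string, which is the point raised in the feedback further down.

```python
from __future__ import annotations
import struct
from typing import Iterator, Optional, Tuple

ELEMENT_ID_SSID = 0
SSID_MAX_LEN = 32
BEACON_FIXED_LEN = 12     # Timestamp(8) + Beacon interval(2) + Capability info(2)
PROBE_REQ_FIXED_LEN = 0   # A Probe Request body starts directly with elements


def iter_elements(body: bytes, offset: int) -> Iterator[Tuple[int, bytes]]:
    """Walk the TLV information elements that follow the fixed fields."""
    while offset + 2 <= len(body):
        eid, length = body[offset], body[offset + 1]
        value = body[offset + 2: offset + 2 + length]
        if len(value) != length:
            raise ValueError("truncated information element")
        yield eid, value
        offset += 2 + length


def extract_ssid(body: bytes, fixed_len: int) -> Optional[bytes]:
    """Return the SSID element as raw octets, or None if the frame lacks it."""
    for eid, value in iter_elements(body, fixed_len):
        if eid == ELEMENT_ID_SSID:
            if len(value) > SSID_MAX_LEN:
                raise ValueError("SSID element longer than 32 octets")
            return value          # octets, not a str: embedded NULs are legal
    return None                   # the element is mandatory; treat as malformed


def classify_ssid(ssid: Optional[bytes], from_ap: bool) -> str:
    """Zero-length or all-NUL means 'hidden' in a Beacon/Probe Response and
    'wildcard' (any AP may answer) in a station's Probe Request."""
    if ssid is None:
        return "missing"
    if len(ssid) == 0 or ssid.count(0) == len(ssid):
        return "hidden" if from_ap else "wildcard"
    return "named"


def c_string_view(ssid: bytes) -> bytes:
    """What a naive C-string decoder sees: everything after the first NUL is lost."""
    return ssid.split(b"\x00", 1)[0]


def build_beacon_body(ssid: bytes, interval: int = 100, capab: int = 0x0431) -> bytes:
    """Constructed Beacon body: fixed fields, SSID, Supported Rates, DS Parameter Set."""
    fixed = struct.pack("<QHH", 0, interval, capab)
    elems = bytes([ELEMENT_ID_SSID, len(ssid)]) + ssid
    elems += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])   # basic rates 1/2/5.5/11 Mb/s
    elems += bytes([3, 1, 6])                        # DS Parameter Set: channel 6
    return fixed + elems


def build_probe_request_body(ssid: bytes) -> bytes:
    """Constructed Probe Request body: SSID element then Supported Rates."""
    return bytes([ELEMENT_ID_SSID, len(ssid)]) + ssid + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])


def demo() -> dict:
    """An AP sending 32 NUL bytes is 'hidden', yet the station that lost it
    probes with the real SSID, which any listener can read off the air."""
    real = b"HomeNet"                                   # sample SSID (constructed)
    hidden_beacon = build_beacon_body(b"\x00" * SSID_MAX_LEN)
    probe = build_probe_request_body(real)
    return {
        "beacon": classify_ssid(extract_ssid(hidden_beacon, BEACON_FIXED_LEN), True),
        "probe": classify_ssid(extract_ssid(probe, PROBE_REQ_FIXED_LEN), False),
        "leaked": extract_ssid(probe, PROBE_REQ_FIXED_LEN),
    }


if __name__ == "__main__":
    print(demo())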



Feedback received on this FAQ entry:
  • An SSID is NOT a string of up to 32 characters. It is a field of up to 32 octets/bytes of information. It is indeed often interpreted as a C string, but that is actually a mistake, as the null character ('\0') is a valid byte value in the field. If you insist that it is a string, then it can only have up to 31 characters, as C, the language used for most Wi-Fi routers, uses a null character as its final delimiter. Such a character would occupy the 32nd position in the string buffer, unless the code for the router properly converts the buffer into a string by adding the null in the 33rd position. An assumption no one should make given the poor understanding of what SSID encoding actually is.

    2014-07-11 10:02:19

by No_Strings edited by Anav
last modified: 2018-02-26 08:46:54


The most commonly suggested tool is AirSnare. It works by reporting the presence of non-approved devices, identified by MAC address.

»home.comcast.net/~jay.de ··· irsnare/

Another option is Look@LAN. From the author: "The program can monitor the nodes and alert you of any changes (new nodes, offline nodes etc.). The main window lists all available nodes and detailed statistics and scan results are available for each individual machine, including a real-time traceroute report, ping results, active services (open ports) and more." Note that our readers discovered that systems not responding to ICMP pings will be stealthed. The thread is here: »Very cool LAN tool

»www.lookatlan.com/home.html
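Both tools above boil down to comparing the MAC addresses seen on the LAN against a list of devices you approve. The following is an added example that is not AirSnare's or Look@LAN's code: it parses constructed `arp -an` (Linux/BSD) and `arp -a` (Windows) output, normalizes the two MAC notations, ignores broadcast/multicast entries and `<incomplete>` lines, and reports anything not on a hypothetical allow-list. The sample table contents and the `APPROVED` list are made up for the example. Working from the ARP cache rather than from ping replies sidesteps the stealthing problem mentioned above: a host that drops ICMP still has to answer the ARP request that precedes the ping, so it lands in the cache anyway.

```python
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample output (not from any real network).
SAMPLE_LINUX = """\
? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.20) at aa:bb:cc:dd:ee:01 [ether] on wlan0
? (192.168.1.42) at de:ad:be:ef:00:01 [ether] on wlan0
? (192.168.1.77) at <incomplete> on wlan0
"""
SAMPLE_WINDOWS = """\
Interface: 192.168.1.5 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-11-22-33-44-55     dynamic
  192.168.1.42          de-ad-be-ef-00-01     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
  224.0.0.22            01-00-5e-00-00-16     static
"""
# Hypothetical allow-list of devices you own; mixed notation on purpose.
APPROVED = ["00:11:22:33:44:55", "AA-BB-CC-DD-EE-01"]

IP_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
MAC_RE = re.compile(r"\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b")


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so both tools' notations compare equal."""
    return mac.lower().replace("-", ":")


def is_group_address(mac: str) -> bool:
    """Broadcast/multicast MACs have the I/G bit (low bit of the first octet)
    set; they are not hosts and must never be reported as intruders."""
    return int(mac[:2], 16) & 1 == 1


def parse_arp_table(text: str) -> Dict[str, str]:
    """Map IP -> normalized MAC for every resolved unicast entry."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if not ip or not mac:
            continue   # header lines and "<incomplete>" entries carry no MAC
        m = normalize_mac(mac.group(1))
        if not is_group_address(m):
            entries[ip.group(1)] = m
    return entries


def find_unapproved(entries: Dict[str, str], approved: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (ip, mac) pairs whose MAC is not on the allow-list."""
    allowed = {normalize_mac(m) for m in approved}
    return sorted((ip, mac) for ip, mac in entries.items() if mac not in allowed)


if __name__ == "__main__":
    for name, table in (("linux", SAMPLE_LINUX), ("windows", SAMPLE_WINDOWS)):
        for ip, mac in find_unapproved(parse_arp_table(table), APPROVED):
            print(f"{name}: unapproved device {mac} at {ip}")
```

The ARP cache only holds hosts that have exchanged traffic recently, so a sweep of the subnet (pinging every address first) is what populates it. Bear in mind that a MAC allow-list is an inventory aid, not access control: anyone can clone an approved MAC, so this only tells you about devices that are not trying to hide.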

by No_Strings
last modified: 2006-01-02 10:21:47

This HOWTO provides an excellent explanation of 802.1X as well as how to set up port-based authentication using FreeRADIUS and XSupplicant. In short, 802.1X is a recognized standard for limiting access to a LAN or WLAN to a controlled/authorized list of users (normally stored on a server).

»tldp.org/HOWTO/8021X-HOW ··· dex.html

by No_Strings edited by Anav
last modified: 2018-02-26 09:01:52

The Unofficial 802.11 Security Web Page - »www.drizzle.com/~aboba/IEEE/ - has a wealth of information and links related to wireless security.

Authentication, encryption, performance, vulnerabilities and more are linked on this page.

Also don't forget to visit the Wireless Security Forum here at BBR:

»Security

by No_Strings edited by adsldude
last modified: 2005-02-19 12:21:22

This article from Microsoft provides a nice overview for anyone wanting to use PEAP and passwords to secure a wireless LAN. Since a RADIUS server is involved, the target audience is likely to be businesses or very advanced home users.

»www.microsoft.com/techne ··· p_0.mspx

The introduction is particularly informative, spelling out many of the terms you'll need to understand in order to secure a wireless setup. Threats, benefits and alternatives are discussed.

»www.microsoft.com/techne ··· int.mspx

Thanks to BeesTea for finding the article.

by No_Strings
last modified: 2005-03-14 15:34:03

For the best chance of success, do these steps in this order:

1. On your wireless router or access point (AP), change your SSID to something that you have never used before.
2. On your wireless AP, configure the security that you want.
3. Unplug power to your AP.
4. Remove all saved profiles for that AP from your wireless computers.
5. Reboot your wireless computers.
6. Restore power to your AP.
7. Using your wireless computers, associate with the new SSID and input the new security information.

Why these steps help: the wireless parameters of a network are stored by SSID and BSSID (the AP's MAC address). Choosing a new SSID, deleting the previous profiles, and rebooting erase any previous memory of the wireless network and let your software create a single wireless profile with the correct connection and security parameters.

by funchords edited by No_Strings
last modified: 2006-08-06 23:34:12