Every wireless LAN has a service set identifier (SSID) - a unique name that allows stations to connect to the desired network. Despite this apparently simple purpose, SSIDs have been widely misunderstood.
The name game
Wireless stations communicating with one access point (AP) form a basic service set (BSS). Several BSSs tethered together to create a single logical LAN form an extended service set (ESS). An SSID is merely the name of an ESS - a case-sensitive alphanumeric string, up to 32 characters.
SSIDs help stations find and connect to APs in one ESS, ignoring APs in other ESSs. Every AP advertises itself by repeatedly broadcasting beacon frames that carry the SSID. Stations discover APs by passively listening for beacons with the desired SSID or by actively sending probe frames to search for APs with that SSID. Stations connect to the "best" AP by sending an associate request that carries the SSID. The AP sends back an associate response that also contains the SSID.
SSIDs are analogous to Windows workgroup names. PCs use those names to browse a network neighborhood and discover others in the same workgroup. When a PC actually tries to access a fileshare, permission is determined by computer name, user name and password. Similarly, stations use SSID to discover APs in the same ESS, but access depends upon other parameters like the station's address, WEP keys and 802.1X credentials. Access requests must carry the right name, but the workgroup or ESS name is not a password – it identifies the resource to be accessed.
Resistance is futile
Many people (including myself) have tried to "hide" SSID as a security measure. Unfortunately, efforts to hide SSID ultimately fail and degrade overall WLAN performance.
Some APs can be configured to send beacons with a zero-length SSID instead of the actual SSID. This "hides" the SSID because stations cannot passively learn the actual SSID from beacons. Stumblers that listen only to beacons may not display the SSID but still discover the AP because beacons are sent many times per second. In other words, the AP now shouts "I'm here! I'm here!" instead of "ABC here! ABC here!"
If a station cannot hear an AP beaconing with the desired SSID, it must send probe requests on all channels to find an AP with the right SSID. These probes increase overhead – not only when the station first associates, but over time as stations continually try to locate other APs with better signal strength. You might argue that overhead is worth added security, but security really has not been improved:
- A station that wants the SSID need only ask for it. If a station's probe request carries a zero-length SSID, the AP must return its actual SSID in the probe response. Some products can be configured to require the station to present the actual SSID. But this "Closed System" mode helps only briefly because…
- Every associate request and response carries the actual SSID. A station can passively observe frames sent by other stations to learn the SSID. Several discovery tools take advantage of this behavior, listening to all frames to identify the WLAN's actual SSID.
As a result, an AP that does not send its SSID in beacons and ignores probes without the actual SSID will keep the ESS name hidden only so long as the WLAN remains unused. As soon as a legitimate station associates, the actual SSID can be obtained from captured traffic. An attacker that gets impatient can force a station to (re)associate by sending a forged disassociate.
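To make the point concrete, here is an added example (not part of Lisa's column) that walks the tagged elements of raw 802.11 management frames and audits a capture: the beacon's zero-length SSID element still reveals the AP, and the very next associate request names the ESS. The frames, MAC addresses and the SSID "ABC" are constructed test data, not a real capture.

```python
import struct

# Management subtypes that carry an SSID element, and the length of the fixed
# fields that sit between the 24-byte MAC header and the tagged parameters.
SUBTYPES = {0: "assoc-req", 1: "assoc-resp", 4: "probe-req", 5: "probe-resp", 8: "beacon"}
FIXED_LEN = {0: 4, 1: 6, 4: 0, 5: 12, 8: 12}

def parse_mgmt(frame: bytes):
    """Return (subtype name, BSSID, SSID); SSID is "" for a zero-length ("hidden") element."""
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        return None
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])   # addr3 is the BSSID in all of these
    body, pos, ssid = frame[24 + FIXED_LEN[subtype]:], 0, None
    while pos + 2 <= len(body):                            # walk tag / length / value elements
        tag, length = body[pos], body[pos + 1]
        if tag == 0:                                       # element ID 0 = SSID
            ssid = body[pos + 2:pos + 2 + length].decode("utf-8", "replace")
            break
        pos += 2 + length
    return SUBTYPES[subtype], bssid, ssid

def audit(frames):
    """Map each BSSID to the frame types seen and the real SSID, if any frame exposed it."""
    seen = {}
    for f in frames:
        parsed = parse_mgmt(f)
        if parsed is None:
            continue
        kind, bssid, ssid = parsed
        entry = seen.setdefault(bssid, {"frames": [], "ssid": None})
        entry["frames"].append(kind)
        if ssid:                                           # a non-empty element names the ESS
            entry["ssid"] = ssid
    return seen

def build_mgmt(subtype: int, dst: bytes, src: bytes, bssid: bytes, ssid: bytes) -> bytes:
    """Construct a minimal management frame (constructed test data, not a real capture)."""
    header = struct.pack("<HH", subtype << 4, 0) + dst + src + bssid + b"\x00\x00"
    return header + bytes(FIXED_LEN[subtype]) + bytes([0, len(ssid)]) + ssid

AP, STA, BCAST = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02112233aa02"), b"\xff" * 6
CAPTURE = [                                   # constructed sample capture, in time order
    build_mgmt(8, BCAST, AP, AP, b""),        # beacon with zero-length SSID: AP visible, name hidden
    build_mgmt(0, AP, STA, AP, b"ABC"),       # a legitimate station associates and names the ESS
    build_mgmt(1, STA, AP, AP, b"ABC"),       # the AP's associate response repeats it
]

if __name__ == "__main__":
    for bssid, info in audit(CAPTURE).items():
        print(bssid, info["frames"], "SSID:", info["ssid"])
```

Running the audit over only the first frame reports the BSSID with no name; adding the association exchange fills it in, which is exactly the window the text describes.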
SSID "hiding" therefore provides little-to-no security gain and a tangible performance penalty – especially in busy WLANs. A lightly-used home WLAN might benefit from hiding SSID while nobody is home, but even this is debatable. If you're not convinced, read "The Myth of Hiding SSIDs" by Bob Moskowitz. Or hide SSID and use a tool like AirMagnet to see how long it takes to discover the SSID.
Picking a good SSID
Nonetheless, you should still select a good SSID. You'll be blasting that name out to the world, so pick a value that exposes little about your network.
- Never use the default SSID. First, this may result in accidental associations when you and your neighbor both purchase Linksys WAPs (for example). Second, the default invites probing - attackers target these APs because owners are less likely to have applied security measures.
- Unless you're operating a public hotspot, avoid SSIDs that disclose the AP's location or owner. This information just makes it easier for someone who wants to attack you.
- Pick values that are 8+ characters and unique to reduce accidental associations and trivial war driving. It doesn't hurt to raise the bar slightly when doing so doesn't cost you anything.
This was first published in April 2003