Hi folks,
I recommend that my customers, friends, etc not broadcast their wireless network SSID for security reasons.
I was disappointed to find that while trying to connect my grandkids' new Raspberry Pi units to their dad's wireless router (the wifi dongle is a Ralink RT5370), it would not connect until we re-enabled SSID broadcasting on the router.
Is this a limitation of the RPi, the Ralink, or the Raspbian?
Is there a workaround that will allow us to connect the RPi wirelessly without inviting casual discovery of the access point?
I'm new to the Linux environment and would appreciate input from someone better informed.
Thanks,
Generator
Re: Is broadcasting SSID mandatory?
It's not necessary, but neither do I think it's worth the battle to suppress the SSID. As far as I'm aware it's still broadcast in management messages. Suppression only works against people who can't be bothered to run another program to sniff out the SSID.
Re: Is broadcasting SSID mandatory?
Are you saying that the ssid must be broadcast in order to have the RPi connect via the Ralink adapter?
I don't catch your drift on "worth the battle." Are you saying that it is possible to do what I wish to do but that it is difficult?
When configuring I typed in the SSID along with the password. The scan function could see the wireless signal. It just would not connect until I reconfigured the router re-enabling the SSID broadcast.
I was disappointed earlier to see that my wife's nook also won't connect unless the SSID is being broadcast.
Generator
Re: Is broadcasting SSID mandatory?
I used to suppress the SSID on my router but found that it seemed to cause problems with reconnecting after a dropped connection (on Linux boxes). In the end I decided it wasn't worth the time and effort to find a solution. This would be 3 or 4 years ago when Linux had a much harder time with wireless networks (because of proprietary firmware).
- tonyhughes
- Posts: 951
- Joined: Wed Dec 26, 2012 3:46 am
Re: Is broadcasting SSID mandatory?
Broadcasting the SSID is quite normal.
Hiding the SSID doesn't make all that much difference. People looking to hack networks won't be slowed by the lack of a broadcast SSID.
Re: Is broadcasting SSID mandatory?
Certainly, a hacker can bypass a hidden SSID, even WPA2 protection can be cracked with enough time. But it is worth keeping it hidden as part of a layered approach. The equivalent scenario of this is a robber; they will pick the house with the unlocked doors before messing around and wasting time with the one that is locked and has deadbolts.
> Is there a workaround that will allow us to connect the RPi wirelessly without inviting casual discovery of the access point?
Absolutely, and it is not a workaround, but a feature of wpa_supplicant. My Raspberry Pi is set up for hidden SSIDs and works fine. Assuming you are using wpa_supplicant, add "scan_ssid=1" to the /etc/wpa_supplicant/wpa_supplicant.conf file in the "network" section. Here is an example (do not add the other parameters because they are specific to my application):
Code:
network={
    ssid="Connectify-pi"
    scan_ssid=1
    mode=0
    proto=WPA2
    auth_alg=OPEN
    pairwise=CCMP
    group=CCMP
    key_mgmt=WPA-PSK
    psk="ENTER PASSWORD HERE"
    id_str="win7"
    priority=1
}
My Raspberry Pi Project Page:
https://www.flaminghellmet.com/launch/
Re: Is broadcasting SSID mandatory?
Thank you pjc123,
This sort of config file modification is what I would have expected to find.
Where might I find documentation of this and other configuration files and their possible entries?
Respectfully,
Generator
Re: Is broadcasting SSID mandatory?
generator wrote:
> Thank you pjc123,
> This sort of config file modification is what I would have expected to find.
> Where might I find documentation of this and other configuration files and their possible entries?
> Respectfully,
> Generator
The documentation is located on the pi in the /usr/share/doc/wpa_supplicant directory. There are various examples and explanations of all the parameters. /usr/share/doc has document sub-directories for many different applications. Other than that, look at the "man", "info", etc. commands for the documentation and usage of various programs, commands and settings.
My Raspberry Pi Project Page:
https://www.flaminghellmet.com/launch/
Re: Is broadcasting SSID mandatory?
pjc123 wrote:
> Certainly, a hacker can bypass a hidden SSID, even WPA2 protection can be cracked with enough time.
The difference is that cracking WPA2 is infeasible, and finding a hidden SSID is trivial.
I'm very strong on security. But this is like taking a bank vault, with six foot of steel, and placing a piece of tissue paper on top of it as part of a "layered approach".
Really, don't bother.
Re: Is broadcasting SSID mandatory?
technion wrote:
> But this is like taking a bank vault, with six foot of steel, and placing a piece of tissue paper on top of it as part of a "layered approach".
How about if the tissue paper is triple-ply and extra absorbent?
-
- Posts: 121
- Joined: Wed Oct 17, 2012 10:10 pm
- Location: Brisbane Australia
Re: Is broadcasting SSID mandatory?
generator wrote:
> I recommend that my customers, friends, etc not broadcast their wireless network SSID for security reasons.
Many years ago, this was a touted security "meme" which most people followed. However it makes little difference to security and is just plain inconvenient for setup and diagnosis etc, so that meme died long ago.
Re: Is broadcasting SSID mandatory?
The ESSID is included in the clear in wireless traffic whether broadcast or hidden, so it is easy to sniff it out when there is "any" wireless traffic. How else would an access point know what wireless traffic to respond to?
But hiding the ESSID can result in delays, because clients cannot tell if the access point is still up, and may disconnect or go into power save mode. So there can be delays and additional WiFi traffic re-establishing a connection. It can also make it more difficult to initially connect unless you know exactly what the ESSID is and whether upper or lower case matters.
So I partially rely on security through obscurity, with my wireless/modem/router in the basement, which connects through both floors of my home, but cannot get out horizontally more than a few feet beyond the walls of my home. And I am using the same old unique ESSID that I used to use for a totally different brand of hardware.
Re: Is broadcasting SSID mandatory?
generator wrote:
> Hi folks,
> I recommend that my customers, friends, etc not broadcast their wireless network SSID for security reasons.
Hiding your SSID may seem a good idea but is counter productive for security reasons.
In fact, it makes you more likely to expose your 'home' SSID when out of range of your router because any devices that know the SSID search for it in the clear, as opposed to waiting for it to come into range.
I suggest you tactfully retract the recommendations you have made to your customers, friends, etc.
Use Google if you don't believe me.
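Added example (not part of any post in this thread): the scan_ssid=1 setting from the configuration posted earlier is what makes a client name a hidden network in its probe requests, wherever the device happens to be, which is the exposure this post describes. The Python script below parses a wpa_supplicant.conf and lists the networks a device will probe for by name; the sample configuration, its SSIDs and its passphrase are constructed, and the function names are illustrative.

```python
"""List the networks in a wpa_supplicant.conf that the client probes for by name."""
import re

# Constructed sample configuration (not taken from a real system).
SAMPLE_CONF = '''
ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
update_config=1

network={
    ssid="HomeHidden"
    scan_ssid=1            # hidden AP: client sends directed probe requests
    key_mgmt=WPA-PSK
    psk="constructed-example-passphrase"
}

network={
    ssid="HomeVisible"
    key_mgmt=WPA-PSK
    psk="constructed-example-passphrase"
}

network={
    ssid=4f6c644361666557694669
    scan_ssid=1
    key_mgmt=NONE
}
'''


def strip_comment(line):
    """Drop a trailing # comment unless the # sits inside a double-quoted value."""
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "#" and not in_quotes:
            return line[:i]
    return line


def parse_networks(text):
    """Return one dict of key -> raw value for every network={...} block."""
    networks, current = [], None
    for line in text.splitlines():
        line = strip_comment(line).strip()
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        elif current is not None and "=" in line:
            key, _, raw = line.partition("=")
            current[key.strip()] = raw.strip()
    return networks


def ssid_text(raw):
    """A quoted ssid is a literal string; an unquoted one is a hex string."""
    if len(raw) >= 2 and raw[0] == raw[-1] == '"':
        return raw[1:-1]
    if re.fullmatch(r"(?:[0-9a-fA-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def probed_networks(text):
    """Networks with scan_ssid=1: the client sends their SSID in probe requests."""
    findings = []
    for net in parse_networks(text):
        if net.get("scan_ssid", "0") != "1":
            continue
        # wpa_supplicant's documented default when key_mgmt is not set.
        key_mgmt = net.get("key_mgmt", "WPA-PSK IEEE8021X")
        findings.append({
            "ssid": ssid_text(net.get("ssid", "")),
            "key_mgmt": key_mgmt,
            # key_mgmt=NONE without WEP keys is an open network: nothing
            # authenticates whichever access point answers to that name.
            "open": key_mgmt == "NONE" and "wep_key0" not in net,
        })
    return findings


if __name__ == "__main__":
    for item in probed_networks(SAMPLE_CONF):
        note = "open network, no AP authentication" if item["open"] else item["key_mgmt"]
        print(f"probes for {item['ssid']!r} by name ({note})")
```

On a Pi, pass the contents of /etc/wpa_supplicant/wpa_supplicant.conf to probed_networks() instead of the sample; entries for networks that are no longer used are candidates for removal.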
Re: Is broadcasting SSID mandatory?
I've read the comments and referenced articles provided here by folks who seem adamant that I should broadcast my wireless router's SSID. I'm not convinced.
I'll not even address the arguments of those who've simply stated an opinion without any basis in logic. Those are the "it's not worth the hassle", "Hackers will have tools that can find the SSID anyway" stuff.
I'm still of the opinion that by not broadcasting my router's SSID, I'm less likely to attract those with intent to connect.
If I enable SSID, 100% of the people with smartphones, iPads, laptops who are within range of my router will see my SSID when their device is within range of the router's broadcast. People who know the network exists: 100%
If I do not broadcast my SSID, only those users who are actively seeking to find hidden networks and employ specialized software will know that a wireless network is present. What percentage of people are actively employing these tools to find non-broadcasting wireless access points? Let's say an incredible 50% of people do so (not likely.)
My network's existence is known to half of those it would have been known to by broadcasting it. Net improvement 50%.
It has been noted that when a wireless network's SSID is not broadcast, connecting clients may/will broadcast the SSID in the clear. That may be true, but again what percentage of the time will wireless clients be attempting to "find" the autoconnect wireless network that is not broadcasting its SSID? Let's say it's an incredible 75% of the time.
SSID Broadcast scenario:
Time window where broadcast SSID is visible 100%
People in range who know it exists when broadcasting SSID? 100%
Non Broadcast scenario:
Time window when SSID is visible to intentional hackers with special software running 75%
Percentage of people within range included in that group 50%
Most of the supporting documentation on the internet that recommends against hiding the SSID emphasises that it is not intended as a security tool. Several make the "straw man" statement "don't turn off SSID broadcasting as a security measure, use WEP2 and a strong password instead."
This statement assumes that proponents must select one or the other "method." I don't know of anyone who would choose not to broadcast their SSID then choose not to apply encryption and configure a password requirement.
Broadcasting the SSID will not improve my security by any measure.
Not broadcasting my SSID would diminish my access point's visibility to those with intent and with the motivation to acquire and activate detection software who happen to be within range of my network or a client trying to make a connection to my network. Even under the implausibly great percentages I've cited above, that would be half the people 75% of the time as opposed to all the people, all of the time.
Now if a hacker with detection software were to not only acquire my SSID, but also receive my WEP2 security password in the clear, that would be a different matter.
I've seen no indication in my research that would indicate that to be the case.
Admittedly there are devices which have difficulty connecting when the SSID is not broadcast. My wife's nook for example. I chalk that up to lazy programmers on the design team. I see no reason why their assumption of broadcast SSIDs should dictate my strategy for deploying my network equipment.
It's no secret that router manufacturers configure their routers and access points as "open" (no passwords, broadcasting their SSID often with the manufacturer's name so anyone can find the default admin password with a simple google search). It sure does make connecting to these networks convenient.
Is this in the best interest of the network owner? I think not. It is done so that the support team at the manufacturer's support site does not have to field phone calls from uninformed consumers who haven't bothered to read the manual and call to have someone spoon feed them the information therein. The manufacturers care not one bit that your network is wide open and anyone with a cellphone or laptop can access the internet through your network without any skills beyond knowing how to use a browser.
Convenient? Perhaps for the client users. Wise? Certainly not for anyone on that network whose computer contains sensitive data.
As of this posting, there were 7 individuals apart from myself who offered a comment.
I thank pjc123, the only person to answer the question I asked.
A nod to Mobius for trying to inject some humor.
I acknowledge the info from Rob Henry, who rightly notes that while I'm in the Starbucks twenty miles from my router, my laptop might broadcast the SSID of my network in the clear visible to anyone sniffing the network. It would, however, not reveal the location of my network as would the broadcast of the network SSID to anyone in range. (It's right here and its name is XXXXXX!).
I'm ambivalent about the comments of the 5 persons who did not answer my question but chose to dismiss my question with comments suggesting that I was at best "being silly" and at worst "stupid" for wanting to restrict the broadcast of my network router's SSID. It seems they assume I'm without any significant amount of knowledge and will benefit from their opinion apart from any substantive supporting documentation.
While new to Linux, I'm not new to networking. I've been a network engineer for years. I make my decisions on the basis of fact, not opinion.
Regards to all.
- tonyhughes
- Posts: 951
- Joined: Wed Dec 26, 2012 3:46 am
Re: Is broadcasting SSID mandatory?
lol
Unwatching.

Re: Is broadcasting SSID mandatory?
The way I see it -
Hiding the network makes it more difficult for myself.
Hiding the network breaks standards - probably the reason why some devices don't work with hidden networks.
If someone is not looking for my network, whether it's hidden or not it won't make a difference as they won't care.
If someone is wardriving to find networks, they will find a network whether it's hidden or not.
If someone IS looking for networks to get into, IMHO a hidden network presents a more interesting target.
Let us know if the scan_ssid configuration works though.
I'll add it into my WebGUI if it does

My Blog - http://www.sirlagz.net
Visit my blog for Tips, Tricks, Guides and More !
WiFi Issues ? Have a look at this post ! http://www.raspberrypi.org/phpBB3/viewtopic.php?f=28&t=44044
Re: Is broadcasting SSID mandatory?
SirLagz wrote:
> The way I see it -
> Hiding the network makes it more difficult for myself.
> Hiding the network breaks standards - probably the reason why some devices don't work with hidden networks.
> If someone is not looking for my network, whether it's hidden or not it won't make a difference as they won't care.
> If someone is wardriving to find networks, they will find a network whether it's hidden or not.
> If someone IS looking for networks to get into, IMHO a hidden network presents a more interesting target.
> Let us know if the scan_ssid configuration works though.
> I'll add it into my WebGUI if it does
Ditto.
The only security advice should be use WPA2 or better and use the longest password allowed.
Not broadcasting SSID adds no value and may make
1) the user complacent, so doesn't bother with a good password
2) the network more attractive to a hacker, as they assume 1)
Re: Is broadcasting SSID mandatory?
generator wrote:
> As of this posting, there were 7 individuals apart from myself who offered a comment.
> I thank pjc123, the only person to answer the question I asked.
Glad I could help.
tonyhughes wrote:
> Unwatching.
Couldn't have said it better; it takes time away from working on my pi..
My Raspberry Pi Project Page:
https://www.flaminghellmet.com/launch/
Re: Is broadcasting SSID mandatory?
I should resist the urge to comment on this thread, but I can't.
I think if you really feel strongly about the matter then you should expound your opinions in fora that are dedicated to network security and try to bring everyone round to your argument. Please let me know if you do this as I'd love to read the discussion.
generator wrote:
> while I'm in the Starbucks twenty miles from my router, my laptop might broadcast the SSID of my network in the clear visible to anyone sniffing the network. It would, however, not reveal the location of my network as would the broadcast of the network SSID to anyone in range. (It's right here and its name is XXXXXX!).
You don't need to give away the location of your top-secret network because you've just given away an SSID to which your device will attempt to connect automatically, irrespective of how far you are from home. This, in theory, could compromise the device and any network traffic that passes through it. Theory may not be far from reality - a well known coffee chain with 'free' wifi is probably a much better place to take advantage of security weaknesses in people's home networks given that the attacker doesn't have to bother going round to his or her victims' homes.
generator wrote:
> I've been a network engineer for years. I make my decisions on the basis of fact, not opinion.
> Regards to all.
I'm sorry to decry your beautifully crafted thesis but its conclusions appear to be contrary to the wisdom of those who know far more about network engineering than you or me. Your essay is your own opinion of the facts - others, with different opinions of the facts, appear to be in the majority.
Re: Is broadcasting SSID mandatory?
OK, let's ask another question: should I lock my car when I leave it?
We all know that bad guys can get into my car whether or not I lock it - it only takes about ten seconds for an old-fashioned car.
And even with the most modern locking system, all they need is the latest scanner, and they'll have the key-code, whatever you do.
There are four sorts of people walking past your car.
There's the ordinary bloke who won't steal your car even if you leave the keys in and the engine running, and a big sign saying "Steal Me"
Then there's the bloke who drives off in it thinking it's his own car, 'cos it's the same make and colour.
And then there's the bloke looking for a joy-ride, who'll go for the unlocked car rather than the one next to it 'cos it's easier.
And finally there's the agent from the foreign government, who's targeting you because you're the key to their plans for infiltrating the CIA and ultimately taking over the world.
Locking your car won't stop that last guy, so why lock your car?
Re: Is broadcasting SSID mandatory?
Burngate wrote:
> OK, let's ask another question: should I lock my car when I leave it?
> We all know that bad guys can get into my car whether or not I lock it - it only takes about ten seconds for an old-fashioned car.
> And even with the most modern locking system, all they need is the latest scanner, and they'll have the key-code, whatever you do.
> There are four sorts of people walking past your car.
> There's the ordinary bloke who won't steal your car even if you leave the keys in and the engine running, and a big sign saying "Steal Me"
> Then there's the bloke who drives off in it thinking it's his own car, 'cos it's the same make and colour.
> And then there's the bloke looking for a joy-ride, who'll go for the unlocked car rather than the one next to it 'cos it's easier.
> And finally there's the agent from the foreign government, who's targeting you because you're the key to their plans for infiltrating the CIA and ultimately taking over the world.
> Locking your car won't stop that last guy, so why lock your car?
Because locking the car is the equivalent of the password. Not broadcasting SSID is like leaving a note saying please don't steal my car.
-
- Posts: 189
- Joined: Wed Oct 24, 2012 9:15 pm
- Location: Cheltenham, UK
Re: Is broadcasting SSID mandatory?
Guys,
A year on and another wild goose chase to resolve this one. Yes my ssID is 'hidden' and Yes adding the scan...=1 works but why can't the clever people take it as read that not everyone will have got the memo that hiding things isn't really all it used to be and include options that keep things working.
In the default case a Wifi connected Pi will drop out if the ssID goes hidden and stay dropped even if the ssID re-appears. Would call this a bit fragile.
Had a previous wild goose chase when my laptop's Ubuntu 12.4 died. The clever people enforced the new thinking that my old laptop shouldn't be allowed to re-install a DVD version 12 by fixing the pre-loader to barf. Apparently my laptop didn't have some new whizzy and necessary feature but this didn't stop the routine updates getting me from 9.?? to 12.4 before I lost it.
Anyway, thanks for the fix.
Share and Enjoy.
Re: Is broadcasting SSID mandatory?
Burngate wrote:
> OK, let's ask another question: should I lock my car when I leave it?
Locking your car is not the same as hiding its existence. Broadcasting your SSID is just your AP saying "Here I am.". If you turn it off and manually connect from a device, the device has to broadcast "Where are you?", but it does that all the time, even when you are away from home, because it doesn't know better.
Hiding your SSID might stop casual browsers, but it's not the casual browsers that are the threat. If your Wi-Fi is password protected, then those casual browsers can't get in, so hiding your SSID from them doesn't really do anything, they couldn't get on your Wi-Fi anyway.
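Added example (not part of any post in this thread): the AP's "Here I am" and the client's "Where are you?" are 802.11 management frames, and the Python code below walks their tagged elements to show which frames still carry the name when the AP hides it, as the earlier post about the ESSID travelling in the clear also says. The frames are constructed byte strings; the MAC addresses, the SSID "HomeHidden" and the function names are made up for the illustration.

```python
"""Which 802.11 management frames carry the SSID when the AP hides it."""
import struct

SUBTYPES = {0: "association request", 4: "probe request",
            5: "probe response", 8: "beacon"}
# Fixed-field bytes between the 24-byte MAC header and the tagged elements.
FIXED_LEN = {0: 4, 4: 0, 5: 12, 8: 12}

# Constructed, locally administered addresses (not real devices).
AP_MAC = bytes.fromhex("020000000001")
CLIENT_MAC = bytes.fromhex("020000000002")
BROADCAST = b"\xff" * 6


def build_frame(subtype, dst, src, bssid, ssid):
    """Build a constructed management frame with an SSID and a rates element."""
    frame_control = struct.pack("<H", subtype << 4)   # version 0, type 0 (mgmt)
    header = frame_control + b"\x00\x00" + dst + src + bssid + b"\x00\x00"
    fixed = b"\x00" * FIXED_LEN[subtype]
    ssid_element = bytes([0, len(ssid)]) + ssid        # element ID 0 = SSID
    rates_element = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + fixed + ssid_element + rates_element


def parse_ssid(frame):
    """Return (frame kind, SSID), with None when no name is disclosed."""
    if len(frame) < 24:
        raise ValueError("frame shorter than a management header")
    fc = struct.unpack_from("<H", frame, 0)[0]
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in FIXED_LEN:
        raise ValueError("not a supported management frame")
    pos = 24 + FIXED_LEN[subtype]
    while pos + 2 <= len(frame):
        element_id, length = frame[pos], frame[pos + 1]
        body = frame[pos + 2: pos + 2 + length]
        if len(body) < length:
            raise ValueError("truncated element")
        if element_id == 0:
            # A hidden AP sends a zero-length SSID or one filled with NULs.
            if length == 0 or body.strip(b"\x00") == b"":
                return (SUBTYPES[subtype], None)
            return (SUBTYPES[subtype], body.decode("utf-8", errors="replace"))
        pos += 2 + length
    return (SUBTYPES[subtype], None)


# Constructed exchange between a hidden AP and a client that knows its name.
CONSTRUCTED_EXCHANGE = [
    build_frame(8, BROADCAST, AP_MAC, AP_MAC, b""),               # hidden beacon
    build_frame(8, BROADCAST, AP_MAC, AP_MAC, b"\x00" * 10),      # NUL-filled
    build_frame(4, BROADCAST, CLIENT_MAC, BROADCAST, b"HomeHidden"),
    build_frame(5, CLIENT_MAC, AP_MAC, AP_MAC, b"HomeHidden"),
    build_frame(0, AP_MAC, CLIENT_MAC, AP_MAC, b"HomeHidden"),
]


def ssid_disclosures(frames):
    """Parse every frame and report what name, if any, each one carries."""
    return [parse_ssid(frame) for frame in frames]


if __name__ == "__main__":
    for kind, ssid in ssid_disclosures(CONSTRUCTED_EXCHANGE):
        print(f"{kind:20s} -> {ssid if ssid is not None else '(no name sent)'}")
```

Only the beacons omit the name; the client's probe and association requests and the AP's probe response all carry it unencrypted.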