Home wireless network, SSID Broadcast okay?

[John Doe]

My HomePortal is used for DSL and also usable for wireless. Is
there any significant risk in the "SSID Broadcast" being enabled?
It's using the default "64-bit Encryption Key". My
understanding/experience is that eavesdroppers could detect the
wireless Internet broadcast, but that they wouldn't be able to use
it?

 

[Mike Easter]

My HomePortal is used for DSL and also usable for wireless. Is
there any significant risk in the "SSID Broadcast" being enabled?
It's using the default "64-bit Encryption Key". My
understanding/experience is that eavesdroppers could detect the
wireless Internet broadcast, but that they wouldn't be able to use
it?

The unfortunate situation is that a determined adversary can discover
your wireless signal even if it doesn't broadcast its SSID, however the
following 'layers' of security work to your advantage ergo the
'opposite' works to your security disadvantage.

It is better to not broadcast the SSID than broadcast it.
It is better to use WPA than WEP.
It is better to use a 'more secure' password/phrase than a less secure
one and more bits of encryption than less.

I'm not familiar with your HomePortal device or exactly what kind of
security you are using.

I see a manual for a 2wire calling itself HomePortal.

 

[Paul]

The unfortunate situation is that a determined adversary can discover
your wireless signal even if it doesn't broadcast its SSID, however the
following 'layers' of security work to your advantage ergo the
'opposite' works to your security disadvantage.

It is better to not broadcast the SSID than broadcast it.
It is better to use WPA than WEP.
It is better to use a 'more secure' password/phrase than a less secure
one and more bits of encryption than less.

I'm not familiar with your HomePortal device or exactly what kind of
security you are using.

I see a manual for a 2wire calling itself HomePortal.

I don't have anything to add to this, except to suggest
a certain approach.

When network boxes include more than one function, and some of the
functions suck, you can turn them off. Then, buy a newer box for
the functions that weren't working so well, and carry on.

For example, my home setup is like this. The router on the box on the
left sucks, so it got turned off, and the modem/router just runs
as a modem. And if I wanted to add Wifi to this (no Wifi currently),
I could slap another box onto this mess. The router in the middle
has 100BT Ethernet ports, and I have a GbE switch downstream,
so comp #1 and comp #2 can exchange files faster. This setup
wastes a lot of power, but allows tailoring the solution over time.
The router in the middle, has a nice web interface that makes
it easy to manage, which is why I keep it. It replaces a Linksys
router that needed to be reset two or three times a day.

ADSL2+ modem/router ------ my regular router ---- GbE switch ---- comp #1
(Router turned off, ---- comp #2
switch ports not used,
bridged mode)

I could probably find a box that does all of this in the one box,
but I'm not about to run out and do that. Because of the risk some
part of the box just doesn't work the way I want it to.

Before deciding to keep your HomePortal, you'd Google the model number,
and see if any security experts had found problems with security aspects
other than the Wifi. For example, the first ISP I used for ADSL, distributed
rental modems (and you couldn't use your own). A check on the web, showed
the modems had gaping security holes. But, since the holes were known,
and the ISP could "push out" new firmware, it wasn't as much of a problem
as it might have been if I bought and maintained the same model of modem
myself. The ISP had the buying power, to get tech support.

An example of a gaping hole, in my mind, is when you get your pretty, new
networking box, and it turns out the stupid thing allows password based
access from the WAN side. Imagine script kiddies scanning your box, trying
passwords all day long. That's an example of an unacceptable feature. If
my left-most box had that problem, it would be in a garbage can right now.

If your HomePortal has some feature that still works good, keep it. But
if all the features are flawed, look for a more modern one. One downside
of shopping for "new" ADSL, is they're ADSL2+ capable (24Mbit/sec max),
and they waste more power than boxes that can only do ADSL 8Mbit/sec standard
as their max speed.

ADSL (G.Lite) 2048/448 kbit/s 1998
ADSL (G.DMT) 8192/1024 kbit/s 1999 <--- first modem, ran cool
ADSL2 12288/1440 kbit/s 2002
ADSL2+ 24576/3584 kbit/s 2003 <--- current modem, wastes power.
(my service is no where near this
rate. My download "goodput" is
only 312KB/sec.)

Paul

 

[Yousuf Khan]

My HomePortal is used for DSL and also usable for wireless. Is
there any significant risk in the "SSID Broadcast" being enabled?
It's using the default "64-bit Encryption Key". My
understanding/experience is that eavesdroppers could detect the
wireless Internet broadcast, but that they wouldn't be able to use
it?

I personally think hiding the SSID is useless. I know in the past many
people used to suggest doing this, but it's really a primitive form of
security which only gives you a false sense of security rather than any
real security. The lack of SSID only makes it more inconvenient for you
rather than any hacker.

You're better off using the more modern WPA encryption technology rather
than the old WEP which is generally regarded as useless now.

And use an extremely long password. The longer the better. Here's a site
that tells you how to create easily remembered super-strong passwords:

GRC's | Password Haystacks: How Well Hidden is Your Needle?
https://www.grc.com/haystack.htm

Yousuf Khan

 

[DevilsPGD]

The unfortunate situation is that a determined adversary can discover
your wireless signal even if it doesn't broadcast its SSID, however the
following 'layers' of security work to your advantage ergo the
'opposite' works to your security disadvantage.

It is better to not broadcast the SSID than broadcast it.

I'd disagree with this, wholeheartedly. Without broadcasting your SSID,
the client and computer can never find each other, so in practice,
setting your router to not broadcast it's SSID causes the clients to
start shouting "Hello hidden-SSID, are you here?" at all times whenever
they're not connected.

Most importantly the SSID is still occasionally broadcast as part of the
handshake when a client connects, so it's a false sense of... something.
It's not really even a sense of security.

 

[Mike Easter]

Mike Easter

I'd disagree with this, wholeheartedly. Without broadcasting your SSID,
the client and computer can never find each other, so in practice,
setting your router to not broadcast it's SSID causes the clients to
start shouting "Hello hidden-SSID, are you here?" at all times whenever
they're not connected.

Most importantly the SSID is still occasionally broadcast as part of the
handshake when a client connects, so it's a false sense of... something.
It's not really even a sense of security.

I accept the point you are making, but...

.... your premise/argument presumes a set of wifi cracking strategies and
tools on the part of the interloper.

I can imagine my own hypothetical scenario (which I believe far more
common than yours) in which the hypothetical interloper has very little
in the way of wifi cracking strategies and s/he is 'simply' looking for
available broadcast SSIDs particularly those which are broadcasting
familiar default SSIDs. Sorta like early war-driving before the days of
more sophisticated war-flying model drones with onboard tiny computer
configured to crack.

Such a default broadcast SSID is often/ may be/ associated with the
wifi's default insecurity.

Thus in my imaginary/hypothetical scenario, unlike your own hypothetical
imaginary scenario, it /would/ have been more secure to have changed
from the defaults which defaults include broadcasting a default SSID and
thus hinting/suggestion no security (a plum for the picking) to instead
changing the defaults and not broadcasting the SSID plus using WPA
security configuration.

Many trivial interlopers are going to be looking for the broadcast SSIDs
to work on.

 

[DK]

I'd disagree with this, wholeheartedly. Without broadcasting your SSID,
the client and computer can never find each other, so in practice,
setting your router to not broadcast it's SSID causes the clients to
start shouting "Hello hidden-SSID, are you here?" at all times whenever
they're not connected.

Not true. My router is set to not broadcast SSID and two printers,
three laptops and one cell phone all don't have any trouble picking
up the signal. True, I have to enable broadcast for a new device
to get the SSID and memorize password for it. Once done, I disable
broadcast again.

One retarded tablet (Samsung Galaxy) refused to see wireless
unless SSID is broadcast. It went back to store soon afterwards

DK

 

[SC Tom]

I accept the point you are making, but...

... your premise/argument presumes a set of wifi cracking strategies and
tools on the part of the interloper.

I can imagine my own hypothetical scenario (which I believe far more
common than yours) in which the hypothetical interloper has very little in
the way of wifi cracking strategies and s/he is 'simply' looking for
available broadcast SSIDs particularly those which are broadcasting
familiar default SSIDs. Sorta like early war-driving before the days of
more sophisticated war-flying model drones with onboard tiny computer
configured to crack.

Such a default broadcast SSID is often/ may be/ associated with the wifi's
default insecurity.

Thus in my imaginary/hypothetical scenario, unlike your own hypothetical
imaginary scenario, it /would/ have been more secure to have changed from
the defaults which defaults include broadcasting a default SSID and thus
hinting/suggestion no security (a plum for the picking) to instead
changing the defaults and not broadcasting the SSID plus using WPA
security configuration.

Many trivial interlopers are going to be looking for the broadcast SSIDs
to work on.

One free and easy to use tool is inSSIDer from MetaGeek:
http://www.metageek.net/products/inssider/

If you have this installed on your laptop (Windows or Mac) or your Android,
you can view wifi in the area, along with the SSID, signal strength, type of
security, etc. From my house, I can see nine broadcasts (including mine),
and 3 are WPA2, 2 are WPA, 1 is WEP, and 3 are Open. Granted, from my
location, the signal strength of everything but mine is pretty weak, but if
I was mobile, I'd sure be looking at those Open ones (if I was in the market
for some free wifi).

I had originally installed this to check my signal strength on an old, OLD
wireless switch I had, and to see if maybe someone near was broadcasting at
near the same strength and channel (that wasn't the problem- long and
different story). I never bothered to uninstall it, and fire it up
occasionally to see if anyone new has moved into the neighborhood.

 

[SC Tom]

Not true. My router is set to not broadcast SSID and two printers,
three laptops and one cell phone all don't have any trouble picking
up the signal. True, I have to enable broadcast for a new device
to get the SSID and memorize password for it. Once done, I disable
broadcast again.

One retarded tablet (Samsung Galaxy) refused to see wireless
unless SSID is broadcast. It went back to store soon afterwards

You say "Not true" but you pretty much prove his point (to an extent) in
your line "I have to enable broadcast for a new device. . ." Once it's set
up, and you've logged in for the first time (assuming you're using some
security on it and a passphrase), you then disable it, but in the time it
took you to do that, the SSID is being broadcast for anyone in the area to
see. Granted, the chances of anyone picking up on it and piggybacking on
your network are slim, but the chance is still there.

I do agree with you that once a device has connected, it should remember the
SSID without having to turn broadcasting on each time. If it doesn't
remember it, there's a problem somewhere, either with the network
configuration or the device itself, but that hasn't happened enough to me
for it to be a problem; I find myself having to go in and delete some of the
old ones, not because it causes a problem or anything, but just for regular
maintenance (it's hell being OC sometimes ).

I agree that turning broadcasting off may be a more secure scheme than
leaving it broadcasting all the time, but I feel it's a somewhat false sense
of security. I think leaving broadcasting on and using a secure passphrase
(and changing it regularly) is a more secure method, and makes it a little
easier for you to maintain. If you want to see if anyone's on your network,
you can use something like ipscan http://www.angryziber.com/ , or check
your router's "connected devices" page.

 

[Mike Easter]

"Mike Easter"

One free and easy to use tool is inSSIDer from MetaGeek:
http://www.metageek.net/products/inssider/

inSSIDer can see broadcast and not broadcast SSIDs. And there are others.

If you have this installed on your laptop (Windows or Mac) or your
Android, you can view wifi in the area, along with the SSID, signal
strength, type of security, etc. From my house, I can see nine
broadcasts (including mine), and 3 are WPA2, 2 are WPA, 1 is WEP, and 3
are Open. Granted, from my location, the signal strength of everything
but mine is pretty weak, but if I was mobile, I'd sure be looking at
those Open ones (if I was in the market for some free wifi).

I had originally installed this to check my signal strength on an old,
OLD wireless switch I had, and to see if maybe someone near was
broadcasting at near the same strength and channel (that wasn't the
problem- long and different story). I never bothered to uninstall it,
and fire it up occasionally to see if anyone new has moved into the
neighborhood.

I have similarly used netstumbler and vistumbler for XP and Vista/7 resp.

Kismet will perform that duty for linux.

 

[DK]

You say "Not true" but you pretty much prove his point (to an extent) in
your line "I have to enable broadcast for a new device. . ." Once it's set
up, and you've logged in for the first time (assuming you're using some
security on it and a passphrase), you then disable it, but in the time it
took you to do that, the SSID is being broadcast for anyone in the area to
see. Granted, the chances of anyone picking up on it and piggybacking on
your network are slim, but the chance is still there.

Generously, it takes no more than 5 min to enable SSID broardcast,
connect a new device then turn SSID broadcast off. If someone
monitors my house to pick that 5 min interval that happens maybe
few times a year, and if that someone also manages to break WPA
security during that 5 min, I am quite confident I have a lot more to
worry about than my wireless network being hacked into )

DK

 

[Mike Easter]

Generously, it takes no more than 5 min to enable SSID broardcast,
connect a new device then turn SSID broadcast off. If someone
monitors my house to pick that 5 min interval that happens maybe
few times a year, and if that someone also manages to break WPA
security during that 5 min, I am quite confident I have a lot more to
worry about than my wireless network being hacked into )

I sense that 'we' tinw thereisnowe are debating/discussing an issue
related to 'layers' of security.

My reading/understanding of security concepts generalized is that layers
are good -- and obviously some layers are going to be much stronger or
more powerful than other layers which may be trivial or negligible or
whatever one wants to call the weak layers, especially the very weak
layers in the face of typical cracker tools.

That doesn't mean that weak layers are useless or that weak layers give
some kind of false sense of security or false sense of some other
unidentified concept. It simply means that weak layers are weak
compared to stronger layers' and it doesn't mean that one should neglect
stronger layers of security in 'favor of' just using a very weak layer
instead.

One could argue that some disadvantage of turning off SSID which is a
very weak layer doesn't outweigh the weak security aspect of it for some
particular and specific situation.

If a weak security layer is 'a lot of trouble' and 'inconvenient' and
'distracting' and causing expenditure of resources of some kind that
completely outweigh its value, then it is a 'bad' layer and should be
discarded on the basis of its negativity, not its weakness. There are
some security efforts such as airport security which has been
characterized as weak and misdirected. Or shipping container security.

Hiding the SSID is a weak layer. If it causes someone some
inconvenience which is not outweighed by its weak 'value' then
doing/using that layer is not worth the inconvenience.

It is a lot more important to have good security re WPA than none or WEP
than it is to hide the SSID, that's for sure.

 

[SC Tom]

Generously, it takes no more than 5 min to enable SSID broardcast,
connect a new device then turn SSID broadcast off. If someone
monitors my house to pick that 5 min interval that happens maybe
few times a year, and if that someone also manages to break WPA
security during that 5 min, I am quite confident I have a lot more to
worry about than my wireless network being hacked into )

True, but it's still a PITA, if you have to do it regularly. Not so much for
you since it's only a few times a year, but what about others that have to
do it a few times a week? It would be a pain, and really not all that
advantageous.

What it really boils down to is "to each his own." Whatever the individual
is comfortable with is what's going to be done anyhow. It's like the ones
who leave admin and password as their router login; no matter what you tell
them, it'll never happen to them

Don't get me wrong, I have nothing against your method, but when I was doing
PC and laptop repair, your method would definitely been a royal pain.

 

[DevilsPGD]

Not true. My router is set to not broadcast SSID and two printers,
three laptops and one cell phone all don't have any trouble picking
up the signal. True, I have to enable broadcast for a new device
to get the SSID and memorize password for it. Once done, I disable
broadcast again.

Right. But the way this works is by the clients knowing to shout "Is
SSID 'xyz' out there?" once in a while if they're not currently
connected, otherwise they have no way to know when they're in range of a
particular network.

 

[DevilsPGD]

I accept the point you are making, but...

... your premise/argument presumes a set of wifi cracking strategies and
tools on the part of the interloper.

I can imagine my own hypothetical scenario (which I believe far more
common than yours) in which the hypothetical interloper has very little
in the way of wifi cracking strategies and s/he is 'simply' looking for
available broadcast SSIDs particularly those which are broadcasting
familiar default SSIDs. Sorta like early war-driving before the days of
more sophisticated war-flying model drones with onboard tiny computer
configured to crack.

So change your default SSID. That's a very good idea, and should be part
of the initial setup of any network, if only to avoid conflicting with
your neighbour's network when they buy the same brand of hardware.

Such a default broadcast SSID is often/ may be/ associated with the
wifi's default insecurity.

It might. However, since determining the router's manufacturer it
trivial without knowing the SSID, it's moot. More importantly, if all
you do is hide the SSID, you'll be open to anyone else who already has
their system configured to use unsecured non-broadcasting access points
that answer to "LINKSYS"

The problem with hiding the SSID is that it potentially gives a false
sense of security (with the associated inconvenience) to the owner of
the access point, without really providing any significant barriers to a
malicious user; by offering a false sense of security, the user may fail
to take steps that actually secure the network.

 

[Mike Easter]

The problem with hiding the SSID is that it potentially gives a false
sense of security (with the associated inconvenience) to the owner of
the access point, without really providing any significant barriers to a
malicious user; by offering a false sense of security, the user may fail
to take steps that actually secure the network.

I don't agree that an additional (weak) layer of security is a false
sense of security nor that hiding it would lead to/ cause/ the
configurer to not take the more important and essential proper security
measures.

I do agree that it has/adds some additional inconvenience.

Not that it is important for the sake of the discussion, but I do not
turn off my SSID (on my access point), however I do turn off my wifi on
my router since the position of the AP is more useful for my network's wifi.

 

[DevilsPGD]

I don't agree that an additional (weak) layer of security is a false
sense of security nor that hiding it would lead to/ cause/ the
configurer to not take the more important and essential proper security
measures.

A lot of people get the mindset that "No one can see my network, so the
rest doesn't matter"

In other words, it makes people start to treat a publicly accessible
identifier as a secret/password, which is an extremely bad security
practice.