Disable SSID Broadcast or Not?
Wireless networks are identified by the service set identifier (SSID), which is used as the network name. The question is whether SSID broadcast should be enabled or disabled. If you’re taking the Security+ exam, that’s an important concept to understand. Moreover, you can expect to see two different perspectives on whether SSID broadcast should be disabled.
At some point, someone stated that the SSID was a password, and many IT professionals latched onto the idea that you can increase security by disabling the SSID broadcast. Others say that the SSID has nothing to do with security and that disabling the broadcast reduces usability without increasing security.
First, the SSID is not a password.
A password is used for authentication to prove an identity. For example, a user can use a password with a username. The username is the claimed identity, and the password proves the user’s identity. However, an SSID is a network name, and all users must use the same SSID. None of the users are authenticated with the SSID. Adding authentication to wireless connections certainly provides stronger security, but you do so with 802.1X and a RADIUS server.
Second, attackers can easily discover SSIDs, even when SSID broadcast is disabled.
WAPs must regularly send out a beacon frame to ensure interoperability with other devices in the wireless network. This beacon frame includes the SSID; if SSID broadcast is disabled, the SSID entry in the beacon is blank. However, even with SSID broadcast disabled, the WAP still includes the SSID in the Probe responses it sends to Probe requests from authorized wireless clients. Because of this, it’s easy for an attacker with a wireless sniffer to listen for the Probe responses and detect the SSID.
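To make the beacon versus Probe response difference concrete, here is an added Python example (not code from the original post) that walks the tagged parameters of constructed 802.11 management-frame bodies and pulls out the SSID element; the frame bytes, the network name `CorpWiFi` and the helper names are all constructed for illustration.

```python
import struct

# Element ID 0 is the SSID information element (IE) in 802.11 management frames.
SSID_ELEMENT_ID = 0
# Management-frame subtypes from the frame control field; beacons and probe
# responses share the same body layout (fixed fields, then tagged IEs).
SUBTYPE_PROBE_RESPONSE = 5
SUBTYPE_BEACON = 8


def build_mgmt_body(ssid: bytes) -> bytes:
    """Constructed beacon/probe-response body: timestamp, beacon interval,
    capability info, then an SSID IE and a supported-rates IE."""
    fixed = struct.pack("<QHH", 0, 100, 0x0411)  # timestamp, interval, capabilities
    ssid_ie = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid
    rates_ie = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # ID 1: 1, 2, 5.5, 11 Mbit/s
    return fixed + ssid_ie + rates_ie


def extract_ssid(body: bytes):
    """Walk the tagged parameters and return the SSID as a string.
    Returns None when the element is absent, zero-length, or null-filled,
    which is how a WAP with SSID broadcast disabled fills its beacons."""
    offset = 12  # skip timestamp (8) + beacon interval (2) + capability (2)
    while offset + 2 <= len(body):
        element_id, length = body[offset], body[offset + 1]
        data = body[offset + 2: offset + 2 + length]
        if len(data) != length:
            break  # truncated frame: stop rather than read past the end
        if element_id == SSID_ELEMENT_ID:
            if length == 0 or data == b"\x00" * length:
                return None  # "hidden" SSID
            return data.decode("utf-8", errors="replace")
        offset += 2 + length
    return None


def ssids_by_subtype(frames):
    """Given (subtype, body) pairs as a passive listener would see them,
    report what each frame type reveals about the network name."""
    return {subtype: extract_ssid(body) for subtype, body in frames}


if __name__ == "__main__":
    hidden_beacon = build_mgmt_body(b"")           # broadcast disabled
    probe_response = build_mgmt_body(b"CorpWiFi")  # reply to a client's probe
    print(ssids_by_subtype([(SUBTYPE_BEACON, hidden_beacon),
                            (SUBTYPE_PROBE_RESPONSE, probe_response)]))
```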
In short, disabling SSID broadcast does not provide any security. It’s a trivial matter for an attacker to discover the SSID whether broadcast is enabled or disabled. Steve Riley wrote in a security blog post titled “Myth vs. reality: Wireless SSIDs” that disabling the SSID for security “is a myth that needs to be forcibly dragged out behind the woodshed, strangled until it wheezes its last labored breath, then shot several times for good measure.”
What you should know for Security+.
If you’re taking the CompTIA Security+ exam, you should be aware of two perspectives.
- The SY0-201 exam (that retired December 31, 2011) came out in 2008 when the idea of disabling the SSID broadcast was more prevalent. Questions and answers clearly indicated that CompTIA test writers believed that disabling the SSID broadcast provides security.
- The SY0-301 exam (that retired December 31, 2014) tended toward the view that disabling the SSID broadcast doesn’t provide any security, since an attacker can easily discover it anyway.
- The SY0-401 exam still includes “Disable SSID broadcast” within a wireless security objective, but CompTIA seems to have moved away from asking questions that indicate this provides security protection. However, it still does hide the wireless network from casual users.
While I’m talking about wireless security, it’s worth mentioning MAC filtering, which most WAPs support. You can configure the WAP to allow traffic only from clients using specific MAC addresses. While this sounds good, it’s also easily circumvented by an attacker. An attacker with a wireless sniffer can capture packets and identify MAC addresses that are accepted. The attacker can then configure the operating system to spoof one of those MAC addresses, bypassing the MAC filter.