Issues with SSID cloaking
Wireless Security
By Joshua Wright, Network World, 03/05/2007
Are there any pitfalls to using SSID cloaking?
Many organizations use SSID cloaking as a mechanism to add a layer of security to the WLAN. With the SSID removed from beacon frames, a user must already know the SSID in order to connect to the wireless network. While this is commonly viewed as a mechanism to improve the security of the WLAN, and is a recommended best practice under the PCI Data Security Standard, it can actually reduce the effective security of the WLAN.
False Sense of Security
Early wireless network deployments relied on SSID cloaking as a mechanism to prevent unauthorized users from accessing the wireless network. Even though the SSID was never intended to be used as an authentication mechanism, some organizations have adopted cryptic SSIDs that are distributed as shared secrets. Tools such as ESSID-Jack and Kismet observe and report the SSID from the traffic of legitimate stations, allowing attackers to deduce the SSID and easily bypass the intended security mechanism.
Confused Users
When the network SSID is cloaked, users will not see the WLAN in the list of available wireless networks. This could prompt users to select other networks, which could expose vulnerable clients, or even be construed as computer trespass in some US states.
Exposure to AP Impersonation Attacks
Attack tools such as KARMA take advantage of the WLAN probing techniques used by wireless clients. When a station probes for a WLAN in its preferred network list (PNL), the station discloses the SSID to a listening attacker. The KARMA attack uses the disclosed SSID to impersonate a legitimate WLAN, luring the station to the attacker.
With the Windows XP SP2 wireless client update hotfix described in KB917021, Windows workstations change how they probe for wireless networks. Users and administrators can now mark an entry in the PNL as "nonbroadcast". When the "Connect even if this network is not broadcasting" option is not selected, the station will not disclose the SSID when probing for a network, mitigating the KARMA attack. For the station to identify the availability of the network, however, the AP must have the SSID cloaking feature disabled. If the AP does cloak the SSID, the station must revert to the active network probing mechanism, making SSID cloaking the less secure option.
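As an added illustration (not part of the article), here is a small Python analyzer run over a constructed set of decoded 802.11 management frames; the MAC addresses, SSIDs and frame records are assumptions made up for the example. It checks for the three behaviours discussed above: stations disclosing PNL entries in directed probe requests, a cloaked AP that still reveals its SSID in probe responses, and a responder that answers probes for many unrelated SSIDs, which is a KARMA-style indicator a wireless IDS can alert on.

```python
from collections import defaultdict

# Constructed sample of 802.11 management frames, as a monitor-mode sniffer
# might decode them (hypothetical MACs and SSIDs; not captured traffic).
FRAMES = [
    {"type": "beacon",     "src": "00:11:22:aa:bb:01", "ssid": ""},              # cloaked AP: empty SSID element
    {"type": "probe_req",  "src": "c0:ff:ee:00:00:01", "ssid": "corp-secret"},   # directed probe leaks a PNL entry
    {"type": "probe_resp", "src": "00:11:22:aa:bb:01", "ssid": "corp-secret"},   # cloaked AP still answers with SSID
    {"type": "probe_req",  "src": "c0:ff:ee:00:00:02", "ssid": ""},              # broadcast probe: nothing disclosed
    {"type": "probe_req",  "src": "c0:ff:ee:00:00:01", "ssid": "home-wifi"},
    {"type": "probe_resp", "src": "de:ad:be:ef:00:01", "ssid": "corp-secret"},   # one BSSID answering every name
    {"type": "probe_resp", "src": "de:ad:be:ef:00:01", "ssid": "home-wifi"},
    {"type": "probe_resp", "src": "de:ad:be:ef:00:01", "ssid": "airport-free"},
]


def leaked_pnl(frames):
    """Map each station to the SSIDs it disclosed in directed probe requests."""
    leaks = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_req" and f["ssid"]:
            leaks[f["src"]].add(f["ssid"])
    return dict(leaks)


def cloaked_but_answering(frames):
    """BSSIDs that beacon with an empty SSID yet reveal it in probe responses."""
    cloaked = {f["src"] for f in frames if f["type"] == "beacon" and not f["ssid"]}
    return {f["src"]: f["ssid"] for f in frames
            if f["type"] == "probe_resp" and f["src"] in cloaked and f["ssid"]}


def karma_suspects(frames, threshold=3):
    """BSSIDs responding to at least `threshold` distinct SSIDs: an impersonation indicator."""
    answered = defaultdict(set)
    for f in frames:
        if f["type"] == "probe_resp":
            answered[f["src"]].add(f["ssid"])
    return {bssid: sorted(ssids) for bssid, ssids in answered.items() if len(ssids) >= threshold}


if __name__ == "__main__":
    print("stations leaking PNL entries:", leaked_pnl(FRAMES))
    print("cloaked APs revealing SSID on probe:", cloaked_but_answering(FRAMES))
    print("KARMA-like responders:", karma_suspects(FRAMES))
```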
Comments (3)
SSID questions
By Anonymous on March 6, 2007, 2:51 am
A couple of questions: 1) Correct me if I'm wrong here, but isn't the SSID, when not cloaked, picked up anyways? What's to stop an exploit from picking up the...
SSID cloaking doesn't really add security
By katebush on March 16, 2007, 9:29 am
Even when the AP/Wireless Router doesn't specify the SSID in its beacon packets, the SSID is published in the Probe Request/Response exchange, so anyone with a wireless...
ssid access key
By Anonymous on August 10, 2008, 5:21 pm
How can I find my access code if I've forgotten it? I have a Linksys WAG54G.