Is hiding your home SSID actually a privacy flaw (broadcasting yourhome SSID at public hotspots)?

SUMMARY:
* Hiding your home SSID (apparently) violates your public hotspot privacy!

WinXP SP3 WZC clients "configured to connect to non-broadcast networks
are constantly disclosing the SSID of those networks, even when those
networks are not in range!"

REQUEST:
Can/would the intelligentsia on alt.internet.wireless (Jeff Lieberman
perhaps?) comment on whether that statement has merit based on what I
just read at technet.microsoft.com (quoted above & reference at the end
of this post).

BACKGROUND:
We all well know that hiding my home-network broadcast SSID does not
effectively increase my home-network privacy or security (so we do not
need to belabor that concept in this thread).

However, I did not (until now) realize that hiding my home-network SSID
might actually REDUCE my public hotspot privacy (i.e., away from home!).

PROBLEM:
According to the reference article, the WinXP SP3 WZC client is
"periodically disclosing its set of preferred non-broadcast wireless
networks".

Therefore, my epiphany goes, the "bad guy" could easily determine my home
network SSID from my single visit to a local public hotspot and, with
enough determination, correlate my preferred non-broadcast wireless
networks to my laptop computer (even if I've changed my MAC address,
hostname, username, proxy server, and SSH tunnel, daily).

QUESTION:
Is it true that hiding the SSID in one place actually broadcasts it in
all others?

That is, by turning of my wireless router SSID broadcast at home, am I,
in effect, now broadcasting that SSID at every public hotspot I
subsequently visit with my WinXP SP3 laptop computer?

REFERENCE:
Why Non-broadcast Networks are not a Security Feature
* http://technet.microsoft.com/en-us/l.../bb726942.aspx

Notes:
* I do realize that the realm of "privacy" protection entails a
thoughtful multi-layered approach, including proxys, SSH tunneling, TORs,
encryption, spoofing, etc.

Therefore, I request the astute advice from the team stay on the specific
topic of whether or not hiding the SSID on your home wireless router
actually broadcasts that SSID at all hotspots on your WinXP SP3 laptop.

On Wed, 16 Feb 2011 21:25:47 +0000, Aaron FIsher wrote:
> That is, by turning of my wireless router SSID broadcast at home, am I,
> in effect, now broadcasting that SSID at every public hotspot I
> subsequently visit with my WinXP SP3 laptop computer?

I don't think modern Linux distributions automaticaly probe by shouting
the service set identifier.

I believe Linuxes only probe if you manually attempt to connect to a
hidden network via the network connections pulldown menu.

So your privacy solution is to switch from Windoze to something like
Ubuntu.

On Wed, 16 Feb 2011 21:25:47 +0000 (UTC), Aaron FIsher
<(E-Mail Removed)> wrote:

>REQUEST:
>Can/would the intelligentsia on alt.internet.wireless (Jeff Lieberman
>perhaps?) comment on whether that statement has merit based on what I
>just read at technet.microsoft.com (quoted above & reference at the end
>of this post).

Spell my name correctly and I promise not to bite your head off. Full
moon Friday night and I'm already getting hungry.
<http://802.11junk.com/jeffl/pics/jeffl/slides/jeffl-wolf.html>

>PROBLEM:
>According to the reference article, the WinXP SP3 WZC client is
>"periodically disclosing its set of preferred non-broadcast wireless
>networks".

Sigh. Yes, WZC and probably some other wireless clients try to
connect to the preferred network SSID first. Since encryption is
established AFTER the initial association with the access point, the
SSID is contained inside the association request frame and is NOT
encrypted. See:
<http://www.wi-fiplanet.com/tutorials/article.php/1447501/Understanding-80211-Frame-Types.htm>
However, once your laptop associates successfully with the coffee shop
access point, all such broadcasts cease. Should your laptop go into
standby, when it wakes up, it will NOT try to connect to the preferred
SSID, but instead try to reconnect to the previous SSID (the coffee
shop hot spot). Incidentally, this algorithm is the source of the all
too common problem of coming home and discovering that your laptop
still things it's at the coffee shop, and will not connect to your
home network until you scan for networks and intentionally connect to
your home SSID.

>Therefore, my epiphany goes, the "bad guy" could easily determine my home
>network SSID from my single visit to a local public hotspot

Yep, he could. He would need to know your laptops MAC address in
order to filter the traffic to just see your connection requests.
That's not too difficult but you could easily change your MAC address
for the ocassion and drive the sniffer nuts.

>and, with
>enough determination, correlate my preferred non-broadcast wireless
>networks to my laptop computer (even if I've changed my MAC address,
>hostname, username, proxy server, and SSH tunnel, daily).

Nope. The only things that can be sniffed are the MAC address of your
wireless contrivance and your preferred SSID. All the other junk only
becomes useful after successful association with the access point.

However, hiding your SSID is nothing more than security by obscurity.
Same with juggling your MAC address. It creates more obstacles to
overcome, but doesn't actually add much to your overall security. It's
like the username and password problem. It's generally assumed that
the username (or login name) is generally accessible or guessable.
Only the password needs to be secure. It's the same with wireless.
The ONLY thing that needs to be secure is the WPA2 pass phrase. You
can post all the other info on a sign outside your house and without
the WPA2 pass phase, nobody will be able to do much with your wireless
connection.

The whole issue is not terribly relevent because it's easy to sniff
the association/dassociation and authentication/deauthentication
frames, which contain the access point SSID. If I wanted to break
into your home wireless system, I wouldn't do so at a coffee shop. I
would do it at your home.

If you want to go witch hunting for privacy issues, start by getting
rid of all the Post-it notes on your monitor. Most of them probably
contain various passwords. After that, consider how many machines
have your WPA2 pass phrase on them. Ask yourself how many of those
machines have been in the hands of evil hackers like myself. Then
read about recovering the hash codes for WPA2 access from these
machines.
<http://www.nirsoft.net/utils/wireless_key.html>
Give me a few minutes with your laptop and your WPA2 key is mine. Have
you left your laptop unattended and in the presence of known hackers?
Start worrying. All it takes is about 5 seconds and a USB memory
thing with an autorun.inf file setup to extract
HKLMACHINE\SOFTWARE\Microsoft\WZCSVC\Parameters\In terfaces\*
keys from your registry and your shared key is all mine.

Want a fix? Start thinking about NOT using a pre-shared key, but
using a server assigned (RADIUS) delivered key. Each is unique for
each session, and each user. There's nothing saved on the laptop. You
will need a RADIUS server, or RADIUS service provider, a login, and
yet another password.

>QUESTION:
>Is it true that hiding the SSID in one place actually broadcasts it in
>all others?

No. If you did NOT hide your SSID, and broadcast it regularly so that
your neighbors don't land on top of your network and spew trash on the
channel you're using, then when you arrive at the coffee shop, your
laptop will still try to initially connect to the saved preferred
SSID. In other words, you have the same problem with or without a
hidden SSID.

>Why Non-broadcast Networks are not a Security Feature
>* http://technet.microsoft.com/en-us/l.../bb726942.aspx

Actually, a very nice article on some obscure issues some of which I
hadn't considered.

>Notes:
>* I do realize that the realm of "privacy" protection entails a
>thoughtful multi-layered approach, including proxys, SSH tunneling, TORs,
>encryption, spoofing, etc.

Security and privacy are similar but not identical. Security is
preventing anyone from entering your network and then playing tourist.
Privacy is preventing anyone from determining how much porno or warez
you're downloading on your wireless network.

>Therefore, I request the astute advice from the team stay on the specific
>topic of whether or not hiding the SSID on your home wireless router
>actually broadcasts that SSID at all hotspots on your WinXP SP3 laptop.

"...broadcasts that SSID at all hotspots..." is kinda misleading.
Broadcasts are never aimed at a particular device. They're sent to
anyone or anything that's listening. They're not intended to be
hidden, secret, protected, encrypted, private, or obscured.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

On Wed, 16 Feb 2011 21:28:11 -0800, Jeff Liebermann wrote:
> Spell my name correctly ...

Ouch. < embarrassed > Mea culpa. Two f's; two n's. Sorry. Thanks Jeff.

> ... encryption is established AFTER ... initial association
> ... the SSID is ... is NOT encrypted.
> See: Understanding-80211-Frame-Types.htm [by Jim Geier]
> ... once your laptop associates successfully ...
> ... all such broadcasts cease ...
> ... ... ... ... ... ... ... ... ...
> ... If you did NOT hide your SSID...
> ... then when you arrive at the coffee shop
> ... your laptop will still try to initially connect ...
> ... to the saved preferred SSID.
> ... you have the same problem with or without a hidden SSID

Interesting. I did not realize the laptop wireless client, whether Linux
or Windoze, will always send initial probes shouting out the preferred
SSID of its previous connection (whether or not the previous router
connection hid the SSID broadcast).

I also did not realize that all this shouting (i.e., probing) is in the
initial stages only. That is, when connected at the public hotspot, the
home (hidden or not) SSID is no longer disclosed to all.

While I realize hiding your home SSID at a public hotspot is only a very
minor step toward privacy (security by obscurity) ... I guess the next
step ... if I am to continue in this vein ... is for me to try to figure
out a way NOT to shout "any" SSID whatsoever, when I go to a public
hotspot.

Or, if I'm going to shout an SSID no matter what, how to get the laptop
(dual boot, Windoze or Linux) to shout, in effect, a random SSID in its
initial probes.

> ... The only things that can be sniffed are the MAC address...
> ... and your preferred SSID ...
> ... The ONLY thing that needs to be secure is the WPA2 pass phrase.

I don't disagree with you Jeff (that the WPA2 passphrase is paramount).

But I am still striving to figure out how to (at least) hide the home SSID
shouting (i.e., probing) at the subsequent public hotspot.

> ... privacy issues, start by getting rid of ... the Post-it notes
> ... consider how many machines have your WPA2 pass phrase on them
> ... how many of those machines have been in the hands of evil hackers
> ... read about recovering the hash codes for WPA2 access
> See: http://www.nirsoft.net/utils/wireless_key.html
> ... Give me a few minutes with your laptop and your WPA2 key is mine.

Yikes! I presume that also works from a few feet away at a public hotspot,
especially one which is "open" and unencrypted! < scared >

> Want a fix? ... using a server assigned (RADIUS) delivered key
> ... There's nothing saved on the laptop. ...
> You will need a RADIUS server, or RADIUS service provider

I have your basic Linksys WRT54G wireless router, which, from the
documentation, says it supports "RADIUS server".

All my wireless clients support WPA2 so I will do some research to see if/
how that's all I need to set up my home WRT54G as a RADIUS server.

In summary:
* I had not realized the last-connected SSID was always shouted (probed)!
* I did not know this last-connected preferred SSID probe stopped after
the initial connection at the public hotspot.
* I have more reason to research how to PREVENT the last-connected SSID
from being shouted (under all public hotspot circumstances), if possible.
* And, I have more reason to see if the Linksys WRT54G can be set up at
home as a RADIUS server!

On Wed, 16 Feb 2011 21:28:11 -0800, Jeff Liebermann wrote:
> See: Understanding-80211-Frame-Types.htm [by Jim Geier]

Hi Jeff Liebermann and others,

I read the suggested article (over and over). Then I tried to organize
what (I think) it says specifically about disclosure of the previously-
connected service set identifier (SSID) into the typical sequence of
events.

For a typical unencrypted browser-authenticated public wireless hotspot
access point (AP) connection, did I get the scenario below correct,
specifically with respect to discloser of the previously-connected home
SSID?

a. Good guy disconnects from home network (which had SSID = home_ssid).
b. Good guy drives to "open" public hotspot (which has SSID = open_ssid).
c. Good guy powers up dual-boot laptop with an 802.11 radio NIC.

A. AP periodically sends "beacon frames" disclosing its "open_ssid".
B. Radio NIC scans all 802.11 radio channels & is aware of "open_ssid".
C. However, in most cases, "open_ssid" is not (yet) the "preferred SSID".

Firstly ...
1. Radio NIC sends a single "authentication" frame disclosing the NIC MAC.
2. Hotspot AP responds with a single authentication acceptance frame.

Unfortunately ...
3. Radio NIC sends an "association request" to the hotspot access point.
4. This request shouts out the "preferred SSID", namely "home_ssid"!
5. AP sends an "association response frame" rejecting that request.

Meanwhile ...
I. AP periodically sends "beacon frames" disclosing its "open_ssid".
II. Radio NIC scans all 802.11 radio channels & is aware of "open_ssid".

Confusingly ...
6. Radio NIC sends a "probe request" frame to all access points in range.
7. AP replies with a probe response frame (does this contain an AP SSID?).

Finally ...
8. Radio NIC sends an association request frame with the correct AP SSID.
9. This request shouts out the new preferred SSID namely "open_ssid".

Then ...
10. AP receives the request, for "open_ssid", and accepts that request.
11. AP allocates resources & establishes an association ID for radio NIC.
12. AP sends an "association response frame" accepting that request.

So ...
13. The radio NIC can now "communicate" with the AP ethernet LAN.

Where ...
i. Data frames and acknowledgement frames are passed back and forth.
ii. Authentication is typically forced on port 80 of a web browser.
iii. Only now will OS, HOSTNAME, USERNAME & other data be disclosed.

In summary:
* I'm not sure what purpose or disclosures a "probe request" performs.
* The AP "beacon frame" does not seem to prevent previous-SSID disclosure!
* The radio NIC "probe request" first discloses the NIC MAC address.
* Sadly, the first NIC "association request" discloses the previous SSID!
* Only after receiving a negative association request from the AP, does
the radio NIC belatedly send out an association request that no longer
contains the previously used SSID!

Is my understanding (so far) correct?
If so, the quest will be to randomize the previously connected SSID!

Ooops. I sent that before it was ready.

Is this correct (yet)?

a. Good guy disconnects from home network (which had SSID = home_ssid).
b. Good guy drives to "open" public hotspot (which has SSID =
c. Good guy powers up dual-boot laptop with an 802.11 radio NIC.

A. AP periodically sends "beacon frames" disclosing its "open_ssid".
B. Radio NIC scans all 802.11 radio channels & is aware of "open_ssid".
C. However, in most cases, "open_ssid" is not (yet) the "preferred SSID".

For starters ...
1. Radio NIC sends a single "authentication" frame disclosing the NIC MAC.
2. Hotspot AP responds with a single authentication acceptance frame.

Unfortunately ...
3. Radio NIC sends an "association request" to the hotspot access point.
4. This request shouts out the "preferred SSID", namely "home_ssid"! 5.
AP sends an "association response frame" rejecting that request.

Meanwhile ...
I. AP periodically sends "beacon frames" disclosing its "open_ssid".
II. Radio NIC scans all 802.11 radio channels & is aware of "open_ssid".

Confusingly ...
6. Radio NIC sends a "probe request" frame asking for AP information.
7. AP replies with a probe response frame (data rates, power, etc.).

Finally ...
8. Radio NIC sends an association request frame with the correct AP SSID.
9. This request shouts out the new preferred SSID namely, "open_ssid".

Then ...
10. AP receives the request, for "open_ssid", and accepts that request.
11. AP allocates resources & establishes an association ID for radio NIC.
12. AP sends an "association response frame" accepting that request.

So ...
13. The radio NIC can now "communicate" with the AP ethernet LAN.

Where ...
i. Data frames and acknowledgement frames are passed back and forth.
ii. Authentication is typically forced on port 80 of a web browser.
iii. Only now will OS, HOSTNAME, USERNAME & other data be disclosed.

In summary:
* The AP "beacon frame" does not seem to prevent previous-SSID disclosure!
* The radio NIC "probe request" first discloses the NIC MAC address.
* The first NIC "association request" discloses the previous SSID!
* Only after receiving a negative association request from the AP, does
the radio NIC belatedly send out an association request that no longer
contains the previously used SSID!

If correct, the quest will be to randomize the previously-connected SSID
so that it is no longer disclosed (as the "preferred SSID") in the first
radio NIC "association request".

On Thu, 17 Feb 2011 19:36:13 +0000 (UTC), Aaron FIsher
<(E-Mail Removed)> wrote:

>While I realize hiding your home SSID at a public hotspot is only a very
>minor step toward privacy (security by obscurity) ... I guess the next
>step ... if I am to continue in this vein ... is for me to try to figure
>out a way NOT to shout "any" SSID whatsoever, when I go to a public
>hotspot.

The part I don't understand is why you think disclosing the previous
SSID is a privacy or security concern. Can you explain that, please?

On Thu, 17 Feb 2011 19:36:13 +0000 (UTC), Aaron FIsher
<(E-Mail Removed)> wrote:

Short reply. Busy today with customers and paper shuffling.

>Interesting. I did not realize the laptop wireless client, whether Linux
>or Windoze, will always send initial probes shouting out the preferred
>SSID of its previous connection (whether or not the previous router
>connection hid the SSID broadcast).

No, not always. You can disable the preferred network connection
feature in WZC. You can also switch to something better than WZC such
as Intel Proset (for Intel wireless cards only), and Buffalo or
various 3rd party connection managers.
<http://www.avanquest.com/USA/software/avanquest-connection-manager-107347>
<http://www.buffalotech.com/technology/buffalo-advantage/client-manager-3/>

>I also did not realize that all this shouting (i.e., probing) is in the
>initial stages only. That is, when connected at the public hotspot, the
>home (hidden or not) SSID is no longer disclosed to all.

Well, sorta. In the basic Windoze connection manager, the client
stops looking for other access points with which to connect once it
has associated with a single access point. That's not the case with
various seamless roaming schemes, where the client maintains a list of
prospective access point connections, and in some implimentations,
does a "pre-connect". This is roughly how 802.11r works:
<http://en.wikipedia.org/wiki/IEEE_802.11r-2008>

>I don't disagree with you Jeff (that the WPA2 passphrase is paramount).

Fine, but please realize that you're trying to fix a non-problem.
Also, please recognize that security and privacy are quite different.
Various encryption schemes were intended to insure security, not
privacy.

>> See: http://www.nirsoft.net/utils/wireless_key.html
>> ... Give me a few minutes with your laptop and your WPA2 key is mine.
>
>Yikes! I presume that also works from a few feet away at a public hotspot,
>especially one which is "open" and unencrypted! < scared >

Read it again. In order to use this (and other) WPA/WPA2 hash code
extraction tools, I would need to have access to several keys in your
registry. I can't do that via wireless. I have to be either at your
computer running the program, or at a my machine, after having
extracted the keys from your computer.

>> Want a fix? ... using a server assigned (RADIUS) delivered key
>> ... There's nothing saved on the laptop. ...
>> You will need a RADIUS server, or RADIUS service provider
>
>I have your basic Linksys WRT54G wireless router, which, from the
>documentation, says it supports "RADIUS server".

It's not that easy. There are a few routers that have built in RADIUS
servers. ZyXEL G-2000 Plus is one that has a built in PEAP server. In
general, you'll have to either build a Linux box running Free RADIUS,
or subscribe to an online service. I run two small online RADIUS
severs for my customers. I don't have an up to date shopping list,
but here's one Google found:
<http://www.nowiressecurity.com>
Hmmm... login using an email address. So much for privacy.

>All my wireless clients support WPA2 so I will do some research to see if/
>how that's all I need to set up my home WRT54G as a RADIUS server.

WPA2 is encryption which provides your main level of security. WPA
has been cracked for security, but WPA2 is still good with long pass
phrases.
<http://www.aircrack-ng.org/doku.php?id=cracking_wpa>

>In summary:
>* I had not realized the last-connected SSID was always shouted (probed)!

Not always. Just with automatic preferred connections and WZC. Other
connection managers may not do that. Dunno, and am too lazy to check.
<http://compnetworking.about.com/od/windowsxpnetworking/a/automaticwifixp.htm>

>* I did not know this last-connected preferred SSID probe stopped after
>the initial connection at the public hotspot.

Yep, but not if your client and network supports seamless roaming.

>* I have more reason to research how to PREVENT the last-connected SSID
>from being shouted (under all public hotspot circumstances), if possible.

Just turn off automatic preferred network connections and be done with
it.

>* And, I have more reason to see if the Linksys WRT54G can be set up at
>home as a RADIUS server!

Maintaining a RADIUS server is fairly easy. Building one from scratch
is not. However, it does solve the problem of having your pre-shared
key leaked, which is a very real security issue.

--
# Jeff Liebermann 150 Felker St #D Santa Cruz CA 95060
# 831-336-2558
# http://802.11junk.com (E-Mail Removed)
# http://www.LearnByDestroying.com AE6KS

On Thu, 17 Feb 2011 17:30:25 -0600, Char Jackson wrote:
> The part I don't understand is why you think disclosing the previous
> SSID is a privacy or security concern. Can you explain that, please?

Years ago, I wanted to send a nastigram to the head of my company about
what I thought about some, shall we say, questionable activities, within
the company.

Fearing for my livelihood, I researched, at the time, how to send email
anonymously on the web (this was well before public open hotspots were
common but after Yahoo and probably just around the time Gmail free mail
accounts existed).

A set of the tricks I learned in that search, to hide where the email
originated, was to change the MAC address, the host ID, the username, the
browser identification string, etc. of the company computer I was using
to send the email (yea, I know. Using a company computer was folly in the
first place ... but it was all I had at the time).

But, I had never thought about SSID's (actually, those days, I home
wireless routers were not common so I probably hadn't even heard of an
SSID).

From then, 'till now, I thought I knew what needed to be changed to
protect my identity when I needed to be anonymous.

I just realized that all the things I thought I knew about SSIDs are
wrong!

1. I thought I should pick an SSID that was hard to guess; now I realize
I should use something like "NETGEAR" or whatever is the most common SSID
out there!

2. I thought I should hide my SSID at my home router; now I realize I
should broadcast it (see #1 above) for all the world to see (since it's
getting broadcast everywhere I go anyway).

3. I thought only the MAC was disclosed to the router; but now I know the
SSID is also disclosed to the router (although both the MAC and the SSID
go no further than the router).

Losing privacy is by a thousand little things that track your identity or
your activities. Most of our privacy losses can't be prevented if we
first recognize that they exist - and then we take steps to safeguard
them.

Broadcasting your prior SSID is just one of these Orwellian flaws that
doesn't have to be.

On Thu, 17 Feb 2011 15:35:18 -0800, Jeff Liebermann wrote:
> You can disable the preferred network connection feature in WZC.

Hi Jeff,

Thanks for taking the time to help.

I "think" (but need to double check) that a "hidden" SSID has to be set
up as "preferred" for WZC to automatically connect at home. (But, I'll
need to actually test that out to be sure.)

> switch to something better than WZC such as Intel Proset (etc).

Finding & using smarter software is a good idea.

I'll have to see what works best on my dual-boot laptop so that the prior-
connection SSID isn't broadcast unnecessarily ... but ... the connection
to the router is still automatic.

> you're trying to fix a non-problem.
> security and privacy are quite different.

I do realize broadcasting your home SSID is a "small" privacy problem
(maybe even a "trivially small" privacy problem.

And, I do agree that security problems are much more important. Being a
WWII buff, I keep thinking about how both the Germans & Japanese thought
they were secure while we were reading their codes every day. They lost
the war, many people died, partly because they didn't think security was
worth their effort to look at from a different angle.

All I'm doing is looking at my hotspot privacy from a different angle. As
you've said many times, if I try to do to myself exactly what I'm trying
to prevent others from doing, I'll learn better how to protect myself.

> you'll have to either build a Linux box running Free RADIUS, or
> subscribe to an online service. I run two small online RADIUS severs
> for my customers.

Interesting. I live right near you. I should give you a call and see what
your company can do for me. It's 9pm so I won't bother you now (tomorrow
I'll call if that's your preferred method).

I will read, in detail, all the references you quoted and write back.