Wi-Fi Security Myths
Not broadcasting the SSID hides your Wi-Fi
Since the beginning of Wi-Fi, back when it was just called 802.11, just about all wireless routers and access points have allowed you to disable the broadcasting of the Service Set Identifier (SSID) to “hide” the network. As you may be aware, this is the name of the wireless network that appears in the list of available networks on Wi-Fi devices. Since one must know the SSID of a network in order to attempt connecting to it, it has been seen as a technique to help secure wireless networks.
However, what you might not know is that you cannot completely stop the SSID from being sent on a Wi-Fi network. On devices manually configured with the SSID, probe requests may be sent containing the SSID in order to find the network. That is just one of a few different places where the SSID is sent regardless if broadcasting is turned off. Although end-user devices, such as Windows computers or smartphones, don’t reveal the SSID from traffic like this, some wireless stumblers and analyzers will see the SSID and reveal it on the list of nearby networks. Depending upon the type and number of devices connected, this revealing can happen very quickly, and can also be triggered by some tools that send spoofed traffic.
In the early days of Wi-Fi, most end-user devices didn’t list “hidden” wireless networks on their list of nearby networks. Thus one could say their network is more secure since people don’t know it exists. However, again some wireless stumblers and most wireless analyzers have always listed the unnamed networks, regardless if SSID broadcasting is turned off. Furthermore, today most end-user devices will inform users of these types of networks in the list of nearby networks. Though the SSID isn’t shown, it’s recoverable with the right tools as I already discussed.
Not broadcasting your SSID can also have a negative impact on the wireless network’s performance. For instance, your devices may send more probe requests and responses, eating up valuable airtime and allowing less for data traffic.
Enabling MAC address filtering is secure
Just about all wireless routers and access points have also allowed you to restrict which particular computers and devices can connect. The restrictions are imposed by entering in the media access control (MAC) addresses of the devices. You can usually either enter authorized addresses on a whitelist and then deny all other addresses or enter unauthorized addresses on a blacklist and then allow all other addresses. The former is the approach usually referred to when talking about wireless security.
Some believe a network is more secure when you utilize whitelist MAC address filtering, since it prevents devices not using an authorized MAC address from connecting. I don’t fully disagree; it can provide some security at times.
However, keep in mind that MAC address spoofing is very easy to do; you can quickly change the MAC address of most Wi-Fi devices. Furthermore, the MAC addresses of connected devices can be easily revealed using some wireless stumblers and most wireless analyzers. Thus to bypass MAC address filtering one would just have to monitor the airwaves, spoof the MAC address of their device, and then they could attempt to connect. If other security, such as WPA2 is enabled, they’d reach a much tougher roadblock. However, if the network’s security is reliant on the filtering alone, they could likely fully connect to the network.
Limiting IP addresses prevents others from connecting
In order for a device to communicate on a network, it must have an IP address assigned to it, whether automatically assigned via DHCP from the network’s router or manually assigned a static IP on the device. It has been seen by some that limiting the number of IP addresses a router hands out is a security technique.
For example, if there are 10 authorized devices they’d limit the pool of IP addresses in DHCP of the router to 10 addresses. Thus if additional devices try to connect, they wouldn’t receive an IP address and thus not be able to communicate on the network. Another way is that they’d disable DHCP and then manually assign the 10 devices an IP address, so any additional devices must also be manually configured with an IP address in order to connect.
The problem with this security technique is that IP addresses can also be manually assigned to devices, regardless if DHCP is on or off. Furthermore, similar to MAC addresses, IP addresses can be revealed by snoopers using some wireless stumblers and most wireless analyzers. This technique might put a small speed bump in the process of hacking into Wi-Fi, but it surely isn’t a real security technique.
Personal (PSK) security is easier to use
As you may be aware, there are two very different modes of Wi-Fi Protected Access (WPA and WPA2) security. The personal mode, technically called Pre-shared key (PSK), is usually seen as the easier one to setup and use since all you have to do is create a password on the wireless router or access points and then enter that one password on computers and other Wi-Fi devices when attempting to connect. The other mode, usually referred to as the enterprise mode, is usually seen as much more complicated to setup and use since a RADIUS server must be used to enable the 802.1X authentication, which allows each Wi-Fi device and user to use their own unique login credentials when connecting.
I certainly agree the personal mode of WPA and WPA2 is much easier to initially setup; however it can also easily be the hardest and most time consuming mode over time to properly secure on business type networks. This is all because there’s only a single global password for the Wi-Fi, which is also usually saved on the devices you connect from. Thus if an employee or staff member leaves the organization, they take the password with them. Furthermore, if a mobile device is lost or stolen, the password and ability to connect might fall into the wrong hands. Of course, you can always change the Wi-Fi password after these situations occur, but that takes time and energy, and it just might be overlooked or ignored.
Though the enterprise mode of WPA and WPA2 requires a RADIUS server or service and requires managing login credentials for each individual device or user, it’s much easier and secure to change one user’s login credentials than to distribute a new global password to all with the personal mode.
Remember, not broadcasting the SSID of a network doesn’t fully hide the network’s name; it can be revealed by the right tools. MAC address filtering can be easily bypassed with spoofing and IP address limiting can quickly be avoiding as well. Enabling WPA2 security with AES encryption is the best approach, but typically with the enterprise mode that utilizes 802.1X authentication via a RADIUS server.