Hidden SSID is Security Risk?

[Davoud]

I opened my iPhone's WiFi settings to choose a different one of my
several wireless networks, all of which have hidden SSIDs. I saw the
message "Using a hidden network can expose personally identifiable
information. Configure your router to broadcast this network."

Huh? What personal information?

I'm not laboring under any delusions about hidden SSIDs providing a lot
of extra security紀 do that with proper passwords誼ut I wasn't
expecting to see that a hidden SSID may compromise security.

--
I agree with almost everything that you have said and almost everything that
you will say in your entire life.

usenet *at* davidillig dawt cawm

[nospam]

In article <270920162120121208%st...@sky.net>, Davoud <st...@sky.net>
wrote:

> I opened my iPhone's WiFi settings to choose a different one of my
> several wireless networks, all of which have hidden SSIDs. I saw the
> message "Using a hidden network can expose personally identifiable
> information. Configure your router to broadcast this network."
>
> Huh? What personal information?

ignore it.

> I'm not laboring under any delusions about hidden SSIDs providing a lot
> of extra security紀 do that with proper passwords誼ut I wasn't
> expecting to see that a hidden SSID may compromise security.

it doesn't.

[Jolly Roger]

Davoud <st...@sky.net> wrote:
> I opened my iPhone's WiFi settings to choose a different one of my
> several wireless networks, all of which have hidden SSIDs. I saw the
> message "Using a hidden network can expose personally identifiable
> information. Configure your router to broadcast this network."
>
> Huh? What personal information?
>
> I'm not laboring under any delusions about hidden SSIDs providing a lot

> of extra security‹I do that with proper passwords‹but I wasn't

> expecting to see that a hidden SSID may compromise security.

iOS and macOS remember the SSIDs of each network to which you connect.
Later, when the device scans for available networks, they broadcast those
SSIDs (including hidden ones) as part of the probe. The owner of a network
with a hidden SSID might not want that hidden SSID to be seen in those
probes, which is what that message is about.

--
E-mail sent to this address may be devoured by my ravenous SPAM filter.
I often ignore posts from Google. Use a real news client instead.

JR

[nospam]

In article <e50l0f...@mid.individual.net>, Jolly Roger

<jolly...@pobox.com> wrote:

> > I opened my iPhone's WiFi settings to choose a different one of my
> > several wireless networks, all of which have hidden SSIDs. I saw the
> > message "Using a hidden network can expose personally identifiable
> > information. Configure your router to broadcast this network."
> >
> > Huh? What personal information?
> >
> > I'm not laboring under any delusions about hidden SSIDs providing a lot

> > of extra security?I do that with proper passwords?but I wasn't

> > expecting to see that a hidden SSID may compromise security.
>
> iOS and macOS remember the SSIDs of each network to which you connect.
> Later, when the device scans for available networks, they broadcast those
> SSIDs (including hidden ones) as part of the probe. The owner of a network
> with a hidden SSID might not want that hidden SSID to be seen in those
> probes, which is what that message is about.

but it doesn't broadcast where that network happens to be (or any other
ssid in the scan).

[Jolly Roger]

nospam <nos...@nospam.invalid> wrote:
> In article <270920162120121208%st...@sky.net>, Davoud <st...@sky.net>
> wrote:
>
>> I opened my iPhone's WiFi settings to choose a different one of my
>> several wireless networks, all of which have hidden SSIDs. I saw the
>> message "Using a hidden network can expose personally identifiable
>> information. Configure your router to broadcast this network."
>>
>> Huh? What personal information?
>
> ignore it.
>
>> I'm not laboring under any delusions about hidden SSIDs providing a lot

>> of extra security‹I do that with proper passwords‹but I wasn't

>> expecting to see that a hidden SSID may compromise security.
>
> it doesn't.

Yep. Hiding an SSID is a minimally effective way to deter only the most
casual users from seeing a network.

[Jolly Roger]

Yep; though if you happen to be in the area of the network with the
hidden SSID, you'd be broadcasting the hidden SSID to anyone nearby. I
suppose if someone decided to name their hidden SSID with some sort of
personal identifying information (which would be foolish, admittedly),
you'd be broadcasting that information any time the device searches for
networks. None of this seems worthy of a warning message to me, though.
If anything, the owner of the hidden network is the one who should be
concerned about such things, rather than the person connecting. It's
really strange that Apple worded it the warning way they did and saw fit
to put it there at all.

[Patty Winter]

In article <e50l0f...@mid.individual.net>,
Jolly Roger <jolly...@pobox.com> wrote:

>Davoud <st...@sky.net> wrote:
>> I opened my iPhone's WiFi settings to choose a different one of my
>> several wireless networks, all of which have hidden SSIDs. I saw the
>> message "Using a hidden network can expose personally identifiable
>> information. Configure your router to broadcast this network."
>>
>> Huh? What personal information?
>>
>> I'm not laboring under any delusions about hidden SSIDs providing a lot
>> of extra security‹I do that with proper passwords‹but I wasn't
>> expecting to see that a hidden SSID may compromise security.
>
>iOS and macOS remember the SSIDs of each network to which you connect.
>Later, when the device scans for available networks, they broadcast those
>SSIDs (including hidden ones) as part of the probe. The owner of a network
>with a hidden SSID might not want that hidden SSID to be seen in those
>probes, which is what that message is about.

If they broadcast the SSIDs of both open and hidden networks, why doesn't
the message say something like, "Using a hidden network does not protect
the privacy of all personally identifiable information"? The existing
message makes it seem as though hidden networks are a greater security
risk than open ones.


Patty

[Patty Winter]

In article <e50n19...@mid.individual.net>,

Jolly Roger <jolly...@pobox.com> wrote:
>
>I suppose if someone decided to name their hidden SSID with some sort of
>personal identifying information (which would be foolish, admittedly),

Mine is named after my cat.


Patty

[Lewis]

In message <nsfhhj$2ma$1...@dont-email.me>

They are. Hidden networks are automatically a more tempting target.

--
These are the thoughts that kept me out of the really good schools. --
George Carlin

[Bernd Fröhlich]

Patty Winter <pat...@wintertime.com> wrote:

> Mine is named after my cat.

Cheshire? ;-)

[Jolly Roger]

The person who is running the hidden network is the one who should be
concerned that their hidden SSID is broadcasted. For the person connecting
to the network it really doesn't matter whether it's hidden or not - nor
does it matter whether the SSID is broadcast. So personally I wouldn't
display a message at all on iOS.

[JF Mezei]

My understanding (hoping someone will correct me professionally) is:

When your phone is set to autoconnect to a hidden SSID, because it
cannot see it before attempting to connect to it, it needs to try to
connect to it blindly to see if there is a response. This means that
whenever it not connected to another wi-fi, the phone regularly sends a
packet to that SSID in case there would be a response.

I do not know what that packet says, but that appears to be where the
leak of information comes from.

[Happy.Hobo]

On 09-27-2016 21:08, Jolly Roger wrote:
> you'd be broadcasting that information any time the device searches for
> networks. None of this seems worthy of a warning message to me, though.
> If anything, the owner of the hidden network is the one who should be
> concerned about such things, rather than the person connecting. It's

I would think that most of the time, the person connecting to a hidden
SSID (legitimately) is the person who hid it. In that case, the warning
makes some sense, though it seems it would be more useful at the time of
making it hidden. But Apple probably can't add a warning to your router
for you. :-)

[Jolly Roger]

On 2016-09-28, Happy.Hobo <Happy...@Spam.Invalid> wrote:
> On 09-27-2016 21:08, Jolly Roger wrote:
>> you'd be broadcasting that information any time the device searches for
>> networks. None of this seems worthy of a warning message to me, though.
>> If anything, the owner of the hidden network is the one who should be
>> concerned about such things, rather than the person connecting. It's
>
> I would think that most of the time, the person connecting to a hidden

> SSID (legitimately) is the person who hid it.i

While I'm sure that's often the case, I'm not willing to make that
assumption. I have to think there are plenty of cases where the person
connecting isn't the owner of the hidden network.

> In that case, the warning makes some sense, though it seems it would
> be more useful at the time of making it hidden. But Apple probably
> can't add a warning to your router for you. :-)

Apple certainly can display such a warning on an Apple router though.

[Alan Browne]

On 2016-09-27 21:20, Davoud wrote:
> I opened my iPhone's WiFi settings to choose a different one of my
> several wireless networks, all of which have hidden SSIDs. I saw the
> message "Using a hidden network can expose personally identifiable
> information. Configure your router to broadcast this network."
>
> Huh? What personal information?
>
> I'm not laboring under any delusions about hidden SSIDs providing a lot

> of extra security‹I do that with proper passwords‹but I wasn't

> expecting to see that a hidden SSID may compromise security.

SSID's don't provide less or more security. They're just not obvious to
casual observation by a casual WiFi user looking to hook up.

Some people or companies use hidden SSID's as a layer of protection
against hackers. Against any hacker who really wants to know there are
tools that will discover the hidden SSID as soon as anyone in the know
hooks up to it. It's a very thin bit of obfuscation.

The best defense WiFi station side is a strong WPA2 or higher access
scheme with a long, random char password.

--
She hummed to herself because she was an unrivaled botcher of lyrics.
-Nick (Gone Girl), Gillian Flynn.

[Alan Browne]

On 2016-09-27 21:34, Jolly Roger wrote:
> Davoud <st...@sky.net> wrote:
>> I opened my iPhone's WiFi settings to choose a different one of my
>> several wireless networks, all of which have hidden SSIDs. I saw the
>> message "Using a hidden network can expose personally identifiable
>> information. Configure your router to broadcast this network."
>>
>> Huh? What personal information?
>>
>> I'm not laboring under any delusions about hidden SSIDs providing a lot
>> of extra security‹I do that with proper passwords‹but I wasn't
>> expecting to see that a hidden SSID may compromise security.
>
> iOS and macOS remember the SSIDs of each network to which you connect.
> Later, when the device scans for available networks, they broadcast those
> SSIDs (including hidden ones) as part of the probe. The owner of a network
> with a hidden SSID might not want that hidden SSID to be seen in those
> probes, which is what that message is about.

Not like he has much choice if the user side leave the network area and
come back. It will be broadcasting. There, everywhere (unless there's
some location filtering to reduce that side of it).

So what's the message?

If user A uses his home or company hidden WiFi SSID and he's out and
about in the world, that SSID is being ping'd about looking for mama WiFi.

If someone else (mr. X) happened to discover that SSID (back home where
it is) and logged the coordinates of it (but not able to use it), then
whoever in the world broadcast that same SSID pinging to find mama could
be linked to "A"'s home/work WiFi area.

A bit of very obscure identity tracking? Is that what Apple are worried
about?

[Alan Browne]

One approach would be to buy some extra WiFi routers and set up both
"real" looking SSID's to keep an attacker busy ... hook up the router to
a Linux server with tons of disks with encrypted data (noise) and key
files and all sorts of shit to keep 'em happy.

[Alan Browne]

Which is meaninglessly useless near the WiFi using the hidden SSID - but
mapable and useful (in the somewhat extremes of obscurity) to those who
like to map such and make correlations.

Say you're in China and your iPhone goes looking for the
"ultrasecret-lab" SSID. Then the Chinese government (hackers) know 1)
You (they know all about you and your company) and the name of your
company SSID. They now know just a little bit more. And there are data
bases out there that only exist to discover, one little nugget at a
time, as much about you or the company you work for.

This is really edge of the edge case.

[Jolly Roger]

On 2016-09-28, Alan Browne <alan....@freelunchvideotron.ca> wrote:
> On 2016-09-27 21:20, Davoud wrote:
>> I opened my iPhone's WiFi settings to choose a different one of my
>> several wireless networks, all of which have hidden SSIDs. I saw the
>> message "Using a hidden network can expose personally identifiable
>> information. Configure your router to broadcast this network."
>>
>> Huh? What personal information?
>>
>> I'm not laboring under any delusions about hidden SSIDs providing a lot
>> of extra security‹I do that with proper passwords‹but I wasn't
>> expecting to see that a hidden SSID may compromise security.
>
> SSID's don't provide less or more security. They're just not obvious to
> casual observation by a casual WiFi user looking to hook up.
>
> Some people or companies use hidden SSID's as a layer of protection
> against hackers. Against any hacker who really wants to know there are
> tools that will discover the hidden SSID as soon as anyone in the know
> hooks up to it. It's a very thin bit of obfuscation.

Yes, and because of that, it's quite silly for that purpose. I can se
hiding your SSID to discourage relative novices from trying to connect;
but you'd have to be naive to think it is in any way protection from
people who are knowledgeable about networking.

> The best defense WiFi station side is a strong WPA2 or higher access
> scheme with a long, random char password.

True, though it doesn't have to be random if it's of sufficient
length. I use complete sentences with spaces and punctuation, which
makes them easy to remember, unique, and very secure.

[Alan Browne]

On 2016-09-28 20:20, Jolly Roger wrote:
> On 2016-09-28, Alan Browne <alan....@freelunchvideotron.ca> wrote:
>> On 2016-09-27 21:20, Davoud wrote:
>>> I opened my iPhone's WiFi settings to choose a different one of my
>>> several wireless networks, all of which have hidden SSIDs. I saw the
>>> message "Using a hidden network can expose personally identifiable
>>> information. Configure your router to broadcast this network."
>>>
>>> Huh? What personal information?
>>>
>>> I'm not laboring under any delusions about hidden SSIDs providing a lot
>>> of extra security‹I do that with proper passwords‹but I wasn't
>>> expecting to see that a hidden SSID may compromise security.
>>
>> SSID's don't provide less or more security. They're just not obvious to
>> casual observation by a casual WiFi user looking to hook up.
>>
>> Some people or companies use hidden SSID's as a layer of protection
>> against hackers. Against any hacker who really wants to know there are
>> tools that will discover the hidden SSID as soon as anyone in the know
>> hooks up to it. It's a very thin bit of obfuscation.
>
> Yes, and because of that, it's quite silly for that purpose. I can se
> hiding your SSID to discourage relative novices from trying to connect;
> but you'd have to be naive to think it is in any way protection from
> people who are knowledgeable about networking.

Makes me wonder why there isn't a more secure fashion to find a hidden
SSID such as an encrypted hidden SSID based on a SSID, common code,
unique subscriber code, date and time of day changing at the top of each
minute. That way the "enemy" can record all of the requests he wants,
he'll never be able to re-use anything nor compute the codes. And on
top of that, the shared secret password.

Just have to make sure all of the clocks are sync'd - which in the era
of ntp is no big deal.

>> The best defense WiFi station side is a strong WPA2 or higher access
>> scheme with a long, random char password.
>
> True, though it doesn't have to be random if it's of sufficient
> length. I use complete sentences with spaces and punctuation, which
> makes them easy to remember, unique, and very secure.

Which wouldn't pass a security audit. Not to disagree with you - just
the way the auditing weenies are programmed.

At work we use several short words - with random placed caps, number
fields of 4 or 5 chars and each group separated by the odd chars.

Like: eCho-29745)torqUe&28471*AztEc

Not easy to remember, but easy to type in once in a blue moon when needed.

[Davoud]

Alan Browne:

> Not like he has much choice if the user side leave the network area and
> come back. It will be broadcasting. There, everywhere (unless there's
> some location filtering to reduce that side of it).
>
> So what's the message?
>
> If user A uses his home or company hidden WiFi SSID and he's out and
> about in the world, that SSID is being ping'd about looking for mama WiFi.
>
> If someone else (mr. X) happened to discover that SSID (back home where
> it is) and logged the coordinates of it (but not able to use it), then
> whoever in the world broadcast that same SSID pinging to find mama could
> be linked to "A"'s home/work WiFi area.
>
> A bit of very obscure identity tracking? Is that what Apple are worried
> about?

Indeed! If that's all, no sweat. Anyone who wants to know my identity
can ask me. Or read my e-mail address, which includes my first and last
names, at the end of this post. Then they can look me up in the
Baltimore phone book. Or they can visit my Flickr page--it has my name
on it and I leave the EXIF on my photos because certain organizations
that harvest some of my Flickr photos (Encyclopedia of Life and The
Maryland Biodiversity Project) need GPS data on the photo. In the
course of my traveling career I handed my ID to scores of governments
around the world, many of them hostile. The PRC hacked OPM and stole
some of my annuity records. I can think of a hundred ways someone can
identify me and my location, and you can probably think of a hundred
more. So someone learning that I have a "hidden" WiFi network at home
named "pyramid" does not seem like the end of the world to me.
Especially since said network is in a semi-rural area quite a distance
from a road where no one stops or parks without being noticed.

BTW, the router in question--the one Apple tells me to reconfigure to
reveal the SSID--is an Apple-brand Airport Base Station. So why did
Apple make it capable of hiding the SSID if that's Bad?

P.S. I drive a Lexus with Lexus Enform (Enform, Inform--get it?)
active. The car has its own cellular comms system. Lexus can read my
GPS data even when the car is turned off. Lexus will program my GPS
remotely if I request it. I get an e-mail every month with a vehicle
diagnostic--miles driven, oil quantity and condition, other maintenance
data. I get e-mails from the car from time to time telling me where it
is. With Enform I don't have to worry whether Big Brother is watching;
I *know* he is. And Big Brother is so clever he makes *me* pay an
annual fee for him to watch me!

[Jolly Roger]

Alan Browne <alan....@freelunchvideotron.ca> wrote:
>
> So what's the message?
>
> If user A uses his home or company hidden WiFi SSID and he's out and
> about in the world, that SSID is being ping'd about looking for mama WiFi.
>
> If someone else (mr. X) happened to discover that SSID (back home where
> it is) and logged the coordinates of it (but not able to use it), then
> whoever in the world broadcast that same SSID pinging to find mama could
> be linked to "A"'s home/work WiFi area.
>
> A bit of very obscure identity tracking? Is that what Apple are worried
> about?

That seems to be the case. The chances of this happening combined with the
low impact even if it did happen are why I wouldn't bother displaying any
message at all if it were my decision. And if I did display a message, I'd
definitely word it far differently.

[Jolly Roger]

Davoud <st...@sky.net> wrote:
>
> BTW, the router in question--the one Apple tells me to reconfigure to
> reveal the SSID--is an Apple-brand Airport Base Station. So why did
> Apple make it capable of hiding the SSID if that's Bad?

Yep. And why didn't they give you a warning when you hid it on the router?
Seems sloppy to me.

[JF Mezei]

On 2016-09-29 00:06, Jolly Roger wrote:

> That seems to be the case. The chances of this happening combined with the
> low impact even if it did happen are why I wouldn't bother displaying any
> message at all if it were my decision.

Sicne your phone, when not connected, will constantly send out an
attempt to connect to any/all known hidden SSIDs in its list, what those
packets contain becomes important.

If it is just a "hello are you there?" , then that is fine. But if that
packet contains some encrypted login information that can relatively
easily be decrypted, then you are exposing youself. Consider industrial
spy that follows a Monsanto scientist at an airport, gets that packet,
spends time to decrupt it and eventually travers to monsanto facility
and is able to login.

[Jolly Roger]

JF Mezei <jfmezei...@vaxination.ca> wrote:
> On 2016-09-29 00:06, Jolly Roger wrote:
>
>> That seems to be the case. The chances of this happening combined with the
>> low impact even if it did happen are why I wouldn't bother displaying any
>> message at all if it were my decision.
>
> Sicne your phone, when not connected, will constantly send out an
> attempt to connect to any/all known hidden SSIDs in its list, what those
> packets contain becomes important.
>
> If it is just a "hello are you there?" , then that is fine. But if that
> packet contains some encrypted login information that can relatively
> easily be decrypted

WiFi probe requests don't contain login information. And WPA2 encryption
isn't easily decrypted either. I'd tell you to do your research, but I know
you'd rather just spout off bullshit from a position of ignorance.

[Happy.Hobo]

On 09-28-2016 23:06, Jolly Roger wrote:
> That seems to be the case. The chances of this happening combined with the
> low impact even if it did happen are why I wouldn't bother displaying any
> message at all if it were my decision. And if I did display a message, I'd
> definitely word it far differently.

Anyone whose secrets merit worrying about such things either already
knows and doesn't need the message, or is sufficiently incompetent to be
easily cracked in some other way.

[Happy.Hobo]

On 09-28-2016 19:20, Jolly Roger wrote:
> Yes, and because of that, it's quite silly for that purpose. I can se
> hiding your SSID to discourage relative novices from trying to connect;
> but you'd have to be naive to think it is in any way protection from
> people who are knowledgeable about networking.

If you don't have anything to hide, the snoops aren't go to bother. So
the hidden SSID would have the small benefit of keeping the kiddies from
wasting your bandwidth. (Although your WiFi is probably much slower
than your wired connection anyway.)

[Jolly Roger]

On 2016-09-29, Happy.Hobo <Happy...@Spam.Invalid> wrote:
> On 09-28-2016 19:20, Jolly Roger wrote:
>> Yes, and because of that, it's quite silly for that purpose. I can se
>> hiding your SSID to discourage relative novices from trying to connect;
>> but you'd have to be naive to think it is in any way protection from
>> people who are knowledgeable about networking.
>
> If you don't have anything to hide, the snoops aren't go to bother.

That's foolish reasoning. With the vast dearth of oversight into how
police departments and other government agencies are gathering and using
data about innocent citizens without due cause or court order, if it can
be abused, it likely is (or will be) abused, as Edward Snowden and
others have already shown the public.

> So the hidden SSID would have the small benefit of keeping the kiddies
> from wasting your bandwidth.

No. Hiding the SSID only discourages the most casual users from seeing
and connecting. It doesn't prevent anyone know knows anything from
seeing the network, and it *definitely* has *nothing* to do with
preventing anyone from connecting - that's what strong encryption (WPA2,
etc) does.

[Jolly Roger]

On 2016-09-29, Jolly Roger <jolly...@pobox.com> wrote:
> On 2016-09-29, Happy.Hobo <Happy...@Spam.Invalid> wrote:
>> On 09-28-2016 19:20, Jolly Roger wrote:
>>> Yes, and because of that, it's quite silly for that purpose. I can se
>>> hiding your SSID to discourage relative novices from trying to connect;
>>> but you'd have to be naive to think it is in any way protection from
>>> people who are knowledgeable about networking.
>>
>> If you don't have anything to hide, the snoops aren't go to bother.
>
> That's foolish reasoning. With the vast dearth of oversight into how
> police departments and other government agencies are gathering and using
> data about innocent citizens without due cause or court order, if it can
> be abused, it likely is (or will be) abused, as Edward Snowden and
> others have already shown the public.
>
>> So the hidden SSID would have the small benefit of keeping the kiddies
>> from wasting your bandwidth.
>
> No. Hiding the SSID only discourages the most casual users from seeing
> and connecting.

s/and connecting//

> It doesn't prevent anyone know knows anything from
> seeing the network, and it *definitely* has *nothing* to do with
> preventing anyone from connecting - that's what strong encryption (WPA2,
> etc) does.

s/connecting/authenticating/

[JF Mezei]

On 2016-09-29 17:01, Jolly Roger wrote:

> WiFi probe requests don't contain login information. And WPA2 encryption
> isn't easily decrypted either.

The first sentence is all that is needed.

So, if a probe request contains no identifying information, except the
BSSID of the hidden network, is there much harm is having those probe
requests go out at some airport where everyone can see it ?

If someone knows there is a hidden network around, can't he just do
packet traces and found out about it ?

[Patty Winter]

In article <1mua3k7.1u3xnlopgdpfkN%be...@eaglesoft.de>,

No, but good guess! British shorthairs were supposedly the inspiration
for Dodgson's Cheshire Cat.


Patty

[Davoud]

Bernd Fröhlich:
> >Cheshire? ;-)

Patty Winter:

> No, but good guess! British shorthairs were supposedly the inspiration
> for Dodgson's Cheshire Cat.

Dodgson... Dodgson... Now where have I heard that name? Oh, yes. That
would be Anglican deacon Charles L. Dodgson, aka Lewis Carroll, who
wrote wonderful stories and who also photographed young girls in
various stages of déshabillé, including at least one photo of a
teenager (Lorina Liddell, older sister of Alice Liddell) with
full-frontal nudity, always with the girls' parents' permission. Neat
hobby back when one could get away with it! Possession of many of his
photographs would be a criminal offense today, would get a man labeled
as a sex offender. No, I don't have any of them (honest), but I have
seen a few in a private collection in the U.K. It has been argued that
Dodgson's photos are not erotic. They are. Two of his nudes and an
erotic portrait of Alice Liddell as a beggar girl may be seen at
<http://www.photography-news.com/2015/01/lewis-carrolls-haunting-photogr
aphs-of.html>.