Issues with SSID cloaking

Are there any pitfalls to using SSID cloaking?
Many organizations use SSID cloaking as a mechanism to add a layer of security to the WLAN. This technique requires that all users have knowledge of the SSID to connect to the wireless network. While this is commonly viewed as a mechanism to improve security and is a recommended best-practice by the PCI Data Security Standard, it can reduce the effective security of the WLAN.

False sense of security
Early wireless network deployments relied on SSID cloaking as a mechanism to prevent unauthorized users from accessing the wireless network. Even though this was never intended to be used as an authentication mechanism, some organizations have adopted cryptic SSID’s that are distributed as shared secrets. Tools such as ESSID-Jack and Kismet observe and report the SSID from legitimate stations, allowing attackers to deduce the SSID and bypass the security.

Confused users
When the network SSID is cloaked, users will be unable to consult the list of available wireless networks for the WLAN. This could prompt users to select other networks which could expose vulnerable clients, or even be construed as computer trespass in some jurisdictions.

Exposure to AP impersonation attacks
Attack tools such as KARMA take advantage of the WLAN probing techniques used by wireless clients. When a station probes for a WLAN in their preferred network list (PNL), the station discloses the SSID to a listening attacker. The KARMA attack uses the disclosed SSID to impersonate a legitimate WLAN.

With the Windows XP SP2 wireless client update hotfix described in KB917021, Windows workstations change the behavior of how they probe for wireless networks. Users and administrators can now mark an entry in the PNL as “nonbroadcast”. When the “Connect even if this network is not broadcasting” option is not selected, the station will not disclose the SSID information, mitigating the KARMA attack. In order for the station to identify the availability of the network however, the AP must have the SSID cloaking feature disabled. If the AP does cloak the SSID, the station must revert to the active network probing mechanism.

Though SSID cloaking might seem like an attractive mechanism to aid the security of the WLAN, it effectively reduces security significantly more than it could potentially gain, exposing enterprise WLANs.

QuickLink: 072369

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now