21

From casual reading over the years, I've frequently encountered statements to the effect that hidden networks (i.e. wireless networks that do not broadcast their SSID) are unsafe, and that you should configure the wireless router with WPA2-PSK.

That implies that a hidden network and WPA2-PSK are mutually exclusive.
Or, put another way, that implies that a hidden network with X security is less secure than a non-hidden network with that same X security.
But my router seems to allow the capability to configure both independently, as in this screenshot:
[screenshot]

Question:
Is a hidden network with "X" security less secure than a non-hidden network with that same "X" security (whether it is WPA2-PSK, or what have you)?
If yes, why?
That implies that hiding a network somehow "undoes" some aspect of the security provided by WPA2-PSK, etc. -- can someone please explain if this is so, and why?

StoneThrow
    The answer is no. – DavidPostill Aug 27 '22 at 18:21
  • Agree - No. I use my Windows 11 machine in a location where few people are around and use open wireless (all I have available) and it works fine. – John Aug 27 '22 at 18:28
    "Use suggestions to ask for more information or suggest improvements. Avoid answering questions in comments." Even if the answer is "no" you can still post that as an answer... – u1686_grawity Aug 29 '22 at 07:15
    Allowing WPA2-PSK [AES] alone is more secure than also allowing WPA-PSK [TKIP]. The only reason to use WPA is if you have extremely old devices which do not support WPA2. But in 2022 it's very unlikely: WPA2 came out in 2004. Just ditch WPA1! – Fabio says Reinstate Monica Aug 29 '22 at 08:56
  • "*That implies that a hidden network and WPA2-PSK are mutually exclusive*" they aren't, but many people just thought "hey, if my network is hidden, that's enough security, I don't need WPA2-PSK or anything else like that", which most definitely isn't true at all. – jcaron Aug 30 '22 at 16:06

3 Answers

34

A hidden network is generally regarded as being less secure for the client.

A client seeking to join a non-hidden network is able to passively listen for the access-point to broadcast its identity. A client seeking to join a hidden network must itself broadcast "hello network ssid".

A rogue access-point overhearing these client broadcasts can pretend that it is the requested access-point. If the client accepts a connection to an unencrypted network as allowable (thankfully rare these days) then the rogue access-point has MiTM'ed the client.

user1725198
  • What clients refuse to connect to unsecured Wi-Fi networks? – user570286 Aug 29 '22 at 05:03
    @user570286 My client (`wpa_supplicant`) will refuse to connect to a hidden network if its encryption is different to what's listed in the configuration. – wizzwizz4 Aug 29 '22 at 12:42
    As I understand this answer, the danger is, a bad actor can listen for my laptop broadcasting "hello, eeeeeee" and therefore he knows there's a network named _eeeeeee_, so he can run malicious software that says "I'm eeeeeee", and intercept StoneThrow's laptop connection. But since a non-hidden network broadcasts "my name is aaaaaaa" doesn't that result in the same consequence: bad actor knows there's a network named _aaaaaaa_ so he runs malicious software that says "I'm aaaaaaa" and intercept connecting PCs? – StoneThrow Aug 29 '22 at 14:36
    Or, put another way, my understanding of this answer is: the aspect of hidden networks that is generally regarded as being less secure is that a bad actor can determine the name of the (hidden) network (by listening to the client's broadcast). But that same bad actor can determine the names of non-hidden networks because they themselves broadcast their names. I.e. in both cases, we arrive at the same point: bad actor has become aware of network names. Is there something I'm missing? I wonder if you might update your answer to address what I'm trying to articulate...? – StoneThrow Aug 29 '22 at 14:49
  • The only difference I can imagine is that the hidden network in question might be one's _home_ network, which in Windows might be configured with a more permissive firewall ruleset than nearby public networks (though even that matters more for direct incoming attacks like SMB or RPC, and doesn't make much of a difference as far as MITM of outbound connections goes). So in some specific cases, an attacker might want to spoof the victim's "home" network at some other location? I guess? – u1686_grawity Aug 29 '22 at 15:19
  • @StoneThrow If you ever connected to a hidden network your device will keep actively polling for it (to see if it comes back in range) even if you are in a totally different location. That means that the laptop keeps actively inviting bad actors to present it with a fake version of that network. This doesn't happen for non-hidden networks, because the laptop can passively listen to see if they are in range. Effectively this polling greatly increases the exposure to possible attacks. – Tonny Aug 29 '22 at 18:05
  • @StoneThrow If you live in NYC and connect to a network called "StoneThrow's Apartment NYC" and you come to LA and it's a hidden network, your device is broadcasting "Hello, is StoneThrow's Apartment NYC there?" and my device can say "Hey, yes, I'm StoneThrow's Apartment NYC". If it wasn't hidden, your device wouldn't broadcast and I'd somehow have to **guess** to say "Hi, I'm StoneThrow's Apartment NYC" – user253751 Aug 29 '22 at 21:58
    @StoneThrow The issue for the client is not only the MITM threat; it's also a location tracking issue, if the adversary has access to a large network of listening access points. Modern devices may randomize client MAC addresses to make it harder to track, but if you are constantly broadcasting a unique set of hidden SSIDs that you are trying to join, it defeats this randomization. – b0fh Aug 30 '22 at 13:23
  • There's also a loss of privacy from the broadcasting: if the same device is going both "Hello StoneThrow's Apartment NYC" and "Hello Joe's Discount STD Clinic", people can draw unpleasant inferences. – Mark Aug 30 '22 at 22:02
26

No, they're not "less secure" – but they're also not more secure than normal networks, either. It would be unsafe to rely on hidden SSID as your primary security mechanism instead of WPA2.

(For example, a hidden network that uses legacy WEP can be discovered and cracked as easily as a non-hidden one, therefore it would be unsafe to use "but it's hidden" as an excuse to delay upgrading WEP networks to WPA2.)

Hidden networks handle WPA and WPA2 the same way as normal networks; the only difference is that instead of the access point revealing its name, client devices actively probe for it (and thus reveal its name wherever you go anyway), but otherwise the handshake proceeds as usual.

Hidden SSID is more appropriately used for point-to-point links where the client devices are statically configured for a specific network and having it show up in everyone's network list would only be unnecessary clutter (e.g. in a city there might be 10-20 Wi-Fi-based PtP links running above your head).

u1686_grawity
  • I recall using the kernel interface to WiFi access points a while ago. I could see hidden networks and join them like they weren't hidden. I had no idea what they were called because I didn't know how to interrogate them to get their names but joining was no issue. – Joshua Aug 28 '22 at 02:56
  • So, another example of "security by obscurity is not security". – BruceWayne Aug 30 '22 at 00:24
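To make the point of the two answers above concrete (the first answer's point that for a hidden network it is the client, not the access point, that names the network over the air, and the second answer's point that hiding changes nothing about the security handshake itself), here is an added worked example. It is not code from the question, the answers, or any project mentioned on this page. It hand-builds minimal 802.11 management frames in pure Python and parses them back: a beacon from a broadcast network, a beacon from a hidden one (zero-length SSID element), the directed probe request a client sends to find the hidden one, and the probe response a rogue AP could send after overhearing it. The MAC addresses and network names are constructed for the example, and `client_accepts` is a deliberately simplified stand-in for a supplicant policy of refusing a network whose advertised security differs from the saved profile (the behaviour wizzwizz4's comment attributes to wpa_supplicant), not any real supplicant's code.

```python
import struct

MGMT_PROBE_REQ, MGMT_PROBE_RESP, MGMT_BEACON = 4, 5, 8   # management-frame subtypes
IE_SSID = 0                                              # information-element tag
CAP_PRIVACY = 0x0010   # Capability Information bit 4: encryption (WEP/WPA/WPA2) in use
BROADCAST = bytes.fromhex("ffffffffffff")


def ie(tag, value):
    """Encode one information element: tag, length, value."""
    return struct.pack("<BB", tag, len(value)) + value


def mgmt_header(subtype, dst, src, bssid):
    """24-byte MAC header: frame control (version 0, type 0 = management), duration,
    addr1 (receiver), addr2 (transmitter), addr3 (BSSID), sequence control."""
    return struct.pack("<HH6s6s6sH", subtype << 4, 0, dst, src, bssid, 0)


def fixed_fields(privacy):
    """Timestamp, beacon interval, capability: shared by beacon and probe response."""
    return struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)


def beacon(bssid, ssid, privacy=True, hidden=False):
    """Beacon broadcast by an AP. A hidden network sends a zero-length SSID element."""
    body = fixed_fields(privacy) + ie(IE_SSID, b"" if hidden else ssid.encode())
    return mgmt_header(MGMT_BEACON, BROADCAST, bssid, bssid) + body


def probe_request(client, ssid):
    """Directed probe request: the client itself names the network it is looking for."""
    return mgmt_header(MGMT_PROBE_REQ, BROADCAST, client, BROADCAST) + ie(IE_SSID, ssid.encode())


def probe_response(bssid, client, ssid, privacy):
    """Probe response unicast to the client; same fixed fields as a beacon."""
    body = fixed_fields(privacy) + ie(IE_SSID, ssid.encode())
    return mgmt_header(MGMT_PROBE_RESP, client, bssid, bssid) + body


def parse(frame):
    """Decode subtype, addresses, privacy bit and SSID. ssid is None when the SSID
    element is empty or NUL-padded (hidden beacon, or wildcard probe request)."""
    fc, _dur, dst, src, bssid, _seq = struct.unpack_from("<HH6s6s6sH", frame, 0)
    subtype, pos, privacy, ssid = (fc >> 4) & 0xF, 24, None, None
    if subtype in (MGMT_BEACON, MGMT_PROBE_RESP):
        _ts, _interval, cap = struct.unpack_from("<QHH", frame, pos)
        privacy, pos = bool(cap & CAP_PRIVACY), pos + 12
    while pos + 2 <= len(frame):
        tag, length = struct.unpack_from("<BB", frame, pos)
        value = frame[pos + 2:pos + 2 + length]
        pos += 2 + length
        if tag == IE_SSID and value and set(value) != {0}:
            ssid = value.decode("utf-8", "replace")
    return {"subtype": subtype, "dst": dst, "src": src, "bssid": bssid,
            "privacy": privacy, "ssid": ssid}


def rogue_answer(frame, rogue_bssid):
    """What an attacker in range can do with an overheard directed probe: answer as that
    network, advertising it as open so a client willing to downgrade would associate."""
    info = parse(frame)
    if info["subtype"] != MGMT_PROBE_REQ or info["ssid"] is None:
        return None   # a wildcard probe names nothing to impersonate
    return probe_response(rogue_bssid, info["src"], info["ssid"], privacy=False)


def client_accepts(frame, profile):
    """Simplified supplicant policy (an assumption for this example, not any real
    supplicant's code): join only if SSID and advertised privacy bit match the profile."""
    info = parse(frame)
    return (info["subtype"] == MGMT_PROBE_RESP and info["ssid"] == profile["ssid"]
            and info["privacy"] == profile["privacy"])


def probed_ssids(frames):
    """Passive listener's view: which network names each client MAC has asked for."""
    seen = {}
    for info in map(parse, frames):
        if info["subtype"] == MGMT_PROBE_REQ and info["ssid"]:
            seen.setdefault(info["src"], set()).add(info["ssid"])
    return seen


def demo():
    """Constructed addresses and network names; nothing here is captured traffic."""
    ap, rogue, laptop = (bytes.fromhex(h) for h in ("020000000001", "020000000099", "020000000042"))
    req = probe_request(laptop, "HomeNet")
    fake = rogue_answer(req, rogue)
    return {
        "visible_beacon_ssid": parse(beacon(ap, "CoffeeShop"))["ssid"],
        "hidden_beacon_ssid": parse(beacon(ap, "HomeNet", hidden=True))["ssid"],
        "probed_ssid": parse(req)["ssid"],
        "rogue_claims": parse(fake)["ssid"],
        "open_profile_joins": client_accepts(fake, {"ssid": "HomeNet", "privacy": False}),
        "wpa2_profile_joins": client_accepts(fake, {"ssid": "HomeNet", "privacy": True}),
        "tracked": probed_ssids([req, probe_request(laptop, "Clinic-Guest")]),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the asymmetry directly: the hidden beacon parses with `ssid` `None` (a listener learns that some AP exists, not what it is called), while the client's probe request carries `HomeNet` in the clear for anyone in range, wherever the laptop happens to be, and `probed_ssids` collects those names per client MAC the way a listening network of access points could. The rogue probe response is accepted only by a profile willing to join an open network; a profile that insists on the privacy bit (WPA/WPA2) rejects it, which is exactly the case where hiding the SSID neither helps nor hurts.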
2

Even if your network router is broadcasting the SSID, there is access-point poisoning, where a bad actor could just copy the exact name of a publicly broadcast access point, and you as the client just happen to connect to it and start typing in a password. In a large populated area, if many people are trying to access that AP, that password can be intercepted pretty quickly. And now someone has access to a private network.

Ada