Comments on: No password. No broadcast. No brains?

Question: No password. No broadcast. No brains?

DLWM — Tue, 02 Sep 2008 17:42:12 -0800

I have no security enabled on my wireless network, but SSID broadcast is turned off. Is this just kind of insecure, or all types of insecure?

This question made me think of my similar but slightly different situation. For some reason I can't get all the laptops in my apartment to connect to my wireless network when using WPA or WPA2 encryption -- my older PowerBook connects fine, but the newer MacBook keeps getting "There was an error joining this network..." messages.

So, being lazy, I just turned off the security entirely and then made the network invisible by turning off SSID broadcast. Now any computer can connect to it, provided, of course, that the user knows the "secret" name of the network. I did this in lieu of MAC filtering because I wanted to be able to have friends who come over be able to quickly connect without any mucking around with the MAC whitelist.

Am I totally fooling myself that this is more-or-less secure? Can Mr. Blackhat still "see" my wireless network even without and SSID broadcast?

Oh, and if anyone's had similar problems getting a MacBook to connect to a WPA/WPA2 network they've been able to fix, I'm all ears. The WAP is a Zyxel P660HW-T3, which is a combination DSL modem/router/LAN hub/WAP.

By: EndsOfInvention

EndsOfInvention — Tue, 02 Sep 2008 17:47:45 -0800

Am I totally fooling myself that this is more-or-less secure?

Yes.

Can Mr. Blackhat still "see" my wireless network even without and SSID broadcast?

Yes.

By: o2b

o2b — Tue, 02 Sep 2008 17:48:54 -0800

You're fooling yourself that it's secure. There are many apps out there that will sniff out networks even though they aren't broadcasting their SSID.

The only thing it protects you from are leeching neighbors who aren't sophisticated enough to download these applications.

By: gog

gog — Tue, 02 Sep 2008 17:50:25 -0800

Your fooling yourself.

WIFI scanning software will pick up your network without the SSID being broadcast.

By: pompomtom

pompomtom — Tue, 02 Sep 2008 18:12:26 -0800

My PHONE will tell me that there are networks up with hidden SSIDs. I'd have to reach over and open my laptop to find out what the SSID was and then connect.

By: Tomorrowful

Tomorrowful — Tue, 02 Sep 2008 18:35:39 -0800

This is kind of like leaving your door unlocked, and putting up a big sign that says PLEASE DO NOT ENTER KTHX.

By: flabdablet

flabdablet — Tue, 02 Sep 2008 18:41:02 -0800

The rules for WLAN security are really, really simple.

WPA/WPA2 with strong password: sufficiently secure.
Anything else: not.

I'm not, in general, a Mac user, but I did have trouble connecting a neighbor's MacBook to my WPA-secured WLAN. Mainly the trouble was finding my way in through a rather bizarre UI to find the right spot to tell it to use WPA instead of WEP and paste in the network key. I don't remember the details, but I do remember it was hard, and until I'd done it properly it kept trying to connect unsuccessfully, and the message you quote does ring bells. Stick at it.

In general, I've had more luck with WPA than WPA2. Given sufficiently strong keys (I generate mine from /dev/urandom) they're equivalently secure, as far as I know.

By: damn dirty ape

damn dirty ape — Tue, 02 Sep 2008 19:08:18 -0800

The problem I have with OS X and WPA is that the OS X client will sometimes think that that the router is WEP. You have to manually select WPA-PSK from the dropdown.

Or work around the problem by buying a used WAP from ebay, disabling the wireless on your router, and plugging into your router.

By: Lemurrhea

Lemurrhea — Tue, 02 Sep 2008 19:12:43 -0800

In regards to flabdablet's last statement, that WPA & WPA2 are equivalently secure, that is not true. They implement different ciphers, one being a stream cipher the other being AES (a block cipher). WPA2 is without question more secure.

Nonetheless, as far as I know neither has been broken 'in the wild', so you should be fine either way. but they are different levels of secure.

By: joshrholloway

joshrholloway — Tue, 02 Sep 2008 19:17:32 -0800

flabadablet wins. Like the answer to the other question earlier today (about MAC filtering), there is no substitute for good WPA security.

By: Nelson

Nelson — Tue, 02 Sep 2008 20:10:02 -0800

Security depends on your threat model. If you're only worried about keeping out a casual neighbour freeriding on your network, then disabling SSID broadcast is probably enough. That step will prevent the default Windows/MacOS network dialogs from seeing your network. But if you want real security, where a slightly more determined attacker can't quickly sniff your SSID and then get on your network, then yeah you need encryption.

By: maremare

maremare — Tue, 02 Sep 2008 21:47:24 -0800

My network is open. No password, SSID broadcast on, and it is even named 'open'.

Just as Bruce Schneier's network.

By: damn dirty ape

damn dirty ape — Tue, 02 Sep 2008 22:32:41 -0800

Bruce also knows how to lockdown desktops, servers, implement radius, create virtual networks, prioritize traffice, firewall ports, etc. Joe Wireless user doesnt, hence all the recommendations to use WPA and be donewith it.

By: DecemberBoy

DecemberBoy — Tue, 02 Sep 2008 23:28:32 -0800

It's not secure as such, but I've honestly never bothered with encryption on my home network. Unless you live in an apartment building or similar lots-of-people-in-a-small-space type lodgings where people are likely to access it unauthorized, I wouldn't worry about it. I can barely get a decent signal from 30-40 feet away from the router, much less from outside. If someone wants to expend the effort to sit outside in a car or something and leech my wireless with 10% signal strength, then let them. Besides, WEP and WPA can be easily cracked, and anyone who knows enough to scan for wireless networks knows this.

By: flabdablet

flabdablet — Wed, 03 Sep 2008 01:02:37 -0800

DecemberBoy, as far as I know the only way to crack WPA in a feasible amount of time involves brute-forcing the pre-shared key using a dictionary search for passwords, and if your key is a large random number rather than the hash of some dictionary word and your SSID, that won't work. Do you know different? If so, do you have a reference I could read?

By: DecemberBoy

DecemberBoy — Wed, 03 Sep 2008 01:19:19 -0800

Yeah, the WPA crack involves sniffing the client authentication and dictionary attacking the hashed key, but it's probably effective for a large percentage of home routers. I'm not saying that no one should ever use encryption on their wireless LAN, just that I don't. If you don't live in a large apartment building where who knows how many people can pick up your signal, I wouldn't bother. Besides, if someone wants to leech my internet service, I don't really care, honestly. All the machines on my network are reasonably secure, non-Windows machines.

By: flabdablet

flabdablet — Wed, 03 Sep 2008 03:51:39 -0800

the WPA crack involves sniffing the client authentication and dictionary attacking the hashed key, but it's probably effective for a large percentage of home routers

Worth a little emphasis in the Simple WLAN Security Rules, then.

WPA/WPA2 with strong password: sufficiently secure.
Anything else: not.

By: damn dirty ape

damn dirty ape — Wed, 03 Sep 2008 06:59:39 -0800

>WPA can be easily cracked

Easily? No. Unless someone has an extremely weak passphrase, but thats true of just about everything in computer security. Even then its leaps above WEP. WPA is actually a pretty good wireless protection scheme, with either TKIP or AES.

By: DLWM

DLWM — Wed, 03 Sep 2008 15:23:38 -0800

Thanks everyone. I'm more concerned about neighbors freeriding, and my periodic checks indicate that no one other than my devices are connecting. So I'm not too worried, but good to know that the network isn't really "invisible" to anyone looking.

flabdablet, dda, thanks for the tips about using WPA/WPA2 on the Mac. I'll play around with it some more to see if I can get anywhere.