No password. No broadcast. No brains?
September 2, 2008 5:42 PM

I have no security enabled on my wireless network, but SSID broadcast is turned off. Is this just kind of insecure, or all types of insecure?

This question made me think of my similar but slightly different situation. For some reason I can't get all the laptops in my apartment to connect to my wireless network when using WPA or WPA2 encryption -- my older PowerBook connects fine, but the newer MacBook keeps getting "There was an error joining this network..." messages.

So, being lazy, I just turned off the security entirely and then made the network invisible by turning off SSID broadcast. Now any computer can connect to it, provided, of course, that the user knows the "secret" name of the network. I did this in lieu of MAC filtering because I wanted to be able to have friends who come over be able to quickly connect without any mucking around with the MAC whitelist.

Am I totally fooling myself that this is more-or-less secure? Can Mr. Blackhat still "see" my wireless network even without an SSID broadcast?

Oh, and if anyone's had similar problems getting a MacBook to connect to a WPA/WPA2 network they've been able to fix, I'm all ears. The WAP is a Zyxel P660HW-T3, which is a combination DSL modem/router/LAN hub/WAP.
posted by DLWM to Computers & Internet (18 answers total) 1 user marked this as a favorite
 
Am I totally fooling myself that this is more-or-less secure?

Yes.

Can Mr. Blackhat still "see" my wireless network even without an SSID broadcast?

Yes.
posted by EndsOfInvention at 5:47 PM on September 2, 2008


You're fooling yourself that it's secure. There are many apps out there that will sniff out networks even though they aren't broadcasting their SSID.

The only thing it protects you from are leeching neighbors who aren't sophisticated enough to download these applications.
posted by o2b at 5:48 PM on September 2, 2008


You're fooling yourself.

WIFI scanning software will pick up your network without the SSID being broadcast.
posted by gog at 5:50 PM on September 2, 2008


My PHONE will tell me that there are networks up with hidden SSIDs. I'd have to reach over and open my laptop to find out what the SSID was and then connect.
posted by pompomtom at 6:12 PM on September 2, 2008


This is kind of like leaving your door unlocked, and putting up a big sign that says PLEASE DO NOT ENTER KTHX.
posted by Tomorrowful at 6:35 PM on September 2, 2008


The rules for WLAN security are really, really simple.

WPA/WPA2 with strong password: sufficiently secure.
Anything else: not.

I'm not, in general, a Mac user, but I did have trouble connecting a neighbor's MacBook to my WPA-secured WLAN. Mainly the trouble was finding my way in through a rather bizarre UI to find the right spot to tell it to use WPA instead of WEP and paste in the network key. I don't remember the details, but I do remember it was hard, and until I'd done it properly it kept trying to connect unsuccessfully, and the message you quote does ring bells. Stick at it.

In general, I've had more luck with WPA than WPA2. Given sufficiently strong keys (I generate mine from /dev/urandom) they're equivalently secure, as far as I know.
posted by flabdablet at 6:41 PM on September 2, 2008 [1 favorite]


The problem I have with OS X and WPA is that the OS X client will sometimes think that the router is WEP. You have to manually select WPA-PSK from the dropdown.

Or work around the problem by buying a used WAP from ebay, disabling the wireless on your router, and plugging into your router.
posted by damn dirty ape at 7:08 PM on September 2, 2008 [1 favorite]


In regards to flabdablet's last statement, that WPA & WPA2 are equivalently secure, that is not true. They implement different ciphers, one being a stream cipher the other being AES (a block cipher). WPA2 is without question more secure.

Nonetheless, as far as I know neither has been broken 'in the wild', so you should be fine either way. But they are different levels of secure.
posted by Lemurrhea at 7:12 PM on September 2, 2008


flabdablet wins. Like the answer to the other question earlier today (about MAC filtering), there is no substitute for good WPA security.
posted by joshrholloway at 7:17 PM on September 2, 2008


Security depends on your threat model. If you're only worried about keeping out a casual neighbour freeriding on your network, then disabling SSID broadcast is probably enough. That step will prevent the default Windows/MacOS network dialogs from seeing your network. But if you want real security, where a slightly more determined attacker can't quickly sniff your SSID and then get on your network, then yeah you need encryption.
posted by Nelson at 8:10 PM on September 2, 2008


My network is open. No password, SSID broadcast on, and it is even named 'open'.

Just as Bruce Schneier's network.
posted by maremare at 9:47 PM on September 2, 2008 [1 favorite]


Bruce also knows how to lock down desktops, servers, implement RADIUS, create virtual networks, prioritize traffic, firewall ports, etc. Joe Wireless user doesn't, hence all the recommendations to use WPA and be done with it.
posted by damn dirty ape at 10:32 PM on September 2, 2008


It's not secure as such, but I've honestly never bothered with encryption on my home network. Unless you live in an apartment building or similar lots-of-people-in-a-small-space type lodgings where people are likely to access it unauthorized, I wouldn't worry about it. I can barely get a decent signal from 30-40 feet away from the router, much less from outside. If someone wants to expend the effort to sit outside in a car or something and leech my wireless with 10% signal strength, then let them. Besides, WEP and WPA can be easily cracked, and anyone who knows enough to scan for wireless networks knows this.
posted by DecemberBoy at 11:28 PM on September 2, 2008


DecemberBoy, as far as I know the only way to crack WPA in a feasible amount of time involves brute-forcing the pre-shared key using a dictionary search for passwords, and if your key is a large random number rather than the hash of some dictionary word and your SSID, that won't work. Do you know different? If so, do you have a reference I could read?
posted by flabdablet at 1:02 AM on September 3, 2008
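
The key derivation discussed in the comment above, as an added example that is not part of any poster's comment: a WPA/WPA2-Personal passphrase is turned into the 256-bit pre-shared key with PBKDF2-HMAC-SHA1 salted by the SSID, while a key drawn from the OS random source (the /dev/urandom approach mentioned earlier in the thread) is entered directly as 64 hex digits. The SSIDs and passphrase in the demo, and the helper names, are constructed for illustration.

```python
import hashlib
import math
import secrets

def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal key derivation:
    PSK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrases are 8 to 63 ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)

def random_hex_key() -> str:
    """256 random bits from the OS CSPRNG (the source behind /dev/urandom on
    Unix), as the 64 hex digits a router accepts in place of a passphrase."""
    return secrets.token_hex(32)

def random_passphrase(length: int = 24) -> str:
    """Random passphrase for devices that only accept a typed passphrase."""
    if not 8 <= length <= 63:
        raise ValueError("length must be 8 to 63")
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))

def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Upper bound on guessing work, in bits, for a uniformly random secret."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    # Constructed sample values: same passphrase, two SSIDs, two different PSKs.
    for ssid in ("linksys", "HomeNet-5F"):
        print(ssid, wpa_psk("sunshine1", ssid).hex())
    print("8 lowercase letters :", round(keyspace_bits(26, 8), 1), "bits")
    print("24 chars of a-z0-9  :", round(keyspace_bits(36, 24), 1), "bits")
    print("64 hex digits       :", keyspace_bits(16, 64), "bits")
    print("raw key to paste    :", random_hex_key())
```

A dictionary word as the passphrase sits far below even the 8-letter figure, because it is not chosen uniformly at random; the bit counts apply only to secrets produced by `random_hex_key` or `random_passphrase`.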


Yeah, the WPA crack involves sniffing the client authentication and dictionary attacking the hashed key, but it's probably effective for a large percentage of home routers. I'm not saying that no one should ever use encryption on their wireless LAN, just that I don't. If you don't live in a large apartment building where who knows how many people can pick up your signal, I wouldn't bother. Besides, if someone wants to leech my internet service, I don't really care, honestly. All the machines on my network are reasonably secure, non-Windows machines.
posted by DecemberBoy at 1:19 AM on September 3, 2008


the WPA crack involves sniffing the client authentication and dictionary attacking the hashed key, but it's probably effective for a large percentage of home routers

Worth a little emphasis in the Simple WLAN Security Rules, then.

WPA/WPA2 with strong password: sufficiently secure.
Anything else: not.
posted by flabdablet at 3:51 AM on September 3, 2008


>WPA can be easily cracked

Easily? No. Unless someone has an extremely weak passphrase, but that's true of just about everything in computer security. Even then it's leaps above WEP. WPA is actually a pretty good wireless protection scheme, with either TKIP or AES.
posted by damn dirty ape at 6:59 AM on September 3, 2008


Thanks everyone. I'm more concerned about neighbors freeriding, and my periodic checks indicate that no one other than my devices are connecting. So I'm not too worried, but good to know that the network isn't really "invisible" to anyone looking.

flabdablet, dda, thanks for the tips about using WPA/WPA2 on the Mac. I'll play around with it some more to see if I can get anywhere.
posted by DLWM at 3:23 PM on September 3, 2008

