Wireless Security
SSID cloaking reducing WLAN security Mar 05 2007 10:50PM Joshua Wright (jwright hasborg com) (2 replies)
Re: SSID cloaking reducing WLAN security Mar 06 2007 01:03PM Cedric Blancher (blancher cartel-securite fr) (1 replies)
posted this on, which seems to have a lack of activity.
1) Correct me if I'm wrong here, but isn't the SSID, when not cloaked,
picked up anyways?
What's to stop an exploit from picking up the SSID's around it,
including the one you're currently connected to, and using that, or
cycling through them, to see if any local AP's will auto-connect?
Cloaking the SSID keeps your Average Joe Bob from picking up your
network and even knowing it exists, to poke around any open shared
folders or any sensitive information that's potentially open, which is
a lot in a domestic situation, and still -something- in a corporate
environment.
2) Does a wireless router encrypt, or otherwise have any standing
security layer that it turns off when it's cloaked? IIRC, it doesn't
do anything different when it broadcasts itself.
I'm fairly new to the network security scene, only being a SysAdmin In
Training, but I don't think it does, like somehow broadcast the SSID
in a 'secure' fashion when it's not cloaked.
3) Unless you're referring to hijacks when the AP isn't actively
connected to anything - it's away from its base station, or
workplace.
If you've got your wifi up and it's trying to pick up a preferred
cloaked SSID, and aren't at it, and broadcasts the SSID, then some
ad-hoc wifi virus can pick up on that and use that. But again, what's
to stop said ad-hoc wifi virus from doing it with a non-cloaked SSID?
In fact, wouldn't a non-cloaked SSID be -easier- to pick up and try to
use this in?
Even so, this can be countered by two basic security practices- turn
off your AP, eject the card, whatnot, when you're not connected to
something, or away from a connection point, and also not turning on
any auto-connects. Just try to connect to said cloaked network when
you're in range of it.
4) An alternate reading that can be derived from this article is that
some companies are using cloaked SSIDs as their ONLY authentication
mechanism, and they're at risk from anyone higher than Random Joe Bob
who can operate a wifi sniffer.
... which, on the companies' part, is dumb.
On 3/5/07, Joshua Wright <jwright (at) hasborg (dot) com> wrote:
> While many networks use SSID cloaking as a mechanism to improve the
> security of the network, I believe it actually reduces the security of
> the network substantially.
>
> I wrote an article for Network World that was posted today about this issue:
>
> http://www.networkworld.com/columnists/2007/030507-wireless-security.html
>
> The most significant issue is that with the recent Windows XP SP2 hotfix
> KB917021, the preferred network list for WZC allows users to specify
> "Connect even if this network is not broadcasting". When this option is
> selected (not the default), stations will look for the network with
> directed probe requests (disclosing the SSID's in the PNL, and exposing
> the station to KARMA and Hotspotter attacks).
>
> When the option is not on, the station will only connect when it
> observes the SSID in beacons and from responses following a broadcast
> probe request frame. Of course, if the SSID is cloaked, the station
> will be unable to connect, forcing them to use the "Connect even if ..."
> option, and exposing them to KARMA attacks.
>
> This hotfix has not yet been distributed as part of the automatic update
> service from Microsoft. Several other facets of WZC have changed with
> this update, including how ad-hoc networks are started to mitigate the
> spread of the "Free Public WiFi" phenomenon. If you are responsible for
> Windows XP wireless stations, and you haven't read up on this hotfix
> yet, take a few minutes to do so: http://support.microsoft.com/kb/917021.
>
> On an unrelated note, dragorn and I will be presenting at Shmoocon this
> year about LORCON, our framework for experimentation in wireless
> networks. If anyone is going to be at Shmoocon and wants to grab a
> drink or something, drop me a note.
>
> - -Josh
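The directed probe requests discussed in this thread can be audited passively. The following is an added example, not part of either post: it parses raw 802.11 management frames (assumed to have no radiotap header) and reports which stations disclose preferred-network SSIDs in directed probes. All function names and the sample frames are constructed for illustration.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24      # frame control(2) + duration(2) + 3 addresses(18) + seq(2)
PROBE_REQ_FC0 = 0x40   # version 0, type 0 (management), subtype 4 (probe request)
SSID_TAG = 0           # information element ID carrying the SSID

def parse_probe_request(frame: bytes):
    """Return (station_mac, ssid) for a probe request, else None.
    An empty ssid means a broadcast (wildcard) probe."""
    if len(frame) < MGMT_HDR_LEN or frame[0] != PROBE_REQ_FC0:
        return None
    sa = ":".join(f"{b:02x}" for b in frame[10:16])   # addr2 = transmitter
    pos = MGMT_HDR_LEN
    while pos + 2 <= len(frame):
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2 : pos + 2 + length]
        if len(value) < length:
            return None                               # truncated element
        if tag == SSID_TAG:
            return sa, value.decode("utf-8", errors="replace")
        pos += 2 + length
    return None

def disclosed_pnl(frames):
    """Map each station to the SSIDs it named in directed probe requests."""
    leaks = defaultdict(set)
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed and parsed[1]:                      # skip wildcard probes
            leaks[parsed[0]].add(parsed[1])
    return {mac: sorted(ssids) for mac, ssids in leaks.items()}

def _frame(fc0, sa, ssid):
    """Build a constructed test frame: header, SSID element, rates element."""
    hdr = (bytes([fc0, 0]) + b"\x00\x00" + b"\xff" * 6
           + bytes.fromhex(sa.replace(":", "")) + b"\xff" * 6 + b"\x00\x00")
    return hdr + bytes([SSID_TAG, len(ssid)]) + ssid + b"\x01\x04\x02\x04\x0b\x16"

# Constructed sample capture: one station probing for cloaked networks,
# one station sending only wildcard probes, and one non-probe frame.
SAMPLE_FRAMES = [
    _frame(0x40, "00:11:22:33:44:55", b"CorpHidden"),
    _frame(0x40, "00:11:22:33:44:55", b"HomeNet"),
    _frame(0x40, "00:11:22:33:44:55", b""),
    _frame(0x40, "aa:bb:cc:dd:ee:ff", b""),
    _frame(0x80, "de:ad:be:ef:00:01", b"SomeAP"),     # beacon subtype, ignored
]

if __name__ == "__main__":
    for mac, ssids in disclosed_pnl(SAMPLE_FRAMES).items():
        print(mac, "discloses:", ", ".join(ssids))
```

Stations that appear in the output are the ones configured to look for non-broadcasting networks; stations that only send wildcard probes do not appear.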