Issues with SSID cloaking

Q: Are there any pitfalls to using SSID cloaking? Many organisations use SSID cloaking as a mechanism to add a layer of security to the WLAN. This technique requires that all users have knowledge of the SSID to connect to the wireless network. While this is commonly viewed as a mechanism to improve the security of the WLAN and is a recommended best-practice by the PCI Data Security Standard (PDF), it can reduce the effective security of the WLAN.

False sense of security

Early wireless network deployments relied on SSID cloaking as a mechanism to prevent unauthorised users from accessing the wireless network. Even though this was never intended to be used as an authentication mechanism, some organisations have adopted cryptic SSIDs that are distributed as shared secrets. Tools such as ESSID-Jack and Kismet observe and report the SSID from legitimate stations, allowing attackers to deduce the SSID and easily bypass the intended security mechanism.

Confused users

When the network SSID is cloaked, users will be unable to consult the list of available wireless networks for the WLAN. This could prompt users to select and log onto other networks, thereby exposing vulnerable clients. This can even be construed as computer trespass in some US states.

Exposure to AP impersonation attacks

Attack tools such as KARMA take advantage of the WLAN probing techniques used by wireless clients. When a station probes for a WLAN in their preferred network list (PNL), the station discloses the SSID to a listening attacker. The KARMA attack uses the disclosed SSID to impersonate a legitimate WLAN, luring the station to the attacker.
With the Windows XP SP2 wireless client update hotfix described in Microsoft's KB917021, Windows workstations change the behaviour of how they probe for wireless networks. Users and administrators can now mark an entry in the PNL as "nonbroadcast". When the "Connect even if this network is not broadcasting" option is not selected, the station will not disclose the SSID information when probing for a network, mitigating the KARMA attack. In order for the station to identify the availability of the network however, the AP must have the SSID cloaking feature disabled. If the AP does cloak the SSID, the station must revert to the active network probing mechanism, making SSID cloaking the less-secure option.
Though SSID cloaking might seem like an attractive mechanism to aid the security of the WLAN, it effectively reduces security significantly more than it could potentially gain, exposing enterprise WLANs.
Joshua Wright is the senior security researcher for Aruba Networks, and an editorial board member of the Wireless Vulnerabilities and Exploits (WVE)project. This article appeared in Network World.