On hidden WiFi networks

Disabling SSID broadcast is not a security measure and may hurt your privacy. For opting out of location services, refer to n/nomap.

Automaattinen sisällysluettelo / Automatically generated Table of Contents

The issue with hidden networks
Connecting to a hidden network
Seeing hidden networks
- Returning to normalcy
- TODO
QR codes for hidden SSIDs

The issue with hidden networks

When you hide your WiFi network, your access point (AP) will still announce its existence with the MAC (Media Access Control) address without name. Some location services, such as WiGLE will still records its existence (n/nomap) and as the Service Set IDentifier (SSID) is required for connecting, your devices will shout around everywhere asking for it, so scanning around will make you identifiable and possibly trackable as not many people are likely to be broadcasting the same set of SSIDs.

I have said it before, but I am a fan of openwireless.org and wonder if making that SSID hidden to not reveal myself so obviously on WiGLE (as hidden SSIDs are more common) would work for promoting it and those with the ability to see it, would be more likely to be interested in opening their network as opposed to people not seeing it.

Connecting to a hidden network

Please remember to replace wlan0 with your actual interface name if applicable.

SailfishOS displays the MAC addresses and I understand Windows to display “hidden network” or something similar as well. Android and iOS require entering the name through manual adding and warn about hidden networks, on Linux at least NetworkManager has a button “connect to hidden network”.

iwd provides commands iwctl station wlan0 get-hidden-access-points and iwctl station wlan0 connect-hidden, although they may require iwctl station wlan0 scan at first. In /var/lib/iwd/<ssid>.<type> there would be

[Settings]
Hidden = true

Seeing hidden networks

Many platforms have apps for this, however Android prevents getting the hidden SSID, so I am focusing on Linux. The required Fedora package is aircrack-ng.

Switch to monitoring mode through airmon-ng start wlan0
If there are warnings about interfering services, stop them or airmon-ng check kill. This will likely disconnect your network connectivity, unless you have multiple NICs.
airodump-ng wlan0
Wait patiently as ESSID <length: 0> gets replaced with the actual SSID once devices connect. On the bottom you will see devices asking for specific SSID.

This could be sped up by exploiting WiFi vulnerabilities, but that would no longer be in the white hat territory and thus I don’t concern myself with it.

Returning to normalcy

Exit airodump-ng by CTRL - C as usual.
Exit monitoring mode through airmon-ng stop wlan0phy
Restart your network management (the airmon-ng start wlan0 and airmon-ng check-kill probably gave you a hint), for me it’s systemctl restart iwd NetworkManager, while wpa_supplicant would be more common.

TODO

I should investigate and write about these:

man airodump-ng may have nice flags as currently nothing is stored.
- Security people should have some data to compare to on what is normal in the network environment and when changes happen. Then again with less data stored, there is less chance of doing something illegal by accident, while I think the passive listening this page focuses on is the same as VHF scan all button.
I think kismet does the same as airodump-ng, while it may be more focused on wardriving.

QR codes for hidden SSIDs

zxing and Wikipedia agree on WIFI:T:WPA;S:mynetwork;P:mypass;; so my wondering would be: WIFI:T:nopass;S:openwireless.org;;H:true; where only P:mypass got omitted.

# The capital H is the highest error correction, others are LMQ
% qrencode -l H -t utf8 "WIFI:T:nopass;S:openwireless.org;;H:true;"
█████████████████████████████████████
█████████████████████████████████████
████ ▄▄▄▄▄ █▀ █▀▀▀▀  ▀▄▄▀█ ▄▄▄▄▄ ████
████ █   █ █▀ ▄ █▀▄▀▄█▄▄ █ █   █ ████
████ █▄▄▄█ █▀█ █▄▀▀█▀▀█▀██ █▄▄▄█ ████
████▄▄▄▄▄▄▄█▄█▄█ █ █▄▀ ▀ █▄▄▄▄▄▄▄████
████   ▄ █▄ ▄ ▄█▄█  ██▀▀ ▄▀▄▀ █▄▀████
█████  █▄▀▄▄  ▀ ▄▄▄▀▀▄▀▀ ▄▀ ▀▀▄█ ████
████ ▀▄█▄█▄▄█▄▀▄▀█ ▄▄██▀▀▄ ▄▀▀   ████
████▄▄█▀ ▀▄ ▀ ▄█▀ ▀█▄▄█ ▀██ ▀▀███████
████▀   ▀▀▄▄ █ █▄▄▀▄▄▄▄█ ▄▀▄ ██▀▀████
████ █▄█ ▄▄█▄▀█ ▄███▄▄█▀▀▄▀▀▀█▄▄▀████
████▄█▄██▄▄█ ▄▄▄▀▀█▄ ▄▄█ ▄▄▄ ▀▄▄▄████
████ ▄▄▄▄▄ █▄▀▄█▀ ▄▄▀  █ █▄█ ▀ █ ████
████ █   █ █ ███▄█▄▄█▄▀▀   ▄ ▀▄ █████
████ █▄▄▄█ █ ▄  ▄█▀▄  ▀ ▀▄▄▀▄▀  ▀████
████▄▄▄▄▄▄▄█▄▄▄▄███▄▄▄█▄▄▄▄▄▄▄▄▄█████
█████████████████████████████████████
█████████████████████████████████████

While the above looks messy in my jekyll serve -l, Binary Eye detected it regardless.

Return to note index?

Dear reader, you may be missing a content blocker! 🙀 Please consider installing one to protect yourself, and your close ones, from manipulation and targeted malvertising! Personally I love both Privacy Badger and uBlock Origin (with EFF DNT Policy Allowlist) together, while AdNauseam alone would be more direct protest tool to oppose how the internet is nowadays. Android users may be better served by Rethink while for iOS there is AdGuard. Learn more about targeted advertising! PS. I am sorry if you are already protected and this silly EasyList targeting(?) script doesn't detect that, thank you for taking the steps towards a safer internet! 💜