On Monday 23 May 2011 16:36:00 Tim wrote:
> On Mon, 2011-05-23 at 13:58 +0100, Tim Smith wrote:
>> One problem lies in the fact that 802.11 does not specify a particular means of giving a NULL SSID so different APs do it in different ways. Some give a zero-length SSID. Some give an SSID of length 1 consisting of a zero octet (a C null-terminated empty string). Some use a single ASCII 32. Some use a number of spaces equal to the length of the real SSID. You will thus find all sorts of rubbish in your list of available APs when looking at it using a station. Some of the older ones may Go All Funny :-(
>>
>> However, the SSID WILL be present in a probe response to a probe request which contained it, so it's available to anyone with a sniffer. This has to be the case or no stations would ever be able to find it to associate, as you obviously know :-)
>
> In essence, when you *try* to hide your SSID, it doesn't stop broadcasting an SSID, it broadcasts a bogus one? Plus providing the real SSID details in other transmissions?

Yup.

> So, that would make it harder for you to connect to the ID you manually type into your client. Not to mention the fun and games of picking your random ID from the neighbour's random ID?

Not really. This is SSID, not BSSID (BSSID is usually the MAC of the AP). When you scan, you not only listen for beacons, but you (should) send probe requests. If you put an SSID into your probe request, you will get a response only from a BSS with a matching SSID, so you broadcast saying "network named 'MyHouseNetwork' please respond" at which point you get the response from the real BSS which has the real SSID in it and not the bogus one that went in the beacons.

This is not for security of the SSID, but because you also supply that SSID when you associate, so the AP may route you to different authentication systems depending on which "network" you're trying to connect to. It's sort of like having virtual IPs on one ethernet MAC. But only sort of.

> Though, whatever the specs say about what's supposed to be done, it's certainly been shown that various different things have a lot of trouble associating with the right access point, or any access point, when there's no SSID being sent.

Yup. There's a lot of broken kit out there :-) How your station chooses to store and query the scan information is a good source of bugs.
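The exchange described in the thread, as an added example that is not part of any message above: a small Python model that builds beacon and probe frame bodies, walks the information elements, recognises the placeholder SSID forms Tim Smith lists (zero-length, single NUL, single space, spaces padded to the real length), and shows that a directed probe request still gets the real SSID back. Element ID 0 for the SSID and the 12-byte fixed-parameter prefix of beacon/probe response bodies are from 802.11; the timestamp/interval/capability values, the network names and the "ignore wildcard probes" behaviour of the `HiddenAP` class are constructed assumptions for the demo, not a statement of what any particular AP does.

```python
"""Model of the 'hidden SSID' behaviour discussed in the thread: beacons carry
a placeholder SSID element, but a directed probe request gets a probe response
with the real SSID.  Added example, not code from the thread; frame contents
are constructed and the AP behaviour is a simplification of IEEE 802.11."""
import struct

ELEMENT_SSID = 0        # Element ID 0 is the SSID information element
MGMT_FIXED_LEN = 12     # beacon/probe response: timestamp(8) + interval(2) + capability(2)


def build_ies(ssid_field: bytes, extra=()) -> bytes:
    """Serialise an SSID element followed by any extra (element_id, payload) pairs."""
    out = bytes([ELEMENT_SSID, len(ssid_field)]) + ssid_field
    for eid, payload in extra:
        out += bytes([eid, len(payload)]) + payload
    return out


def build_beacon_like(ssid_field: bytes) -> bytes:
    """Beacon / probe response body: fixed parameters, then information elements.
    Timestamp, interval and capability values are constructed placeholders."""
    return struct.pack("<QHH", 0, 100, 0x0411) + build_ies(ssid_field)


def build_probe_request(ssid_field: bytes) -> bytes:
    """Probe request body has no fixed parameters; a zero-length SSID is the wildcard."""
    return build_ies(ssid_field)


def parse_ies(body: bytes, offset: int) -> dict:
    """Walk the TLV information elements starting at `offset`; first occurrence wins."""
    ies = {}
    i = offset
    while i + 2 <= len(body):
        eid, length = body[i], body[i + 1]
        payload = body[i + 2:i + 2 + length]
        if len(payload) != length:
            raise ValueError("truncated information element")
        ies.setdefault(eid, payload)
        i += 2 + length
    return ies


def classify_ssid(field: bytes) -> str:
    """Recognise the placeholder forms listed in the thread.  Heuristic: a network
    genuinely named with only spaces or NULs would also be reported as hidden."""
    if len(field) == 0:
        return "hidden:zero-length"
    if all(b == 0x00 for b in field):
        return "hidden:nul-bytes"      # single NUL, or NULs padded to the real length
    if all(b == 0x20 for b in field):
        return "hidden:spaces"         # single space, or spaces padded to the real length
    return "visible"


class HiddenAP:
    """An AP configured to hide its SSID.  `beacon_field` is what it puts in beacons."""

    def __init__(self, real_ssid: bytes, beacon_field: bytes):
        self.real_ssid = real_ssid
        self.beacon_field = beacon_field

    def beacon(self) -> bytes:
        return build_beacon_like(self.beacon_field)

    def probe_response(self, probe_request: bytes):
        """Answer only a probe request naming our SSID, and answer with the real one.
        Ignoring the wildcard (zero-length) probe is the hidden-AP behaviour assumed
        here for the demo, not a requirement of the standard."""
        requested = parse_ies(probe_request, 0).get(ELEMENT_SSID, b"")
        if requested != self.real_ssid:
            return None
        return build_beacon_like(self.real_ssid)


def station_scan(ap: HiddenAP, wanted_ssid: bytes) -> dict:
    """What a station learns: the beacon's placeholder, and the real SSID from a directed probe."""
    beacon_field = parse_ies(ap.beacon(), MGMT_FIXED_LEN)[ELEMENT_SSID]
    resp = ap.probe_response(build_probe_request(wanted_ssid))
    return {
        "beacon_ssid": beacon_field,
        "beacon_class": classify_ssid(beacon_field),
        "probe_response_ssid": None if resp is None else parse_ies(resp, MGMT_FIXED_LEN)[ELEMENT_SSID],
    }


if __name__ == "__main__":
    # Constructed sample: real name "MyHouseNetwork", beacons padded with spaces to its length
    ap = HiddenAP(b"MyHouseNetwork", b" " * len(b"MyHouseNetwork"))
    for probe in (b"MyHouseNetwork", b"", b"Neighbour"):
        print(probe, station_scan(ap, probe))
```

Running the demo shows the two halves of the point: the beacon's SSID element classifies as a placeholder, while the probe response to the directed request carries `MyHouseNetwork` in the clear for anyone sniffing, and the wildcard or wrong-name probes get nothing back. The `classify_ssid` heuristic is what a scanner would need to avoid listing the "rubbish" entries Tim Smith mentions; its caveat is that it cannot distinguish a deliberately hidden SSID from a network actually named with spaces.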