Aspirant

Curious WiFi workaround; why does it work?

Background:

  Router: Netgear R6400 used as an AP

  PC running Windows 10 build 1703

     PC Wireless Properties

      Connect even if the network is not broadcasting its name (SSID)

      WPA2-Personal, AES

 

When the Router “Security Options” is set to WPA2-PSK [AES] only and the SSID broadcast is off the PC will not connect and displays a Hidden-Network as the only available connection.  Manually entering the SSID and security code still fails to connect.  Turn on the SSID broadcast and the PC connects immediately (keeping in mind that the PC is set to connect even if SSID broadcast is off).

 

Here is the curious WiFi workaround:

Change the “Security Options” setting on the router from WPA2-PSK [AES] only to WPA-PSK [TKIP] + WPA2-PSK [AES] (with SSID broadcast still off), and the PC immediately connects and uses the WPA2 security protocol.

 

What is it that causes the PC to fail to connect unless the SSID broadcast is turned on when the router Security-Options is set to WPA2 only; but it will connect even when the SSID broadcast is turned off when the Security-Options is set to WPA + WPA2?

 

Message 1 of 12
Guru

Re: Curious WiFi workaround; why does it work?

That's a curious workaround.  FWIW, hiding the SSID only turns off Wi-Fi beacons sent by the router.  The SSID is embedded in all other types of Wi-Fi packets.  There are so many freely available Wi-Fi analyzers that can reveal the SSID from this traffic that hiding it is now anachronistic.  Hiding the SSID was never part of the Wi-Fi standard and can lead to problems.  It looks like you found a new one.

Message 2 of 12
Aspirant

Re: Curious WiFi workaround; why does it work?

Actually, each PC connection-block stores the SSID once connected; this is necessary for future connections to a router that doesn't broadcast its SSID.  Most analysers simply display the SSID that the PC stores, giving the appearance that it has actually detected the SSID in a packet.

 

I believe part of the problem is with the Windows 10 build 1703; on the Home version only the SSID connection is displayed when connected (SSID not broadcast); when a connection is made on the Windows 10 Pro version, both the SSID connection and the Hidden-network are shown (they refer to the same router).

 

 

Message 3 of 12
Guru

Re: Curious WiFi workaround; why does it work?

Actually, a Wi-Fi device must send a Probe Request with the SSID and the Access Point must respond with a Probe Response to confirm the SSID.  These packets can be sniffed by analyzers.

 

Uncovering Hidden SSIDs

Hidden Wi-Fi Network: How to know the name of a wireless network with no SSID

Message 4 of 12
Aspirant

Re: Curious WiFi workaround; why does it work?

I'm not talking about "determined hackers" here, but the average person; if the Router isn't publicly broadcasting its ID, the average user can't take advantage of it.  Of course it's no substitute for a good security-key, plus a MAC access list.

 

You appear to be knowledgeable on router broadcasts; what is broadcast differently between the Security Option being set to WPA2 only, versus WPA + WPA2, that allows the PC to connect without SSID broadcast?

 

Message 5 of 12
Guru

Re: Curious WiFi workaround; why does it work?


@xytsrm wrote:

I'm not talking about "determined hackers" here, but the average person; if the Router isn't publicly broadcasting its ID, the average user can't take advantage of it.  Of course it's no substitute for a good security-key, plus a MAC access list.

 

 

The average person is going to give up after a few tries of guessing the password.  No harm to your network, even if dozens of people try.  If they don't give up, then they're a "determined hacker" that probably also knows about hidden SSIDs.  The incremental benefit of "security by obscurity" is virtually zero.  A strong security key is all you need to protect your Wi-Fi network.

 

As a security measure, a MAC access list is no better than hiding the SSID.  It only comes into play after a device has been authenticated with the correct Wi-Fi password.  Once in, a knowledgeable person can defeat the access list by changing the MAC address on the device.  Want to block the average person from the Wi-Fi network?  Don't give them the password.  An access list is like a baby fence inside your house.

 

An access list can be useful for controlling access by children's devices but this is privilege management, not security.  It also comes at a cost.  Using a MAC access list disables hardware acceleration; if you have really high-speed Internet (i.e. Gigabit speed), then the router won't be able to keep up.  With Gigabit Internet becoming increasingly prevalent, this is becoming a consideration for many people.


You appear to be knowledgeable on router broadcasts; what is broadcast differently between the Security Option being set to WPA2 only, versus WPA + WPA2, that allows the PC to connect without SSID broadcast?

 

Apart from the router advertising support for both TKIP and AES when using WPA + WPA2, I don't know why this enables the PC to connect.  Since this is all tied to a hidden SSID, and using it in your case requires weaker encryption (WPA) that will make it easier for a determined hacker (the one you should be protecting against, not the average person) to get in, just unhide the SSID and not worry about it.

Message 6 of 12
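To make the two technical points raised so far concrete (hiding the SSID only blanks it in beacons, while probe responses and the MAC addresses in every frame header stay in the clear; and a router in WPA+WPA2 mode advertises both TKIP and AES/CCMP where WPA2-only advertises CCMP alone), here is an added example that decodes those fields of 802.11 management frames the way a Wi-Fi analyzer does. It is not code from this thread or from NETGEAR. Every frame, BSSID and client MAC in it is constructed in the script itself, and the mixed-mode frame uses a TKIP group cipher because that is the usual choice for that mode, not something the thread states.

```python
"""Decode 802.11 beacon / probe-response frames to show what an access point
puts on the air: the (possibly hidden) SSID, the unencrypted MAC addresses in
the frame header, and the cipher suites / key-management methods advertised in
the RSN (WPA2) and WPA information elements.
Added example, not from the thread; every frame below is constructed."""
import struct

SUBTYPES = {5: "probe-response", 8: "beacon"}
IE_SSID, IE_RSN, IE_VENDOR = 0, 48, 221
OUI_RSN = bytes.fromhex("000fac")   # IEEE 802.11i suite selectors (WPA2 / RSN)
OUI_WPA = bytes.fromhex("0050f2")   # vendor OUI used by the original WPA IE
CIPHERS = {1: "WEP-40", 2: "TKIP", 4: "CCMP", 5: "WEP-104"}   # CCMP is "AES" in router UIs
AKMS = {1: "802.1X", 2: "PSK"}


def _suite_list(body, off, table):
    """Read a little-endian count followed by that many 4-byte suite selectors."""
    (count,) = struct.unpack_from("<H", body, off)
    off += 2
    names = []
    for _ in range(count):
        sel = body[off:off + 4]
        names.append(table.get(sel[3], "unknown-" + sel.hex()))
        off += 4
    return names, off


def parse_security_ie(body):
    """RSN IE body and WPA IE body (after its 00-50-F2-01 header) share this
    layout: version, group cipher, pairwise cipher list, AKM list."""
    (version,) = struct.unpack_from("<H", body, 0)
    group = CIPHERS.get(body[5], "unknown-" + body[2:6].hex())
    pairwise, off = _suite_list(body, 6, CIPHERS)
    akms, _ = _suite_list(body, off, AKMS)
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akms}


def parse_ies(data):
    """Split the tagged-parameter area into (id, value) pairs; stop at a truncated element."""
    ies, off = [], 0
    while off + 2 <= len(data):
        eid, length = data[off], data[off + 1]
        if off + 2 + length > len(data):
            break
        ies.append((eid, data[off + 2:off + 2 + length]))
        off += 2 + length
    return ies


def parse_mgmt_frame(frame):
    """Return the fields a Wi-Fi analyzer shows for a beacon or probe response."""
    (fc,) = struct.unpack_from("<H", frame, 0)
    ftype, subtype = (fc >> 2) & 0x3, (fc >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon/probe-response management frame")

    def addr(i):   # addresses sit in the clear in the 24-byte MAC header
        return ":".join("%02x" % b for b in frame[4 + 6 * i:10 + 6 * i])

    info = {"subtype": SUBTYPES[subtype], "dst": addr(0), "src": addr(1), "bssid": addr(2),
            "ssid": None, "hidden": False, "rsn": None, "wpa": None}
    body = frame[24 + 12:]   # skip header, then timestamp / beacon interval / capability
    for eid, value in parse_ies(body):
        if eid == IE_SSID:
            # A hidden network sends an empty SSID or one padded with NULs of the
            # real length; a probe response to a client carries the real name.
            if len(value) == 0 or value == b"\x00" * len(value):
                info["hidden"] = True
            else:
                info["ssid"] = value.decode("utf-8", "replace")
        elif eid == IE_RSN:
            info["rsn"] = parse_security_ie(value)
        elif eid == IE_VENDOR and value[:4] == OUI_WPA + b"\x01":
            info["wpa"] = parse_security_ie(value[4:])
    return info


def advertised_pairwise(info):
    """Union of the pairwise ciphers offered across the RSN and WPA elements."""
    offered = set()
    for key in ("rsn", "wpa"):
        if info[key]:
            offered.update(info[key]["pairwise"])
    return offered


# --- constructed sample frames; no real device or capture behind these values ---
def _ie(eid, value):
    return bytes([eid, len(value)]) + value


def _security_body(oui, group, pairwise, akms):
    body = struct.pack("<H", 1) + oui + bytes([group])
    body += struct.pack("<H", len(pairwise)) + b"".join(oui + bytes([c]) for c in pairwise)
    body += struct.pack("<H", len(akms)) + b"".join(oui + bytes([a]) for a in akms)
    return body


def build_frame(subtype, bssid, dst, ssid, security_ies):
    header = struct.pack("<H", subtype << 4) + b"\x00\x00" + dst + bssid + bssid + b"\x00\x00"
    fixed = struct.pack("<QHH", 0, 100, 0x0411)   # timestamp, interval, capability (ESS+privacy)
    return header + fixed + _ie(IE_SSID, ssid) + security_ies


AP_BSSID = bytes.fromhex("021122334455")   # constructed, locally administered address
CLIENT = bytes.fromhex("02aabbccddee")     # constructed client MAC
BROADCAST = b"\xff" * 6
RSN_WPA2_ONLY = _ie(IE_RSN, _security_body(OUI_RSN, 4, [4], [2]))         # CCMP only, PSK
RSN_MIXED = _ie(IE_RSN, _security_body(OUI_RSN, 2, [4, 2], [2]))          # TKIP group, CCMP+TKIP
WPA_MIXED = _ie(IE_VENDOR, OUI_WPA + b"\x01" + _security_body(OUI_WPA, 2, [2, 4], [2]))

HIDDEN_BEACON_WPA2 = build_frame(8, AP_BSSID, BROADCAST, b"", RSN_WPA2_ONLY)
PROBE_RESPONSE_WPA2 = build_frame(5, AP_BSSID, CLIENT, b"HomeNet", RSN_WPA2_ONLY)
HIDDEN_BEACON_MIXED = build_frame(8, AP_BSSID, BROADCAST, b"\x00" * 7, RSN_MIXED + WPA_MIXED)

if __name__ == "__main__":
    for frame in (HIDDEN_BEACON_WPA2, PROBE_RESPONSE_WPA2, HIDDEN_BEACON_MIXED):
        info = parse_mgmt_frame(frame)
        print(info["subtype"], info["bssid"], "hidden" if info["hidden"] else info["ssid"],
              sorted(advertised_pairwise(info)))
```

Run as a script it prints one line per frame: the hidden beacon shows no name but still exposes the BSSID and a CCMP-only RSN element, the probe response to the constructed client carries "HomeNet", and the mixed-mode beacon advertises both CCMP and TKIP. The same parser can be pointed at real management frames exported from a capture tool, which is how the analyzers mentioned above recover the name of a non-broadcasting network.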
Aspirant

Re: Curious WiFi workaround; why does it work?

As a security measure, a MAC access list is no better than hiding the SSID.  It only comes into play after a device has been authenticated with the correct Wi-Fi password.  Once in, a knowledgeable person can defeat the access list by changing the MAC address on the device.  Want to block the average person from the Wi-Fi network?  Don't give them the password.  An access list is like a baby fence inside your house.

While a determined-user may be able to breach the SSID and security code, the router will still block access to the network unless his device displays a valid MAC address.  Without access to the network, specifically the router, the determined-user would not be able to know which MAC codes were valid.

 

 in your case requires weaker encryption (WPA) that will make it easier for a determined hacker 

You are making a flawed assumption that my devices are connecting via WPA.  If you refer to my original post I stated that all connections are WPA2, as setup in the respective devices.

 

I don't know why this enables the PC to connect.

Given that this was my original question and you don't have the answer makes this discussion interesting, but academic.  Thanks anyway.

Message 7 of 12
Guru

Re: Curious WiFi workaround; why does it work?


@xytsrm wrote:
As a security measure, a MAC access list is no better than hiding the SSID.  It only comes into play after a device has been authenticated with the correct Wi-Fi password.  Once in, a knowledgeable person can defeat the access list by changing the MAC address on the device.  Want to block the average person from the Wi-Fi network?  Don't give them the password.  An access list is like a baby fence inside your house.

While a determined-user may be able to breach the SSID and security code, the router will still block access to the network unless his device displays a valid MAC address.  Without access to the network, specifically the router, the determined-user would not be able to know which MAC codes were valid.

Not so.  MAC addresses are unencrypted.  You don't need access to the network in order to see the MAC addresses of all active devices on that network.


 in your case requires weaker encryption (WPA) that will make it easier for a determined hacker 

You are making a flawed assumption that my devices are connecting via WPA.  If you refer to my original post I stated that all connections are WPA2, as setup in the respective devices.


Fair enough, but there may be MITM (Man In The Middle) attacks where a hacker can force/trick a client into dropping down to WPA.  These sorts of fallback attacks have been employed against SSL.


I don't know why this enables the PC to connect.

Given that this was my original question and you don't have the answer makes this discussion interesting, but academic.  Thanks anyway.


I mean this sincerely, but your question is moot if you stop hiding your SSID.  You're welcome.
 

Message 8 of 12
Aspirant

Re: Curious WiFi workaround; why does it work?

It's very clear that, although you claim to be a "Superuser", you do not understand how the MAC access list in a router works.  Again, without a device displaying an authorized MAC recorded in a list in the Router (which is itself protected by a different password), no device can get access to the network, even if I gave the determined-user the SSID and network security code.

 

It's beginning to become clear that you are nothing more than a TROLL, with nothing better to do - GET A LIFE!

 

BTW: I will continue to hide the SSID.

 

Oh yes, I will not waste my time responding to further posts from persons who don't have the answers - HAVE A NICE DAY.

Message 9 of 12
Guru

Re: Curious WiFi workaround; why does it work?

I'm not trolling you in any way.  Only trying to help.  I'll conclude with the following two articles, then leave you alone.  In the end, it's your network.

 

Why You Shouldn’t Use MAC Address Filtering On Your Wi-Fi Router

 

The XY Problem

Message 10 of 12
Aspirant

Re: Curious WiFi workaround; why does it work?

The bottom-line of the article "Why You Shouldn't Use MAC Address Filtering On Your WiFi Router" is that it only provides minimal protection, but doesn't hurt.

 

If you really want to use MAC address filtering to define a list of devices and their MAC addresses and administer the list of devices that are allowed on your network, feel free.

The article appears to contradict itself: It says a determined-user can use Wireshark to determine a valid MAC and then reconnect in place of your device; this implies that this will bypass the WPA2 security code, which would be a serious reason to never use MAC address filtering.  But then at the end it says (as quoted above) "If you really want to use MAC address filtering .... feel free."

 

Given that, as the article states, the MAC is used in all packets, simply detecting the MAC and then reconnecting must be insufficient without knowing the WPA2 security code, or any hacker would be able to bypass WPA2 by simply detecting the MAC, regardless of whether MAC filtering is used - Do you agree?

 

I apologize for referring to you as a Troll, but at least on the surface your obsession about MAC filtering, and hiding the SSID, which appears to do no harm, seemed suspicious.



Message 11 of 12
Guru

Re: Curious WiFi workaround; why does it work?

I can see why you think there's a contradiction.  There isn't.  The article wasn't clear about the following point.   A determined user can easily get past MAC address filtering when there is no WPA/WPA2 security code protecting the network.  On its own, filtering is completely ineffective at providing security.  It's as terrible as securing a network with WEP, which is trivial to crack.  Don't get me wrong, I believe in the concept of defense-in-depth, which advocates to use layers of security, but the layers have to be effective.  But filtering is a mere speed bump compared to the wall provided by WPA2.

 

You might be surprised to know that many people don't use a Wi-Fi password, believing that MAC address filtering along with SSID hiding is enough.  I've even seen people use the excuse that a Wi-Fi password is too much trouble to use.  Fortunately, you are not one of those people.

 

Thanks for giving me a second chance.  I can see why I came across as dissembling.  I should have addressed your original question in my initial response.  But when you brought up MAC address filtering as a tool for providing security, I simply had to point out what you now, hopefully, understand.  As to the question of harm, the fact that you have to switch to WPA+WPA2 instead of WPA2 can be considered harmful.

 

There's one thing I forgot to suggest.  Windows may be storing some details about the Wi-Fi network that applied to your old router.  You can see these details by executing the following in a Command Prompt.  

netsh wlan show profiles

Try forgetting the network on Windows.  This will erase the profile.  Set the router to WPA2 only then rejoin the network.

 

I hope this helps.

 

 

Message 12 of 12
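The netsh suggestion above lists the stored profiles; `netsh wlan show profile name="<ssid>"` then prints one profile's details, including the authentication method and cipher Windows will use and whether it will join a network that is not broadcasting. The following added example (not code from this thread or from NETGEAR) parses such a dump and reports where the stored settings cannot match what the router offers, which is the kind of leftover-profile mismatch the post is suggesting you rule out. The dump is constructed to resemble netsh output rather than captured from a machine, and its WPA-Personal/TKIP values are hypothetical, chosen to show what a profile written for an older router would look like; the poster's own profile was WPA2-Personal/AES.

```python
"""Read the profile Windows keeps for a Wi-Fi network, as printed by
`netsh wlan show profile name="<ssid>"`, and compare the stored security
settings with what the access point offers.  Added example, not from the
thread; the dump below is constructed to resemble netsh output."""
import re

# Constructed sample: a profile written for an older router that used
# WPA-Personal/TKIP.  It is deliberately stale so the checks below have
# something to find; the layout mirrors netsh's "Key : Value" lines.
SAMPLE_PROFILE = """\
Profile HomeNet on interface Wi-Fi:
=======================================================================

Applied: All User Profile

Profile information
-------------------
    Version                : 1
    Type                   : Wireless LAN
    Name                   : HomeNet
    Control options        :
        Connection mode    : Connect automatically
        Network broadcast  : Connect even if this network is not broadcasting
        AutoSwitch         : Do not switch to other networks

Connectivity settings
---------------------
    Number of SSIDs        : 1
    SSID name              : "HomeNet"
    Network type           : Infrastructure

Security settings
-----------------
    Authentication         : WPA-Personal
    Cipher                 : TKIP
    Security key           : Present
"""

KEY_VALUE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z ]*?)\s*:\s*(?P<val>.*?)\s*$")


def parse_profile(text):
    """Collect 'Key : Value' lines into {key: [values]}.  Repeated keys
    (Windows lists Authentication/Cipher once per supported mode) accumulate
    instead of overwriting each other; keys with no value are skipped."""
    profile = {}
    for line in text.splitlines():
        m = KEY_VALUE.match(line)
        if m and m.group("val"):
            profile.setdefault(m.group("key"), []).append(m.group("val"))
    return profile


def stored_security(profile):
    """Pair each Authentication entry with the Cipher entry that follows it."""
    return list(zip(profile.get("Authentication", []), profile.get("Cipher", [])))


def check_profile(profile, ap_hidden, ap_rsn_pairwise, ap_wpa_pairwise):
    """Return findings that would stop this profile from joining the AP.
    ap_rsn_pairwise / ap_wpa_pairwise are the pairwise ciphers the AP offers
    under WPA2 and under WPA respectively (empty set = mode not offered)."""
    findings = []
    broadcast = " ".join(profile.get("Network broadcast", []))
    if ap_hidden and "even if" not in broadcast:
        findings.append("AP hides its SSID but the profile only joins broadcasting networks")
    for auth, cipher in stored_security(profile):
        offered = ap_rsn_pairwise if auth.startswith("WPA2") else ap_wpa_pairwise
        if cipher not in offered:
            findings.append("profile stores %s/%s but the AP offers %s for that mode"
                            % (auth, cipher, sorted(offered) or "nothing"))
    return findings


if __name__ == "__main__":
    prof = parse_profile(SAMPLE_PROFILE)
    print("stored:", stored_security(prof))
    print("router WPA2-only:", check_profile(prof, True, {"CCMP"}, set()))
    print("router WPA+WPA2 :", check_profile(prof, True, {"CCMP", "TKIP"}, {"TKIP", "CCMP"}))
```

With the stale sample, the WPA2-only router produces a finding (the profile wants WPA/TKIP and the router offers no WPA mode at all) while the WPA+WPA2 router produces none, which is the pattern the thread describes. A profile that genuinely stores WPA2-Personal/CCMP passes both checks, so if a real dump looks like that, forgetting the network and rejoining is still worth trying but the stored profile is not the explanation.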