Broadband-Hamnet™ Forum :: Firmware
 Subject :Part 97 Compliant - Disable SSID Broadcast.. 2013-06-23- 19:21:16 
kr0siv
Member
Joined: 2013-01-26- 20:02:56
Posts: 8
Location

My current understanding of the latest firmware is that SSID "BROADCAST" cannot be disabled.

My assumption is that the idea behind this action is to ensure part 97 compliance via having your callsign as part of your ssid.

However, there is a major issue with this setup.

1) Phones/Laptops/etc Can see the nodes... (people will get curious and fiddle with them)

2) It is possible to connect a phone to one of these nodes and sniff the network for an ip address to access the nodes network

3) You CAN disable SSID broadcasting and stay part 97 Compliant.


Number 3 most people don't seem to know within the HSMM community. I am a wireless network security professional. (OSWP certified). When you have for example an access point with an SSID and disable the SSID Broadcast this does two things..


1) Standard computers/phones/devices will NOT see the network

2) Whenever the hardware is communicating IE:Meshed/linked the SSID is transmitted in the raw packet data....


In other words if you were looking at the raw data over the air (very easy to do under linux with a monitor mode capable wifi adapter) you can see the SSID of any access point (or HSMM node) that does not broadcast its SSID as long as the node is transmitting/communicating with another device.


I would strongly like to propose that an option to disable the broadcast function be added to the next firmware release, this will increase (security through obscurity) while continuing to be Part 97 compliant.


Windows computers and cellphones (and many other devices) will not look for a wireless device; they will just wait until they see a broadcast. With broadcasting turned off non-licensed individuals won't realize the network is there while the FCC/Licensed ham/and Technician could see the network if they so pleased, this simply hides the network from devices that shouldn't be attempting to connect anyway.


It in no way, shape, or form hinders the device's ability to function under part 97.

HOWEVER, that being said, if you do a site-survey you will NOT see any node that is not broadcasting, you would need to add a manual-entry option where you could enter the SSID of the device/node you are connecting to.. Most stock routers have these capabilities.

IP Logged
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-06-24- 17:12:43 
AD5OO
Admin
Joined: 2010-01-18- 23:05:42
Posts: 37
Location
Mesh nodes are not access points, and different principles apply. They operate in ad-hoc mode and the SSID must be broadcast, it's a requirement of the mode.
IP Logged
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-06-25- 13:57:22 
kr0siv
Member
Joined: 2013-01-26- 20:02:56
Posts: 8
Location

Even in ad-hoc it is possible to disable ssid broadcast. I need to take a look at the firmware but are you using OLSR? Regardless you can disable ssid broadcast in that "mode", there is nothing that would cause the node to fail without a broadcast. You would of course have to manually configure accepted nodes to talk to but that is part of creating a stable semi-secure network.


An amateur network should not be showing its face on commercial/retail devices.

IP Logged
Last Edited On: 2013-06-25- 13:57:48 By kr0siv for the Reason
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-06-25- 20:25:14 
Joined: 2024-11-28- 18:33:28
Posts: 0
Location

I echo what AD5OO said.  That is part of the requirement for an ad-hoc network.  You cannot hide the SSID.


Now on to what I noticed:

"My assumption is that the idea behind this action is to ensure part 97 compliance via having your callsign as part of your ssid."

Okay, let us assume your assumption is correct to ensure part 97 compliance.  First, Broadband-Hamnet/HSMM-MESH utilizes an ad-hoc network.  Part of how an ad-hoc network works is that each item that wants to join that particular network must have the same SSID.  If each individual user had their own callsign as part of the SSID, the nodes would not be able to connect.


"You would of course have to manually configure accepted nodes to talk to but that is part of creating a stable semi-secure network."

That is not how I understand how Broadband-Hamnet/HSMM-MESH works.  The goal here is to be as autonomous as possible with nodes joining and leaving the network as they wish and being self-configuring.

Assuming you could hide an ad-hoc network...What would you do if you self-dispatched in a disaster (bad idea...ICS100) to another city with a Broadband-Hamnet/HSMM-MESH network that you had to find and manually configure?  Would not you want something more automatic that is plug and play and spend less time in configuring something that otherwise works?


The firmware does use OLSR and inside the firmware there is also a script that will transmit the hostname of the node to remain Part 97 FCC Compliant.  So, hopefully you set up your node hostname with your callsign or else you are not Part 97 Compliant.

IP Logged
Last Edited On: 2013-06-25- 20:34:29 By for the Reason
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-06-26- 09:13:45 
kr0siv
Member
Joined: 2013-01-26- 20:02:56
Posts: 8
Location
Certainly my node is configured with my call as the hostname. My main concern here is that while yes you want the network to be as automated as possible at the same time you don't want people who are non-licensed poking in your network because their non-amateur devices can see them. The nature of the network you just explained says that (and I will go test this to be sure) anyone who knew the network was ad-hoc and knew the SSID could connect to the network with any commercial/retail device and do as they please with it. This is a major issue, especially if the node has internet access. The last thing you want is someone using it as their free porn connection because they think it's just a large public access point.
IP Logged
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-07-12- 18:21:20 
kd0nrc
Member
Joined: 2012-12-16- 01:27:52
Posts: 8
Location: Kansas City Metro Area

The FCC mandated callsign ID occurs with OLSR node name advertisements, not with ad-hoc beacon packets.

"Hiding" the SSID will absolutely break the ad-hoc network, which has an SSID of HSMM-MESH. These beacons advertise to other nearby nodes, and are part of how the thing works, including self-healing and mobile nodes joining new neighbors.

Hiding SSIDs is a bad idea anyway. It doesn't actually secure anything, and clients that connect to (and store for later) a hidden network will frequently send a beacon request. Is KD0NRC-HOME there? Is KD0NRC-OFFICE there? etc. This opens up the possibility for automated evil twin attacks using what's known as KARMA. Read up on Jasager and how it works. The stuff is evil. I gave a pretty interesting presentation to a security conference a few years ago, wherein I roped in dozens of unwitting network devices and captured many session cookies for websites, all because these people had one or more "hidden" SSIDs saved.

Finally: Addresses aren't handed out via DHCP. Address negotiation, routing information and all of that is handled by OLSR. Your average joe, or even your fairly-savvy, internet-addicted freak next door probably won't figure out how to route to other nodes by setting their card to ad-hoc mode on SSID HSMM-MESH. Even if they use a sniffer and find the addresses, it'll be tedious. The best way for someone to access HSMM unauthorized would require them to install and configure OLSR on a linux laptop.

Although HSMM basically relies on security through obscurity, the barrier to entry is reasonably high. I'll be frank with you: if someone is that knowledgeable, hiding the SSID isn't going to do you a darn bit of good anyway. They'll see 802.11 and be able to get the SSID from the ethernet frames with any sniffer and a decent monitor-mode WiFi card.

IP Logged
Last Edited On: 2013-07-12- 18:23:08 By kd0nrc for the Reason
Kansas City HSMM on G+
KC HSMM Working Group mailing list
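
The point argued in this thread, that a non-broadcast SSID still travels in the clear in other management frames, shown as an added example that is not part of any post here. The frames are constructed sample bytes (bare 802.11 management frames without radiotap header or FCS), and `build`, `ssid_from_mgmt_frame` and `exposed_ssids` are names made up for this illustration:

```python
import struct

# Management subtype -> (name, bytes of fixed fields before the tagged elements)
SUBTYPES = {4: ("probe-request", 0), 5: ("probe-response", 12), 8: ("beacon", 12)}

def ssid_from_mgmt_frame(frame: bytes):
    """Return (frame kind, SSID) for a bare 802.11 management frame
    (no radiotap header, no FCS). SSID is None when hidden or wildcard."""
    if len(frame) < 24:
        raise ValueError("shorter than an 802.11 management header")
    ftype, subtype = (frame[0] >> 2) & 0x3, (frame[0] >> 4) & 0xF
    if ftype != 0 or subtype not in SUBTYPES:
        raise ValueError("not a beacon or probe frame")
    kind, fixed = SUBTYPES[subtype]
    pos = 24 + fixed
    while pos + 2 <= len(frame):                 # walk the tagged elements
        eid, elen = frame[pos], frame[pos + 1]
        body = frame[pos + 2 : pos + 2 + elen]
        if len(body) < elen:
            raise ValueError("truncated information element")
        if eid == 0:                             # element ID 0 is the SSID
            hidden = elen == 0 or not any(body)  # empty or NUL-filled
            return kind, None if hidden else body.decode("utf-8", "replace")
        pos += 2 + elen
    return kind, None

def exposed_ssids(frames):
    """Map every SSID seen in the clear to the frame kinds that carried it."""
    seen = {}
    for frame in frames:
        kind, ssid = ssid_from_mgmt_frame(frame)
        if ssid is not None:
            seen.setdefault(ssid, set()).add(kind)
    return seen

def build(subtype, ssid, mac=b"\x02\x00\x00\x00\x00\x01"):
    """Construct a minimal sample frame (not a capture)."""
    hdr = struct.pack("<BBH6s6s6sH", subtype << 4, 0, 0, b"\xff" * 6, mac, mac, 0)
    rates = bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported-rates element
    return hdr + b"\x00" * SUBTYPES[subtype][1] + bytes([0, len(ssid)]) + ssid + rates

SAMPLE = [
    build(8, b""),                 # "hidden" beacon: zero-length SSID
    build(8, b"\x00" * 11),        # "hidden" beacon: NUL-padded SSID
    build(4, b"KD0NRC-HOME"),      # client asking for a saved hidden network
    build(5, b"KD0NRC-HOME"),      # the access point answering
    build(8, b"HSMM-MESH"),        # ordinary ad-hoc beacon
]
```

`exposed_ssids(SAMPLE)` lists the "hidden" name under the probe frames even though both of its beacons parse as hidden.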
 Subject :Re:Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-07-14- 05:54:55 
va3idl
Member
Joined: 2013-04-14- 07:22:02
Posts: 23
Location
[kr0siv 2013-06-25- 13:57:22]:
You would of course have to manually configure accepted nodes to talk to but that is part of creating a stable semi-secure network.

An amateur network should not be showing its face on commercial/retail devices.



I cannot say what kind of manual configuration is needed in that case, but the primary goal of HSMM-MESH unlike a herd of other projects is to create a plug-and-play solution to lower the entry level of computer knowledge required, so that more hams would be able to join the mesh. In that case extra configuration vs extra protection is definitely to be solved in favor of an easier solution.

Also is showing the amateur face on commercial devices really such a bad idea? I have seen a lot of people willing to impose technical protection against non-ham use, but look at the older tech - there is nothing to stop a non-licensed person from buying a VHF radio and start using your repeater. Nor buying an HF radio and start transmitting all over the world. There are legal ways to stop them, but not technical. And if the person needs this kind of communication so badly he might as well turn into a new ham, that's simple. Same here. If the person is not only tech savvy, but also a little bit smart, he will first google the name and come to this website. And no matter how you protect, he will flash his router and be a part of the mesh.

The only thing that is really so different between now and then is the Internet access through the mesh. But this is a grey area anyway, and a wise ham would not open the whole Internet to the mesh, but rather allow access to specific services like DX cluster, maybe QRZ.com, etc. Don't forget that any banners you carry are "radiocommunications in support of business activities", and if you give access to a news website, this is "commercially recorded material", so be wise. And if a script-kiddie is still interested in your network after all these limitations, you are probably looking at a future ham.


IP Logged
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-08-07- 12:14:27 
kf7ywp
Member
Joined: 2012-10-15- 09:08:03
Posts: 6
Location
Security through obscurity only works when the obscurity is obscure. Hiding the SSID in no way, shape, or form adds any form of security.
IP Logged
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2013-08-08- 11:27:46 
ae5ae
Member
Joined: 2010-10-27- 00:47:17
Posts: 144
Location: Van Alstyne, TX

FWIW, if it means anything... even if it were possible to disable the SSID broadcasts on the mesh (and keep the mesh working), each node has a short script that runs every 5 minutes that transmits a UDP broadcast with the node's hostname on port 4919.  See /usr/local/bin/fccid which is run by cron.

IP Logged
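
A way to audit the ID broadcasts described in the post above, added here as an example and not taken from the firmware or from any poster. It assumes the UDP payload is ASCII text containing the hostname, uses a generic callsign pattern, and runs over constructed observations; `audit_ids` and the `slack` parameter are hypothetical names:

```python
import re
from collections import defaultdict

ID_PORT = 4919        # UDP port named in the post above
ID_PERIOD = 5 * 60    # cron interval named in the post above, in seconds

# Assumption: generic callsign shape (1-2 letters, a digit, 1-3 letters)
CALLSIGN = re.compile(r"(?<![A-Z0-9])[A-Z]{1,2}\d[A-Z]{1,3}(?![A-Z0-9])")

def audit_ids(observations, now, slack=60):
    """observations: (unix_time, source_ip, payload_bytes) seen on UDP ID_PORT.
    Returns {source_ip: [findings]} for sources that need attention."""
    by_src = defaultdict(list)
    for ts, src, payload in observations:
        # Assumption: the payload is ASCII text containing the hostname
        by_src[src].append((ts, payload.decode("ascii", "replace").strip()))
    report = {}
    for src, rows in by_src.items():
        rows.sort()
        findings = []
        names = sorted({text for _, text in rows})
        if not any(CALLSIGN.search(name.upper()) for name in names):
            findings.append("no callsign in: " + ", ".join(names))
        # Largest silence between consecutive IDs, including up to 'now'
        times = [ts for ts, _ in rows] + [now]
        worst = max(later - earlier for earlier, later in zip(times, times[1:]))
        if worst > ID_PERIOD + slack:
            findings.append(f"ID gap of {worst}s")
        if findings:
            report[src] = findings
    return report

# Constructed observations (times in seconds), not captured traffic
SAMPLE = (
    [(t, "10.1.1.1", b"KD0NRC-HOME\n") for t in (0, 300, 600, 900)]
    + [(t, "10.2.2.2", b"linksys\n") for t in (0, 300, 600, 900)]
    + [(t, "10.3.3.3", b"AB9U-BASE\n") for t in (0, 300)]
)
```

With `now=1000`, the node with a default hostname is flagged for carrying no callsign and the node that went quiet after 300 s is flagged for its gap.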
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2016-11-12- 20:02:41 
AB9U
Member
Joined: 2012-03-06- 08:19:44
Posts: 39
Location: Cottonwood, AZ
 
Three years later from the last message here, I'm looking at a related but different solution to broadcasts. I would like to be able to disable the actual WIFI transmitter/receiver function, just like in commercial use boxes, to be able to use multiple nodes in a hard wired cluster using just DTD connections. Even lowering the power to 1dBm, removing the antennas and shielding the connections allows some leakage between nodes with the result of node doubling showing up in the Mesh Node list. I've poked around the firmware code on both Mesh nodes and DD-WRT flashed commercial nodes and have not yet found the exact switch that turns off wifi. I'll keep looking because I know it can be done, but I'm wondering if anyone "out there" has already done it. Again, it's the transmitter/receiver function I want to turn off, not SSID during regular use. Anyone do any work at this level of code and who could point out where I should look?
IP Logged
de Wil - AB9U
 Subject :Re:Part 97 Compliant - Disable SSID Broadcast.. 2016-11-25- 14:14:29 
AB9U
Member
Joined: 2012-03-06- 08:19:44
Posts: 39
Location: Cottonwood, AZ
 
I asked this question here a couple of weeks ago and heard nothing back from anyone, and so I investigated this issue myself in detail and came up with a procedure that works well. If anyone else is looking to use a WRT54GS node as, say, a Tunnel Client or Server, with DTD linking only, and no Wifi, then I have a solution. I'll be posting this detailed procedure soon on my Mesh web site at AB9U-BASE. If you need the details sooner feel free to email me or leave a message on my local Hamchat. 73 - Wil - AB9U
IP Logged
de Wil - AB9U