Apple - IOS 10 warning: Using a hidden network can expose personally identifiable information

Clients that connect to known networks automatically will advertise “hidden” SSIDs in all of their probe requests. This results in your device broadcasting those SSIDs everywhere you go, to anyone who’s listening.

This behavior is dependent on the client’s operating system. For instance, you can configure Windows 7 and later to not connect to hidden networks automatically (only “visible” ones). That prevents such broadcasts from happening, but then you have to connect to hidden networks manually every time.

On the other hand, iOS and macOS always connect to known networks, hidden or not. The fact that iOS 10 warns about this would indicate that Apple has no plans to add the kind of toggle switch that Microsoft added in Windows 7, or to force the user to connect manually. Therefore, iOS and macOS constantly broadcast all the hidden SSIDs they are capable of connecting to.

Microsoft explains this behavior on TechNet:

A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.

Therefore, using non-broadcast networks compromises the privacy of the wireless network configuration of a Windows XP or Windows Server 2003-based wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks.

Now as to why this is a privacy issue:

  1. Should I point out the irony of broadcasting an SSID in the direct vicinity of the access point trying to hide it? Except instead of only having the AP broadcasting it, every client in range does. Then the AP responds to each of those clients with the SSID anyway.
  2. Instead of limiting SSIDs to the vicinity of their respective APs (like in the case of visible networks), your phone goes and broadcasts those hidden SSIDs to everyone near you, everywhere you go. Worse, SSIDs may include first and/or last names, which I’ve seen people use in network names.
  3. Your set of preferred hidden SSIDs acts as a signature that may uniquely identify you. Let’s say for instance that my neighbor uses the hidden SSID My Secret SSID. Now if I sniff a broadcast beacon containing My Secret SSID at Starbucks, I can infer that a member of his household is nearby, or one of his guests. Based on the other hidden SSIDs among that person’s broadcast beacons, I may be able to determine exactly who I’m dealing with. Conversely, I could walk up to that person, recognize them, then assign a face to their unique set of hidden SSIDs.
  4. Let’s say you carry your phone with you everywhere you go. Someone with a large-enough network of radio receivers could know where you are at any given time, figure out where you work, where you spend your time, whether you’re home, etc.

1 and 2 show how trying to hide an SSID makes the privacy of its network much worse. 3 and 4 show how that extends to your personal privacy as well.

Sound far-fetched? Criminals/advertisers/jealous exes/the government have done worse things. In fact, MAC addresses were once used to track shoppers’ movements through malls. Apple subsequently randomized MAC addresses in probe requests.

Thankfully, no one I know has used a hidden SSID in well over a decade, and I haven’t seen that practice recommended in even longer.

Bottom line: don’t hide your SSID. It achieves the exact opposite of what you think it does.

Update: Since there seems to be some confusion as to why you can’t connect to a hidden network without broadcasting it to the world, as well as about security vs. privacy, let’s make a fun analogy.

Imagine a driver (the AP) is picking you up from the airport. They don't know you, and you don’t know them. So they hold up a sign that reads, “John Doe.” When you find them, you (the client) go and tell them, “I’m John Doe.” This is what happens when connecting to a broadcast network.

Now, imagine that driver is trying to be super covert, and doesn’t hold up that sign. What happens now is you have to walk around yelling, “Who’s picking up John Doe?” over and over, until finally the driver steps forward and responds, “I'm picking up John Doe.”

In either case, you then exchange credentials, make sure you’re each who you think you’re dealing with. What happens after authentication is just as secure either way. But every step leading up to it compromises your privacy.
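To make the probe-request behaviour described in this answer concrete, here is an added example (not code from the answer above or from Apple or Microsoft) that parses 802.11 probe request frames and reports, per client address, which SSIDs the client named. A wildcard probe carries a zero-length SSID element and names nothing; a directed probe names a specific network, which is the disclosure the answer is talking about. The frames here are constructed in memory with a small builder so the script runs offline; the MAC addresses and SSIDs are made-up values. The `randomized_mac` flag checks the locally-administered bit of the source address, which is how randomized probe addresses (mentioned above in the context of Apple's change) are distinguished from burned-in ones. Running this over a capture of your own devices' traffic is a reasonable way to check which of them are still naming hidden networks.

```python
import struct
from collections import defaultdict
from typing import Optional

MGMT_HEADER_LEN = 24      # FC(2) + duration(2) + addr1(6) + addr2(6) + addr3(6) + seq ctrl(2)
PROBE_REQUEST_FC = 0x40   # frame control byte 0: type 0 (management), subtype 4 (probe request)
IE_SSID = 0               # element ID of the SSID information element


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit of the first octet is set, i.e. a randomized (non-OUI) address."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def parse_probe_request(frame: bytes) -> Optional[dict]:
    """Return {src, ssid, randomized_mac} for a probe request, or None for any other frame.

    ssid is None for a wildcard probe (zero-length SSID element): the client is asking
    "who is out there?" without naming a network. A non-empty ssid is a directed probe.
    """
    if len(frame) < MGMT_HEADER_LEN or frame[0] != PROBE_REQUEST_FC:
        return None
    src = mac_str(frame[10:16])          # addr2 is the transmitter (the client)
    body = frame[MGMT_HEADER_LEN:]
    ssid = None
    pos = 0
    while pos + 2 <= len(body):          # walk the tag/length/value elements
        eid, elen = body[pos], body[pos + 1]
        value = body[pos + 2: pos + 2 + elen]
        if len(value) != elen:
            break                        # truncated element, stop parsing
        if eid == IE_SSID:
            ssid = value.decode("utf-8", errors="replace") if elen else None
            break
        pos += 2 + elen
    return {"src": src, "ssid": ssid, "randomized_mac": is_locally_administered(src)}


def disclosed_ssids(frames) -> dict:
    """Map each source MAC to the set of SSIDs it named in directed probe requests.

    A client that names several networks produces exactly the per-device signature
    the answer describes in point 3.
    """
    seen = defaultdict(set)
    for f in frames:
        info = parse_probe_request(f)
        if info and info["ssid"] is not None:
            seen[info["src"]].add(info["ssid"])
    return dict(seen)


def build_probe_request(src: str, ssid: str) -> bytes:
    """Constructed test frame (not a real capture): broadcast DA/BSSID, one SSID element."""
    broadcast = b"\xff" * 6
    src_raw = bytes(int(x, 16) for x in src.split(":"))
    header = (struct.pack("<BBH", PROBE_REQUEST_FC, 0, 0)   # FC + duration
              + broadcast + src_raw + broadcast + b"\x00\x00")  # addr1, addr2, addr3, seq
    ssid_raw = ssid.encode("utf-8")
    return header + bytes([IE_SSID, len(ssid_raw)]) + ssid_raw


# Constructed sample capture: one phone with a burned-in address, one laptop using a
# randomized address, and one beacon frame that the parser must ignore.
SAMPLE_FRAMES = [
    build_probe_request("00:11:22:33:44:01", ""),                   # wildcard probe
    build_probe_request("00:11:22:33:44:01", "My Secret SSID"),     # directed probe
    build_probe_request("00:11:22:33:44:01", "Smith Family WiFi"),  # directed probe
    build_probe_request("02:11:22:33:44:55", "My Secret SSID"),     # randomized MAC
    bytes([0x80, 0x00]) + b"\x00" * 22,                             # beacon, not a probe
]

if __name__ == "__main__":
    for mac, ssids in disclosed_ssids(SAMPLE_FRAMES).items():
        tag = "randomized" if is_locally_administered(mac) else "burned-in"
        print(f"{mac} ({tag}) named: {sorted(ssids)}")
```

The point the output makes is the one in the answer: the wildcard probe discloses nothing, while every directed probe hands the SSID to anyone in range of the client, not just to the AP. A randomized source address limits how long the same device can be followed, but it does nothing to hide the SSIDs themselves.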

Apple representatives stated that iOS 10 passively listens for known access points and broadcasts SSIDs related to hidden access points but no other "personal" information. Other experts, however, claim to have been able to easily collect information on a phone's trusted wifi access points, hidden or not. Though hiding your SSID cannot prevent an attack (nothing can), it probably doesn't increase your risk of attack in a measurable way unless iOS is broadcasting other data that wouldn't be available to the attacker otherwise, that could inform an attacker about your identity or other information that could aid their efforts to target you. Apple should clarify exactly what they mean by "personally identifiable information".

Concerns are raised that your phone will broadcast the SSID of your hidden network while you're not connected to it. Broadcasting the name of an access point in locations where the access point is NOT seems insignificant. An attacker would still have to find the actual access point, which seems pretty resource intensive unless you AND the attacker are near the access point at the same time.

A "hidden" SSID can reduce your exposure to someone with malicious intent war driving or stumbling upon your network by chance. The fact that someone can still discover your SSID even if it's hidden seems less concerning because it means an attacker may have to take extra steps to get that information making it more resource and time intensive for them, even if just by a bit. You never know when someone might get deterred and move on to another target.