Michael Horowitz
Home => Hidden Wi-Fi Networks
[Formatted for Printing] From the personal web site of  Michael Horowitz

Hidden Wi-Fi Networks on a Synology Router

September 20, 2019

I have recently been looking at the Synology RT2600ac router. This is Synology's most powerful router, their second generation product.

In reading about the router, somewhere, someone mentioned that it creates hidden Wi-Fi networks, but I blew this off. Lots of people say lots of stuff online.

At some point, I was looking at the security of the Guest network created by the RT2600ac. It has a couple interesting features, but that is not what this article is about.

Like other current routers, the RT2600ac lets you create a single SSID that lives on both Wi-Fi frequency bands. I didn't do that, my test Guest network was only on the 2.4 GHz band. I also created the Guest Wi-Fi without creating the normal private Wi-Fi network.

To monitor the Wi-Fi network from outside the router, I used a free Windows program called WiFiInfoView (v2.42) from Nir Sofer. It shows lots of detailed information about nearby wireless networks. It also shows hidden Wi-Fi networks; they display as having a blank SSID.

The router was in a very crowded Wi-Fi environment, so I sorted the list of detected networks by signal strength.

I mention all of this both to explain how I found what I did and why most people with a Synology router would not have detected anything.

Even given the above, I almost noticed nothing unusual. There was a hidden Wi-Fi network with almost the exact signal strength of my Synology Guest network, but that, in and of itself, means nothing. Frankly, I am not sure what made me think that that hidden network was from my router. But, it was.

WiFiInfoView showing nearby networks
WiFiInfoView showing nearby networks

In the screen shot above, the Synology Guest network is at the bottom, MikeNet34. The hidden network, just above it, shares many traits with the Guest network: channel, signal strength, channel width, not identifying itself, encryption, PHY types and the top speed. They differed on WPS, which Synology enables by default, but I had configured the router to not use. The Guest network had WPS disabled, the hidden one had it enabled.

Look at the image above, do you see the smoking gun? It's the Start Time, a network attribute that very few programs display. Clearly the two networks are related, they started at the exact same second.

Every network adapter is assigned what should be a unique number, called a MAC address. Part of the MAC address (first 3 bytes) is supposed to identify the company that manufactured the network adapter. You see this in the Company column in the screen shot above. You also see that neither Synology network can be identified from its MAC address. This is strange because the main/private network created by the RT2600ac router can be identified this way as belonging to Synology.

The first three bytes of the visible Guest network (MikeNet34) are 02-11-32 and WiFiInfoView was not the only software that could not relate this to a company. The Wireshark OUI lookup returns a Not Found error. So too, does a search at the IEEE. Manually searching the full master list also turned up nothing. The first three bytes of the hidden shadow network are 16-11-32 which is also not associated with any company. Somewhat suspicious.

There is another smoking gun in the screen shot above.

I'm not sure why, but I next sorted the display of detected Wi-Fi networks by Start Time. This was a gasp moment, for me. The router had also created a hidden network on the 5GHz band. Recall, I was not using the 5GHz band for anything. Not for the private network (which did not exist) nor for the Guest network. The first three bytes of the hidden network on the 5GHz band were 16-11-32, same as the other hidden network.

Putting this all together, here are the fist three bytes of the Wi-Fi MAC addresses used by Synology:

  1. The private networks are 00-11-32 (which is assigned to Synology)
  2. The Guest networks are 02-11-32
  3. The hidden networks are 16-11-32

The RT2600ac creates one visible network and two hidden networks
The RT2600ac creates one visible network and two hidden networks

As a final test, I power off the router and the two hidden networks disappear.

The hidden network on the 5GHz band was created 7 seconds before the two networks on the 2.4GHz band, but all three are clearly from the same Synology router.

I power cycle the router and the lights on top show that Wi-Fi is off on both frequency bands. The Guest network had timed out and shut down; I had only set it to live for an hour. WiFiInfoView detects nothing from the router.

Then I log onto the router and enable the 2.4GHz guest network again. The lights on the router show that the 2.4GHz band is active and that the 5GHz band is not. But, take that with a grain of salt, the hidden network on the 5GHz band is now detected by WiFiInfoView. It's on a different channel, but the router is configured to automatically pick a channel on the 5GHz band. The hidden network on the 2.4GHz band is still on channel 1 which, again, is how the router is configured. The first three bytes of the MAC address for all three networks are unchanged. As before, the hiddent 5GHz network was started 7 seconds before the two networks on the 2.4GHz band.

VERIZON TOO

An upside to testing in a crowded Wi-Fi neighborhood is that there are so many networks to review. While researching the above, I noticed three Verizon networks had all started at the same time (give or take a few seconds). The SSID of the two visible networks also ties them together. The visible networks can be identified as coming from Verizon hardware, but the MAC address of the hidden network starts with 1A-78-D4 which is not assigned to any company.

Verizon FIOS also creates a hidden network
Verizon FIOS also creates a hidden network

WHY?

Why would Synology create two hidden wireless networks? I don't know, but I can speculate.

Maybe they did not. The hardware is made in China; could it be that the hardware is doing something the software is not aware of?

Maybe this is done for the mesh network? I have seen both Eero and Google Wi-Fi create hidden networks as part of their mesh system. I don't have a mesh network, the Synology RT2600ac is all by itself. So maybe this is a bug? Again, just guessing.

NEXT STEP

One option would be to look at the hidden networks and see what, if any, data is being transmitted on them. This is beyond me technically.

So, I asked Synology ...

... and, sure enough, they said these hidden networks are created for their mesh network, which I don't have. Based on my other experiences with a Synology router, this seems par for the course for them. The tech support person said they would submit a new feature request to let us disable these hidden networks.

- - - - - - - - -

UPDATE September 23, 2020: In re-reading this, a year after having written it, I realize I may not have stressed a very important point. The Synology router created a network on the 5GHz Wi-Fi band when it was specifically configured not to. The lights on the router showed that the 5GHz band was not being used. But, it was. My conclusion to this is that Synology can not be trusted as a router vendor.

UPDATE December 21, 2022: Someone with a Synology RT6600AX router (SRM version 1.3-9193) ran across this blog while looking for information on the hidden network they found. This confirms that the issue still exists, which, to me, says a lot about Synology as a router vendor. Also, the hidden network that the router currently creates has WPS enabled even though WPS is disabled in the router web interface. And he tested something I did not - disabling the Wi-Fi at night on a set schedule. He found that while the RT6600AX does turn off the Wi-Fi on schedule, the hidden network remains.
FYI: the hidden network only replicates the 5GHZ-2 network, not the 2.4 and 5GHZ-1 networks.

 

 

 @defensivecomput TOP Home => Hidden Wi-Fi Networks   
 michael--at--michaelhorowitz.com   Last Updated: December 22, 2022 4PM UTC  
  License Plate
Copyright 2001-2024
Copyright 2001-2024  
Printed at:   March 29, 2024 8:33am   ET
Viewed 23,977 times since September 20, 2019 (15/day over 1,651 days)