Home => Hidden Wi-Fi Networks
September 20, 2019
I have recently been looking at the Synology RT2600ac router. This is Synology's most powerful router, their second generation product.
In reading about the router, somewhere, someone mentioned that it creates hidden Wi-Fi networks, but I blew this off. Lots of people say lots of stuff online.
At some point, I was looking at the security of the Guest network created by the RT2600ac. It has a couple interesting features, but that is not what this article is about.
Like other current routers, the RT2600ac lets you create a single SSID that lives on both Wi-Fi frequency bands. I didn't do that, my test Guest network was only on the 2.4 GHz band. I also created the Guest Wi-Fi without creating the normal private Wi-Fi network.
To monitor the Wi-Fi network from outside the router, I used a free Windows program called WiFiInfoView (v2.42) from Nir Sofer. It shows lots of detailed information about nearby wireless networks. It also shows hidden Wi-Fi networks; they display as having a blank SSID.
The router was in a very crowded Wi-Fi environment, so I sorted the list of detected networks by signal strength.
I mention all of this both to explain how I found what I did and why most people with a Synology router would not have detected anything.
Even given the above, I almost noticed nothing unusual. There was a hidden Wi-Fi network with almost the exact signal strength of my Synology Guest network, but that, in and of itself, means nothing. Frankly, I am not sure what made me think that that hidden network was from my router. But, it was.
In the screen shot above, the Synology Guest network is at the bottom, MikeNet34. The hidden network, just above it, shares many traits with the Guest network: channel, signal strength, channel width, not identifying itself, encryption, PHY types and the top speed. They differed on WPS, which Synology enables by default, but I had configured the router to not use. The Guest network had WPS disabled, the hidden one had it enabled.
Look at the image above, do you see the smoking gun? It's the Start Time, a network attribute that very few programs display. Clearly the two networks are related, they started at the exact same second.
Every network adapter is assigned what should be a unique number, called a MAC address. Part of the MAC address (first 3 bytes) is supposed to identify the company that manufactured the network adapter. You see this in the Company column in the screen shot above. You also see that neither Synology network can be identified from its MAC address. This is strange because the main/private network created by the RT2600ac router can be identified this way as belonging to Synology.
The first three bytes of the visible Guest network (MikeNet34) are 02-11-32 and WiFiInfoView was not the only software that could not related this to a company. The Wireshark OUI lookup returns a Not Found error. So too, does a search at the IEEE. Manually searching the full master list also turned up nothing. The first three bytes of the hidden shadow network are 16-11-32 which is also not associated with any company. Somewhat suspicious.
There is another smoking gun in the screen shot above.
I'm not sure why, but I next sorted the display of detected Wi-Fi networks by Start Time. This was a gasp moment, for me. The router had also created a hidden network on the 5GHz band. Recall, I was not using the 5GHz band for anything. Not for the private network (which did not exist) nor for the Guest network. The first three bytes of the hidden network on the 5GHz band were 16-11-32, same as the other hidden network.
Putting this all together, here are the fist three bytes of the Wi-Fi MAC addresses used by Synology:
As a final test, I power off the router and the two hidden networks disappear.
The hidden network on the 5GHz band was created 7 seconds before the two networks on the 2.4GHz band, but all three are clearly from the same Synology router.
I power cycle the router and the lights on top show that Wi-Fi is off on both frequency bands. The Guest network had timed out and shut down; I had only set it to live for an hour. WiFiInfoView detects nothing from the router.Then I log onto the router and enable the 2.4GHz guest network again. The lights on the router show that the 2.4GHz band is active and that the 5GHz band is not. But, take that with a grain of salt, the hidden network on the 5GHz band is now detected by WiFiInfoView. It's on a different channel, but the router is configured to automatically pick a channel on the 5GHz band. The hidden network on the 2.4GHz band is still on channel 1 which, again, is how the router is configured. The first three bytes of the MAC address for all three networks are unchanged. As before, the hiddent 5GHz network was started 7 seconds before the two networks on the 2.4GHz band.
An upside to testing in a crowded Wi-Fi neighborhood is that there are so many networks to review. While researching the above, I noticed three Verizon networks had all started at the same time (give or take a few seconds). The SSID of the two visible networks also ties them together. The visible networks can be identified as coming from Verizon hardware, but the MAC address of the hidden network starts with 1A-78-D4 which is not assigned to any company.
Why would Synology create two hidden wireless networks? I don't know, but I can speculate.
Maybe they did not. The hardware is made in China; could it be that the hardware is doing something the software is not aware of?
Maybe this is done for the mesh network? I have seen both Eero and Google Wi-Fi create hidden networks as part of their mesh system. I don't have a mesh network, the Synology RT2600ac is all by itself. So maybe this is a bug? Again, just guessing.
One option would be to look at the hidden networks and see what, if any, data is being transmitted on them. This is beyond me technically.
So, I asked Synology ...
... and, sure enough, they said these hidden networks are created for their mesh network, which I don't have. Based on my other experiences with a Synology router, this seems par for the course for them. The tech support person said they would submit a new feature request to let us disable these hidden networks.
|@defensivecomput||TOP||Home => Hidden Wi-Fi Networks|
|michael--at--michaelhorowitz.com||Last Updated: September 25, 2019 6PM UTC|