Automatically Connecting to Hidden SSID WiFi Network

Solution 1:

Automatically connecting to a network with a hidden SSID is a bad idea.

Since your computer cannot passively listen for the SSID broadcast and automatically connect when it sees the SSID (which will not show in the beacon broadcast, since that is how hiding the SSID works), it has to actively send probe packets with the network's SSID, even if it is nowhere near the access point, and wait for a response. This means that, instead of the access point broadcasting its name all the time, you have all computers configured to automatically connect to it broadcasting its name all the time, no matter where they are.

Not to mention that, to be able to roam between several access points with the same SSID, the computer has to know their BSSID (essentially, the AP's MAC address). Usually they do this by listening to the beacons broadcast by the access points. Since the beacons do not have the SSID (hey, it's hidden!), the computer has to periodically send probe requests even if it is already connected to the access point, making it laughably easy for an intruder to find out the SSID if even one computer is connected to the network. Not to mention the disassociation attacks.

So, it gains almost zero security (it is still way too easy to find the SSID) and loses a bit more security (the client computers constantly announcing to the world "hey, I am a computer belonging to someone who works at company XYZ!" even when nowhere near company XYZ). The net result is negative.

The only way to reduce or even avoid the security loss is to have it connect manually instead of automatically, which seems to be what Apple is doing. (Windows Vista, from what I recall, warns you of the security issues when you try to set it to automatically connect. The NetworkManager used by most Linux distributions also seems to make you choose the saved connection from a dropdown manually.)

In theory, it would be possible to save the known BSSIDs for each ESSID and only send the probe request when a beacon for one of them is received (that is, when you are near an access point which has in the past been used for that SSID). I do not know why nobody seems to have tried that yet.
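The selective-probing idea from the last paragraph, sketched as an added example (not code from this answer or from any operating system's Wi-Fi stack): a hidden-SSID beacon is matched against BSSIDs saved from earlier manual connections, and a directed probe is allowed only on a match. The `KNOWN` profile, the function names and the sample frames are constructed for illustration, and frames are assumed to arrive without a radiotap header.

```python
import struct

MGMT_HDR_LEN = 24      # frame control, duration, 3 addresses, sequence control
BEACON_FIXED_LEN = 12  # timestamp (8), beacon interval (2), capabilities (2)

def parse_beacon(frame: bytes):
    """Return (bssid, ssid_bytes) for a beacon frame without radiotap header, else None."""
    if len(frame) < MGMT_HDR_LEN + BEACON_FIXED_LEN or frame[0] != 0x80:
        return None  # too short, or not management type / beacon subtype
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])  # address 3
    pos = MGMT_HDR_LEN + BEACON_FIXED_LEN
    while pos + 2 <= len(frame):  # walk the tagged elements
        tag, length = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + length]
        if len(value) < length:
            return None  # truncated element
        if tag == 0:  # SSID element
            return bssid, value
        pos += 2 + length
    return None

def ssid_to_probe(frame: bytes, known: dict):
    """Return the saved ESSID to probe for, or None to stay silent."""
    parsed = parse_beacon(frame)
    if parsed is None:
        return None
    bssid, ssid = parsed
    if any(ssid):
        return None  # SSID is broadcast: passive discovery, no probe needed
    for essid, bssids in known.items():
        if bssid in bssids:
            return essid  # hidden beacon from an AP previously used for this ESSID
    return None  # hidden network we have never joined

def build_beacon(bssid: str, ssid: bytes) -> bytes:
    """Construct a minimal sample beacon (test data, not a capture)."""
    mac = bytes.fromhex(bssid.replace(":", ""))
    header = b"\x80\x00\x00\x00" + b"\xff" * 6 + mac + mac + b"\x00\x00"
    fixed = bytes(8) + struct.pack("<HH", 100, 0x0011)
    return header + fixed + bytes([0, len(ssid)]) + ssid + bytes([1, 1, 0x82])

# Hypothetical saved profile: ESSID -> BSSIDs seen on earlier manual connections.
KNOWN = {"corp-hidden": {"02:00:00:aa:bb:01", "02:00:00:aa:bb:02"}}

if __name__ == "__main__":
    for mac, ssid in [("02:00:00:aa:bb:01", b""), ("02:00:00:cc:dd:01", b""),
                      ("02:00:00:aa:bb:02", b"guest")]:
        print(mac, ssid, "->", ssid_to_probe(build_beacon(mac, ssid), KNOWN))
```

Both common ways of hiding an SSID are treated as hidden here: a zero-length SSID element and one filled with zero bytes. Beacons are unauthenticated, so this gating narrows where the client discloses the SSID rather than guaranteeing it never does.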

Solution 2:

Not sure how to respond specifically to irrational John's comment on Jordan Cataldo's answer, so apologies for the new answer. But -- no, iJohn, you can save this AppleScript, via Script Editor, to an .app that can be placed in the user's Login Items (under Accounts in System Prefs). Then, you'll be logged into the hidden network automatically on startup.

Based on Jordan's example, I wrote the following script to log in to a hidden network that may not be available yet, for the (admittedly rare) case when the server is on the same power strip as the client, and takes a while to start up. Museum exhibits have unusual needs ;)

set networkResult to false
repeat while not networkResult
    try

        do shell script "networksetup -setairportnetwork NetworkName networkPassword | /bin/bash"

        -- network found and joined.
        set networkResult to true

    on error errorMsg

        -- network not yet available;
        -- wait five seconds and try again.
        set networkResult to false
        delay 5

    end try
end repeat