WiFi SSID broadcast
- Client devices passively listen for known networks.
- Clients initiate connection when a known network is heard.
- Attackers do not know what networks un-associated client devices are looking for.
Turning broadcasting on will not prevent all clients from actively scanning for known networks. This is implementation specific - for example, Windows XP defaults to only actively scan. Therefore your assumption that attackers do not necessarily know which networks are being sought is incorrect. It only applies if you connect with modern devices that passively scan networks for the visible SSIDs when they were configured.
SSID Broadcasting Off
- Client devices must actively probe for known networks.
- Client devices are advertising trusted SSIDs.
- Attackers can capture trusted SSID info and use it to trick clients into connecting to a Rogue AP when they are not near the actual trusted network.
That is true as long as the network is open. A client will not be able to connect to a secured network with a different or no password.
This seems a generally sensible supposition. However, I don't think I've seen any claims that take into account what happens when an attacker tries to impersonate a network without knowing other attributes of the network's security configuration - particularly, the encryption protocol or keys. The connection should, in theory, fail with protocol mismatch or bad key negotiation.
The beacon frame, even when not broadcasting the SSID (i.e. SSID is sent in this frame as NULL) still details the network security configuration including encryption details.
Given the above, it would seem to me that disabling SSID broadcast (while still not at all a reliable security mechanism) still has a net-positive impact on security - or net-neutral, at worst. Is there something I'm missing?
Even if not broadcasting, sending a probe request with NULL as the SSID may cause the AP to reply with a beacon containing the SSID. Any road, as soon as a valid device needs to connect the SSID will end up being broadcast by the AP. I would say the only extra security offered is security through obscurity - it may make you feel better but it does not really make your network any more secure. The only negligible benefit is that your SSID will not be broadcast as often. On the flipside, an attacker may assume that this is a particularly sensitive network and spend more time targeting it.
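The point made above (and in the question) that a beacon with a hidden SSID still carries the network's security configuration can be checked directly on the frame bytes. The following Python is an added example, not code from the question or any answer: it parses a beacon frame body (the fixed timestamp/interval/capability fields followed by information elements), flags a hidden SSID (a zero-length or all-NUL SSID element) and decodes the RSN element's group/pairwise cipher and AKM selectors. The two beacon bodies are constructed inline for the example; the element IDs and selector values are the standard 802.11 ones, and no capture library is involved.

```python
import struct
from dataclasses import dataclass
from typing import Iterator, Optional, Tuple

# Information element IDs from IEEE 802.11 (SSID and RSN are the two this example needs).
IE_SSID = 0
IE_RSN = 48

# Suite selectors under the IEEE OUI 00-0F-AC (cipher suites and AKM suites share the OUI).
RSN_OUI = b"\x00\x0f\xac"
CIPHER_NAMES = {1: "WEP-40", 2: "TKIP", 4: "CCMP-128", 5: "WEP-104",
                8: "GCMP-128", 9: "GCMP-256", 10: "CCMP-256"}
AKM_NAMES = {1: "802.1X", 2: "PSK", 8: "SAE"}
CAP_PRIVACY = 0x0010  # "Privacy" bit in the capability information field


@dataclass
class BeaconInfo:
    ssid: Optional[str]   # None when the SSID is hidden or absent
    hidden: bool
    privacy: bool         # capability Privacy bit set (WEP/WPA/WPA2/WPA3)
    rsn: Optional[dict]   # decoded RSN element, or None for open / WPA1-only networks


def iter_ies(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Walk the tag/length/value information elements after the fixed fields."""
    off = 0
    while off + 2 <= len(data):
        tag, length = data[off], data[off + 1]
        value = data[off + 2: off + 2 + length]
        if len(value) < length:
            raise ValueError("truncated information element")
        yield tag, value
        off += 2 + length


def suite_name(selector: bytes, names: dict) -> str:
    if len(selector) != 4:
        raise ValueError("truncated suite selector")
    if selector[:3] != RSN_OUI:
        return "vendor:" + selector.hex()
    return names.get(selector[3], f"unknown-{selector[3]}")


def parse_rsn(value: bytes) -> dict:
    """Decode version, group cipher, pairwise cipher list and AKM list of an RSN element."""
    if len(value) < 8:
        raise ValueError("RSN element too short")
    version = struct.unpack_from("<H", value, 0)[0]
    group = suite_name(value[2:6], CIPHER_NAMES)
    off = 6
    pairwise_count = struct.unpack_from("<H", value, off)[0]
    off += 2
    pairwise = []
    for _ in range(pairwise_count):
        pairwise.append(suite_name(value[off:off + 4], CIPHER_NAMES))
        off += 4
    akm_count = struct.unpack_from("<H", value, off)[0]
    off += 2
    akm = []
    for _ in range(akm_count):
        akm.append(suite_name(value[off:off + 4], AKM_NAMES))
        off += 4
    return {"version": version, "group": group, "pairwise": pairwise, "akm": akm}


def parse_beacon_body(body: bytes) -> BeaconInfo:
    """Parse a beacon frame body: 8-byte timestamp, 2-byte interval, 2-byte capabilities, then IEs."""
    if len(body) < 12:
        raise ValueError("beacon body too short")
    capability = struct.unpack_from("<H", body, 10)[0]
    ssid, hidden, rsn, saw_ssid = None, True, None, False
    for tag, value in iter_ies(body[12:]):
        if tag == IE_SSID and not saw_ssid:
            saw_ssid = True
            # A "hidden" SSID is sent as a zero-length element or as NUL padding.
            if len(value) == 0 or value.count(0) == len(value):
                hidden = True
            else:
                hidden = False
                ssid = value.decode("utf-8", errors="replace")
        elif tag == IE_RSN:
            # Present whether or not the SSID is hidden: the security config still leaks here.
            rsn = parse_rsn(value)
    return BeaconInfo(ssid=ssid, hidden=hidden, privacy=bool(capability & CAP_PRIVACY), rsn=rsn)


def build_beacon_body(ssid: bytes, privacy: bool, rsn_ie: Optional[bytes]) -> bytes:
    """Constructed sample beacon body (timestamp 0, interval 100 TU) for the example below."""
    fixed = struct.pack("<QHH", 0, 100, CAP_PRIVACY if privacy else 0)
    ies = bytes([IE_SSID, len(ssid)]) + ssid
    if rsn_ie is not None:
        ies += bytes([IE_RSN, len(rsn_ie)]) + rsn_ie
    return fixed + ies


# Constructed RSN element: version 1, group CCMP, pairwise CCMP, AKM PSK, capabilities 0.
RSN_WPA2_PSK = (struct.pack("<H", 1) + RSN_OUI + b"\x04"
                + struct.pack("<H", 1) + RSN_OUI + b"\x04"
                + struct.pack("<H", 1) + RSN_OUI + b"\x02"
                + struct.pack("<H", 0))

# Constructed sample frames: a hidden-SSID WPA2-PSK beacon and a visible open-network beacon.
HIDDEN_WPA2 = build_beacon_body(b"\x00" * 8, True, RSN_WPA2_PSK)
VISIBLE_OPEN = build_beacon_body(b"CoffeeShop", False, None)

if __name__ == "__main__":
    for label, body in (("hidden WPA2", HIDDEN_WPA2), ("visible open", VISIBLE_OPEN)):
        print(label, parse_beacon_body(body))
```

Running it shows the hidden-SSID beacon decoding to `ssid=None, hidden=True, privacy=True` with pairwise CCMP-128 and AKM PSK, i.e. everything except the name is readable from the beacon alone, which is the basis for the "net-neutral at best" conclusion in the answer.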