I was thinking “Vladimir LANin”

  • unperson [he/him] · 1 day ago

    Most devices actively ask around for the hidden SSIDs they know about. As in, they send a broadcast in cleartext called a "probe request" containing the list of hidden SSIDs every time they scan for access points.

    Today usually the scans use randomised MAC addresses for privacy, but that doesn't help if you have any hidden SSIDs stored because of this list. Places like shopping malls are known to use these beacons to track the movements of individual people.

    Before 802.11w (which still works almost always, because 802.11w tends to be deactivated for compatibility), there was a trivial way to "unmask" a hidden SSID: you have to wait for someone to talk to the target access point, send a disassociation frame to the victim, and wait for the probe request / response when the victim automatically reconnects.
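The probe-request leak described in the comment above, as an added example that is not part of the original thread: a small parser for 802.11 probe requests that reports, per station, whether its MAC is randomised and which stored network names it announced in directed probes. The frame layout follows the standard 24-byte management header plus tagged elements; the sample frames are constructed here, not captured.

```python
import struct

def is_randomised_mac(mac):
    # Locally-administered bit (bit 1 of the first octet) is set on randomised addresses.
    return int(mac.split(":")[0], 16) & 0x02 != 0

def build_mgmt_frame(subtype, src_mac, ssid):
    """Constructed test frame: 24-byte 802.11 management header + SSID and Supported Rates elements."""
    fc0 = (subtype << 4) | (0 << 2)                       # frame type 0 = management
    src, bcast = bytes(int(x, 16) for x in src_mac.split(":")), b"\xff" * 6
    header = struct.pack("<BBH", fc0, 0, 0) + bcast + src + bcast + struct.pack("<H", 0)
    body = bytes([0, len(ssid)]) + ssid.encode() + bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])
    return header + body

def parse_probe_request(frame):
    """Return (source MAC, list of SSIDs) for a probe request, None for any other frame."""
    if len(frame) < 24 or (frame[0] & 0x0C) != 0 or (frame[0] >> 4) != 4:
        return None                                       # not a management / probe request frame
    src = ":".join(f"{b:02x}" for b in frame[10:16])      # Address 2 = transmitting station
    body, ssids, i = frame[24:], [], 0
    while i + 2 <= len(body):                             # walk the tagged parameters
        eid, elen = body[i], body[i + 1]
        val = body[i + 2:i + 2 + elen]
        if len(val) < elen:
            break                                         # truncated element: stop, don't misparse
        if eid == 0:                                      # element ID 0 = SSID
            ssids.append(val.decode("utf-8", errors="replace"))
        i += 2 + elen
    return src, ssids

def audit_probes(frames):
    """Per station: is its MAC randomised, and which stored network names did it disclose?
    An empty SSID is a wildcard probe and reveals nothing; a named one is a directed probe."""
    report = {}
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        src, ssids = parsed
        entry = report.setdefault(src, {"randomised_mac": is_randomised_mac(src), "disclosed": set()})
        entry["disclosed"].update(s for s in ssids if s)
    return report

SAMPLE_FRAMES = [  # constructed sample traffic, not a real capture
    build_mgmt_frame(4, "da:a1:19:00:00:01", ""),             # wildcard probe, randomised MAC
    build_mgmt_frame(4, "da:a1:19:00:00:01", "home-hidden"),  # directed probe leaks a stored hidden SSID
    build_mgmt_frame(4, "00:11:22:33:44:55", "office-net"),   # directed probe, burned-in MAC
    build_mgmt_frame(8, "00:aa:bb:cc:dd:ee", "mall-guest"),   # beacon (subtype 8), must be ignored
]
```

Running `audit_probes(SAMPLE_FRAMES)` shows the point of the comment: the randomised station is still identifiable by the name "home-hidden" it keeps announcing.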