I have a Vigor2765ac with a single operational SSID on 2.4GHz and another single SSID on 5GHz. The router is running the latest firmware V4.5.2_BT. There is also a wired access point AP903ac

I recently used a WiFi analyser on my phone and found 2 extra hidden SSIDs, one on each of 2.4GHz and 5GHz radio channels.

The MAC addresses are similar to those from my Router, but my other SSIDs on both 2.4GHz and 5GHz are actually set to "disable", so are off

Additionally these two hidden SSIDs appear to be set to WPA2 / WPA3 and my router settings are WPA2 and NOT WPA3.

Can anyone advise what they are doing and how to switch them off please
 

I can't advise what they're doing or tell you how to switch them off but I can confirm that I see the same thing with my 2866Vac router on 5GHz wifi.  I set up two SSIDs on the same radio channel using WPA3 security but when I scan the 5GHz band on another device I see three SSIDs - the two I set up using WPA3 and a third, hidden, one using WPA3/WPA2.  All three have MAC addresses which are almost the same, but not quite, and the hidden SSID disappears when I switch off the 2866Vac's wifi.  I only noticed this recently - within the past month or two - but it could have been happening for a while.  Also, I first noticed it when I switched from WPA2 to WPA3 when my last old wireless device was retired.  I'm currently on fimware v4.5.2.2_BT (2026-02-03) and I still see this mysterious hidden SSID.

Do these hidden networks have quite long names of fairly random strings?  I've seen these (you can see them if you ssh to the AP, turn wifi debugging on and then dump the log) and I *think* they're used internally as pert of the mesh.  I did ask Draytek about them but never got a reply.  Do educate us if you find out more.

I contacted Tech Support to see if I was doing something 'wrong', they escalated the issue to 2nd Line Support as they had exhausted the obvious possibilities.

The 2nd Line Support engineer provided the following explanation

Hidden SSIDs are used by Mesh function.
And due to the limitation of the mt7615_5040 Wireless driver, we have to let the hidden SSIDs exist even when Mesh function is disabled. (V2135ac/V2763ac/V2765ac/V2865ac/V2866ac/V2927ac)
For other models like AP805, the hidden SSIDs exist only when Mesh is enabled.
Those hidden SSIDs use random-generated string as Password, so there is no security issue.
In addition, both VigorMesh and EasyMesh have hidden SSIDs for internal use.
This is not a bug. Please inform the customer to just ignore them.

So the upshot is they are an biproduct of the way the system has been designed. They can't be turned off, but shouldn't be a security risk due to the long random passwords.

Unfortunately they unnecessarily crowd the WiFi spectrum and my neigbhours are thinking I'm jamming them !!






 

David wrote:

I contacted Tech Support to see if I was doing something 'wrong', they escalated the issue to 2nd Line Support as they had exhausted the obvious possibilities.

The 2nd Line Support engineer provided the following explanation

Hidden SSIDs are used by Mesh function.
And due to the limitation of the mt7615_5040 Wireless driver, we have to let the hidden SSIDs exist even when Mesh function is disabled. (V2135ac/V2763ac/V2765ac/V2865ac/V2866ac/V2927ac)
For other models like AP805, the hidden SSIDs exist only when Mesh is enabled.
Those hidden SSIDs use random-generated string as Password, so there is no security issue.
In addition, both VigorMesh and EasyMesh have hidden SSIDs for internal use.
This is not a bug. Please inform the customer to just ignore them.

So the upshot is they are an biproduct of the way the system has been designed. They can't be turned off, but shouldn't be a security risk due to the long random passwords.

Unfortunately they unnecessarily crowd the WiFi spectrum and my neigbhours are thinking I'm jamming them !!

 

Doesn't WPA2 require both sides to have agreed the key in advance?  Do all DrayTek devices have hard-coded keys in their firmware for the purposes of connecting to a DrayTek mesh, or is the key shared in some other way?  There probably is a secure way of generating a new, unique, random key each time and exchanging it with other devices but I'd be much happier if I could just completely disable WPA2 as I no longer have any wireless devices that need it.  Perhaps DrayTek could add an "Enable mesh compatibility" switch for WPA3 users that need this special WPA3/WPA2 mode for their mesh but allow the rest of us to stick to using WPA3 only.