5 BSSIDs from one router

What your ISP gateway is broadcasting that you didn't ask for.

May 9, 2026 • GhostPort Technologies

Tonight, while live-testing GhostPort Sonar's passive Wi-Fi monitoring, a customer unplugged their Cox Communications gateway. Sonar caught the moment cleanly: five distinct BSSIDs disappeared from the air at the same instant, all sharing the same vendor OUI, all originating from the one device the customer just took offline.

That's not a Cox-specific problem. That's how most modern ISP gateways work. And it's exactly the visibility gap GhostPort exists to close.

What we actually saw

Five BSSIDs from one chassis, broadcasting simultaneously:

One named customer SSID — the one printed on the side of the router.
Four hidden SSIDs — same OUI prefix, locally-administered MAC addresses.

When the gateway lost power, all five went silent within the same 60-second window. Sonar's beacon timestamps confirm a single physical source.

What those hidden BSSIDs are for (and why most are reasonable)

Modern Wi-Fi gateways use multi-BSSID broadcasting as a standard feature, defined in the IEEE 802.11 specification. A single radio can advertise multiple virtual networks. On a typical ISP gateway you'll see, in roughly this order:

1. CUSTOMER MAIN The network with the SSID and password printed on the sticker.

2. CUSTOMER GUEST Usually disabled by default, hidden until enabled.

3. IOT / MESH BACKHAUL Used internally to coordinate with extender pods or smart-home accessories.

4. SETUP / PROVISIONING Used briefly during install, usually idle afterward.

5. ISP-SHARED HOTSPOT And this is the one worth a closer look.

The one that matters: CoxWiFi (and Xfinity, and Spectrum, and AT&T...)

Most major US ISPs run a public hotspot service that piggybacks on customer-owned gateways:

CoxWiFi — Cox Communications
xfinitywifi — Comcast / Xfinity
Spectrum WiFi — Charter / Spectrum
AT&T Wi-Fi — varies by region

These hotspots use your gateway hardware, your electrical power, and your radio spectrum to provide free Wi-Fi access to other subscribers of the same ISP. Your data plan is segregated from the public traffic at the ISP level — that's the technical assurance.

What's worth knowing:

It's enabled by default in many regions. New gateways often arrive with the public hotspot already broadcasting. You opt out, not in.
The opt-out lives in your account portal, not the gateway admin page. Most customers never visit either. The exact path is documented in Cox's residential support knowledgebase.
Even after opt-out, the hidden setup BSSIDs typically continue broadcasting because they serve internal management functions.

This is documented in the ISPs' own support knowledgebases. It's not a secret. It's just rarely surfaced unless you go looking.

The bigger pattern: ISPs and your data

The CoxWiFi opt-out is one specific case. The broader pattern is harder to opt out of:

In April 2017, the US Senate passed S.J.Res. 34, signed on April 3, 2017, repealing the FCC's broadband privacy rule. The rule, finalized in 2016, would have required ISPs to obtain explicit opt-in consent before selling customer browsing data.
Since the repeal, ISPs have been free to monetize aggregated and de-identified browsing metadata, and disclosure practices vary by carrier.
ISP-level DNS lookups remain visible to your provider regardless of whether you opt out of any specific product. Every domain your devices query is something your ISP can log.

These aren't conspiracy theories. They're the legal and technical defaults of using consumer broadband in 2026.

What you can't see, you can't manage

Here's the thing that struck us tonight: the customer had no idea their gateway was broadcasting five BSSIDs. They knew about one — the SSID they connect to. The other four were invisible until Sonar caught them.

That's the problem GhostPort is built to solve.

GhostPort sits between your gateway and your devices. It gives you:

Visibility into every BSSID, named or hidden, that's emitting in your space — including the ones your own gateway is broadcasting on your behalf.
Per-BSSID signal strength, security suite, vendor, and Wi-Fi version — captured passively, no probe traffic sent.
DNS isolation — your queries go through a private resolver, not your ISP's. (Pi-hole + DoH/DoT, locked into ZeroTrust and ZHop modes.)
Routed-through-our-tunnel egress — DoubleHop and ZHop modes route traffic through our infrastructure so your ISP sees only an encrypted blob to one endpoint.

We didn't catch a Cox conspiracy tonight. We caught a normal Cox gateway doing what gateways do — the same things every ISP gateway does, mostly defensible, one of them (CoxWiFi) opt-out-by-default and worth the customer's attention.

The point isn't that Cox is bad. The point is that you should be able to see what your own equipment is doing, and most consumer gear gives you exactly zero tools to do that.

GhostPort gives you those tools. Sonar is one of them.

References

IEEE 802.11-2020, multi-BSSID feature (industry standard).
Cox Communications residential support: CoxWiFi public hotspot opt-out.
S.J.Res. 34 (115th Congress) — repeal of FCC broadband privacy rule, signed April 3, 2017.

See what your own gateway is broadcasting.

ghostporttechnologies.com

Visibility first. Privacy follows.