Why MAC address filtering doesn’t help security

Last Updated on July 17, 2017 by Dave Farquhar

The other question that came out of my recommended DD-WRT settings was why not filter MAC addresses. I hate to be flip, but MAC address filtering doesn’t help, so why bother?

The reason is because your MAC addresses are broadcast as part of the network traffic, and it’s unencrypted. So your MAC addresses aren’t any secret at all. So it doesn’t do any good. One could argue it doesn’t do any harm. But it adds an extra step every time you put something on your wireless network. Why go to the inconvenience if you don’t gain anything from it?

As a quick aside, MAC address filtering can have its uses. In DD-WRT, you can use it to force devices onto a particular network band. But that’s not the typical thing people use it for.

Sniffing MAC addresses out of the air sounds like something that would be difficult. But I found a number of Youtube videos that show in five minutes how to find the MAC address of something that’s talking, then change your machine’s MAC address to match, so you can get on the network. Someone who’s done it once can do it in a lot less than five minutes. And someone with moderate scripting ability could make it take seconds. Someone who doesn’t have moderate scripting ability could probably find someone else’s script and use it.

MAC filtering is something that’s fallen out of favor in corporate networks because it’s so easy to defeat. In corporate environments, they use a technology called 802.1x to keep unauthorized machines off the network. You can set up 802.1x with DD-WRT if you want. But most people probably don’t want to set up a RADIUS server so they can use WPA2-Enterprise and go to the trouble of issuing the required certificates for all of the hosts. If you really want to break into the security field, it’s a good project to undertake. You’ll impress your interviewer if you casually mention that you have WPA2-Enterprise with RADIUS and 802.1x at home. But it’s overkill, and for that matter, it’s even possible to defeat 802.1x, though much more difficult. It’s a good project, but don’t get the idea that it makes you invincible. Nothing does.

The practice of MAC address filtering dates way back to the early days of wireless. And in the bad old days when all we had was WEP, MAC address filtering probably was worth doing because WEP was so weak. In fact, if you have to run WEP, I would recommend MAC filtering because then you have a better chance of knowing if someone got in because your device will start acting weird.

But if you’re running WPA2, MAC filtering is pointless. That’s  because it adds one second to the time it takes for a sophisticated attacker to get into your network. When you’re using WPA2 and AES with a long, complex password, it’s going to take a decade or more to get into your network.

What’s a second on top of a decade? By the time they guess your password, you’ll be replacing your network with some newer, better, more secure technology and then the game starts over anyway. So slowing the attacker down by one second doesn’t gain you anything.

MAC address filtering, unlike SSID hiding, won’t hurt you. But it creates unnecessary hassle for you with no real benefit. That’s why I don’t recommend it except in the unusual circumstance where you have to run WEP. Even then, I’d really rather you just got rid of WEP. Because like moving SSH your port, at best, all it does is slow down an attacker by a few minutes at most.

If you found this post informative or helpful, please share it!