How does MAC address filtering help to secure a wireless network?

Someone asked me the other day how does MAC address filtering help to secure a wireless network? If you’re in a position where it would help, I argue there are other things you need to do. But I’ll explain how it works, then what I’d rather you do instead.

Here’s the idea. Every network card, wired or wireless, has a Media Access Control (MAC) address. In spite of the acronym, it has nothing to do with Apple computers. All computers use them.

These addresses are supposed to be unique. They aren’t always, but the odds of getting two duplicate ones are pretty low.

how does MAC address filtering help to secure a wireless network
I can use this screen on my router to limit what MAC addresses can connect to my wireless network. But it takes less time to defeat than it takes for me to add an address to this filter.

So the idea is that I can treat MAC addresses as a sort of password. Right now there are 15 devices on my network (yikes). If I only allow those 15 devices to connect, the theory goes, then my network is more secure because my network will reject my neighbor’s laptop on the basis of his MAC address, even if he guesses my wireless password correctly.

The theory sounds pretty good. The practice is less sound.

Here’s the problem. MAC addresses transmit in the clear. So if I load up the right software and put a big enough antenna on a computer, I can see all of my neighbors’ MAC addresses, even if I can’t get on their networks. So a MAC address is no more secure than a password written on a piece of paper taped to your monitor.

It does take some skill to spoof a MAC address, but not a lot. Someone trying to get on your network has to know how to sniff your MAC address, de-auth your MAC address, change his MAC address to match yours, and then connect. There are Youtube videos that explain it all. Yes, you can learn how to defeat MAC address filtering exactly the same way you would learn how to install a garbage disposal. The first time you do it might take you 30 minutes or an hour. The second time you do it will take a couple of minutes. Once you’re good, it will take seconds, especially if you learn to script it out.

So while MAC address filtering makes it a little harder to get on your network, it’s really like the difference between a $10 lock and an $11 lock on your front door in a bad neighborhood. It’ll slow down an unskilled lock picker for a few more seconds. It will do nothing at all to the skilled one.

MAC address filtering doesn’t do anything to harm you, unlike some security measures. But it causes you a lot more inconvenience than it causes the bad guy. Why should you spend five more minutes setting up your new devices when it only buys you two minutes of security? The only time I recommend it is when you can’t do anything else.

What would I rather you do instead? Make sure you’re using WPA2 with AES, and put a stronger password on your wireless network. Four or five unrelated words will do. It will only inconvenience you a few seconds per device, and it will buy you years of security. That’s a great deal.

Leave a Reply

%d bloggers like this:
WordPress Appliance - Powered by TurnKey Linux