I got two good questions last week, via Facebook, that I answered briefly in the comments, but are worth further exploration: Does it beef up wireless security to hide the SSID and only allow the MAC addresses of hardware you own?
Those are good questions. Smart questions. I like those kinds of questions.
Unfortunately, neither measure gets you a whole lot. Against a sophisticated attacker, that buys you minutes, compared to the security of a strong password, which buys you years. It’s like having a locked screen door in front of the vault door at Fort Knox. (Assuming you’re using a strong password–if you’re using a weak password and these measures, it’s like having multiple locked screen doors.)
Then again, not everyone is a sophisticated attacker.
The problem is that a wireless sniffer (available for free) will expose MAC addresses and hidden SSIDs. So a sophisticated attacker just sniffs the SSID, then looks at the MAC addresses on the network, knocks one or more of them off the network, then spoofs that address and starts trying passwords.
So, against someone with good tools, hiding the SSID and filtering MAC addresses only adds a couple of minutes to the beginning of the process–if that.
I will concede that if your main concern is freeloading neighbors who either don’t want to pay for their own Internet access, or want to use your network to do something they don’t want to do on their own, hiding your SSID and/or MAC filtering will keep them out. Because no consumer operating system has built-in tools that defeat those two measures.
Then again, the same thing is true of a strong password, and with fewer downsides.
I’ve found that hiding the SSID can actually cause problems. For nearly a decade, I couldn’t get wireless to work reliably in all of the reaches of my house. I actually spent a 3-day weekend one year wiring several rooms of the house with the help of a friend because a Linksys WRT54G wouldn’t reach my family room, even when I placed it in the room right next door. It worked sometimes, but not always.
But when I hid the SSID, it never worked. That room became a dead zone.
My modern wireless router can reach that room, though with a significantly diminished signal. As long as I’m broadcasting my SSID, it works fine.
MAC filtering doesn’t cause any problems–it’s just a hassle. Some routers make it easier than others, but at the very least, I have to go over to one of my computers, log into the router, add a permitted MAC address–on a good router, it’ll already be there if the device owner has already tried to connect–and then they’re ready to go.
I go through five minutes of hassle to buy myself two minutes of additional security.
I’d rather just tell them to connect to the network, then hand the device to me when it asks for the password. Then I’ll key in my long, obnoxious password, then hand the device back. If I don’t mistype, it takes about a minute.
Honestly, a year or two ago, it was rare for someone to bring wireless devices over. But it happens more and more, and it’s only going to become more common.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.