I do hear about MAC address filtering from time to time. At first, it sounded kind of intriguing, but ultimately it turns out to be kind of like a cheap padlock: it only keeps honest people honest.
It’ll certainly keep the casual or accidental connection from happening, which is fine as far as that goes; but for true security, it’s actually pretty close to not having any at all.
I’ll explain why.
A MAC, or “Media Access Control” address, is a theoretically unique identifier assigned to every network interface card (often referred to as a “NIC”, or network adapter).
Every ethernet port on your PC, every wireless adapter, and even every FireWire or USB connection that might also be used for networking, is assigned a MAC address. And as I said, they are all supposed to be different – the ethernet port on my desktop machine has a different MAC address from the ethernet port on my laptop, which is different from the ethernet port on the server running in my basement.
Even two otherwise identical network adapters should have different MAC addresses.
MAC addresses are assigned at the hardware level. So, for example, if you move a network adapter from one machine to another, the MAC address moves with it.
MAC address usage
The MAC address identifies every network interface, and in fact every piece of equipment, on your network. It is how each packet of data identifies which piece of networking equipment it needs to be handed to next, as the packet makes its way to its final destination.
If you know the MAC address of every computer you want to allow to connect to your network, many routers – particularly wireless routers – allow you to restrict access to only those MAC addresses you specify. You collect the MAC addresses from all your laptops, for example (available via the “ipconfig /all” command in the Windows Command prompt) and then enter them into your router’s “allowed addresses” list, and you should be secure.
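As an added illustration of the collection step just described (example code written for this page, not part of the original article), here is a small Python script that pulls the "Physical Address" lines out of `ipconfig /all` output and normalizes them into the lowercase, colon-separated form most router allow-list pages accept. The ipconfig text, adapter names and addresses below are constructed for the example; the output on your own machines will differ, and some routers want dashes or uppercase instead, so adjust `normalize_mac` to match what yours expects.

```python
from __future__ import annotations
import re

# Constructed sample of "ipconfig /all" output: hostnames, adapters and
# addresses are made up for this example, not captured from a real machine.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : LAPTOP-EXAMPLE

Wireless LAN adapter Wi-Fi:

   Description . . . . . . . . . . . : Example Wireless Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5E
   DHCP Enabled. . . . . . . . . . . : Yes

Ethernet adapter Ethernet:

   Description . . . . . . . . . . . : Example Gigabit Adapter
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-5F

Ethernet adapter Bluetooth Network Connection:

   Media State . . . . . . . . . . . : Media disconnected
   Physical Address. . . . . . . . . : 00-1A-2B-3C-4D-60
"""

_HEX_PAIR = r"[0-9A-Fa-f]{2}"
# Accepts 00-1A-2B-3C-4D-5E (Windows), 00:1a:2b:3c:4d:5e and 001A2B3C4D5E.
_MAC_RE = re.compile(
    r"^(%s)[-:]?(%s)[-:]?(%s)[-:]?(%s)[-:]?(%s)[-:]?(%s)$" % ((_HEX_PAIR,) * 6)
)


def normalize_mac(raw: str) -> str:
    """Return the address as six lowercase hex octets joined by colons.
    Raises ValueError for anything that is not six hex octets."""
    m = _MAC_RE.match(raw.strip())
    if not m:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(octet.lower() for octet in m.groups())


def parse_ipconfig(text: str) -> list[tuple[str, str]]:
    """Walk `ipconfig /all` output and return (adapter name, normalized MAC)
    for every adapter section that reports a Physical Address."""
    found = []
    adapter = None
    for line in text.splitlines():
        # Adapter headers start at column 0 and end with a colon.
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            adapter = line.rstrip()[:-1]
        elif adapter and line.lstrip().startswith("Physical Address"):
            raw = line.split(":", 1)[1]  # text after the dotted label
            found.append((adapter, normalize_mac(raw)))
    return found


def build_allow_list(text: str) -> list[str]:
    """Unique, sorted entries ready to type into the router's allowed list."""
    return sorted({mac for _, mac in parse_ipconfig(text)})


if __name__ == "__main__":
    for adapter, mac in parse_ipconfig(SAMPLE_IPCONFIG):
        print(f"{mac}  {adapter}")
    print("allow list:", build_allow_list(SAMPLE_IPCONFIG))
```

Note that the disconnected Bluetooth adapter is listed too: every adapter with a Physical Address is a potential way onto the network, so decide per adapter whether it belongs on the list rather than assuming only the Wi-Fi one matters.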
How MAC address filtering fails
I’ve said “theoretically” and “supposed to” a couple of times above, because there are some inconvenient facts that cause those theories and assumptions to fall down.
- MAC address filtering does not encrypt. Restricting your wireless router’s access to certain MAC addresses does not prevent your data from being sniffed. If your data is unencrypted, that data remains visible to whoever might be in range.
- MAC addresses may not be unique. Many network interfaces now come with a default MAC address, but also allow you to manually configure a different MAC address. It’s easy, then, to configure two network adapters with the same MAC address.
- The MAC address itself is never encrypted. Even if you specify WPA2 encryption on your wireless connection, the MAC address itself is not encrypted. It can’t be, as it’s required to tell the computers involved which computer is supposed to receive the packet. Your data is encrypted, of course, but the MAC address is not.
So, let’s say a somewhat knowledgeable hacker is interested in accessing your WiFi hotspot, on which you have MAC address filtering turned on. He or she need only do two things:
- Sniff the network and look at the MAC addresses which are allowed access to the WiFi.
- Configure his or her network interface to use one of those MAC addresses.
They’re on, quickly and easily.
Use WPA2 for more effective security
In my opinion, unless you’re aware of the risks above and take them into account, MAC address filtering can actually be worse than having no security at all. It can give a false sense of security, which may lead you to ignore the additional steps that would give you true security.
My recommendation? Turn on WPA2 encryption, which will encrypt your data, keeping it safe from sniffing, and restrict access to the wireless network to those who have the key.
It’s a lot easier than tracking down all the MAC addresses for all your equipment.
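To make the difference between the two checks concrete, here is an added Python model written for this page (not code from the original article). It parses the plaintext header of a constructed Ethernet frame, applies an allow-list check the way a router’s MAC filter does, and contrasts it with a key-based check. The addresses, payloads and key are made up; the HMAC tag is a stand-in for WPA2’s per-frame protection, not an implementation of it (real WPA2 derives per-session keys in a handshake and uses CCMP); and an Ethernet II header stands in for the 802.11 header, which likewise carries its addresses in the clear.

```python
from __future__ import annotations
import hashlib
import hmac
import os
import struct

# Constructed addresses and key for this example; none come from a real network.
ROUTER_MAC = "00:1a:2b:aa:bb:cc"
LAPTOP_MAC = "00:1a:2b:3c:4d:5e"        # on the router's allow list
STRANGER_MAC = "66:77:88:99:aa:bb"      # not on the list
ETHERTYPE_IPV4 = 0x0800
SHARED_KEY = b"example-passphrase-only"  # stands in for the WPA2 pre-shared key
TAG_LEN = 16


def mac_to_bytes(mac: str) -> bytes:
    octets = mac.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {mac!r}")
    return bytes(int(o, 16) for o in octets)


def bytes_to_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_header(frame: bytes) -> tuple[str, str, int]:
    """The first 14 bytes of an Ethernet II frame: dst MAC, src MAC, EtherType.
    These bytes are never encrypted; anyone in range can read them."""
    if len(frame) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return bytes_to_mac(dst), bytes_to_mac(src), ethertype


def build_frame(dst: str, src: str, payload: bytes, key: bytes | None = None) -> bytes:
    """Header + payload. With a key, append an authentication tag over both:
    a simplified stand-in for the per-frame protection a key-based scheme gives."""
    header = struct.pack("!6s6sH", mac_to_bytes(dst), mac_to_bytes(src), ETHERTYPE_IPV4)
    body = header + payload
    if key is None:
        return body
    return body + hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class MacFilter:
    """What MAC filtering actually checks: is the plaintext source field on the list?"""

    def __init__(self, allowed: list[str]):
        self.allowed = {m.lower() for m in allowed}

    def admits(self, frame: bytes) -> bool:
        _, src, _ = parse_header(frame)
        return src in self.allowed


class KeyGate:
    """What a key-based check asks instead: was this frame produced by a key holder?"""

    def __init__(self, key: bytes):
        self.key = key

    def admits(self, frame: bytes) -> bool:
        if len(frame) < 14 + TAG_LEN:
            return False
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        return hmac.compare_digest(tag, expected)


def run_scenarios() -> dict[str, tuple[bool, bool]]:
    """(MacFilter verdict, KeyGate verdict) for three senders."""
    mac_filter = MacFilter([LAPTOP_MAC])
    key_gate = KeyGate(SHARED_KEY)
    payload = os.urandom(32)  # opaque bytes; neither check interprets the payload

    frames = {
        # The allow-listed laptop, which also holds the key.
        "laptop": build_frame(ROUTER_MAC, LAPTOP_MAC, payload, SHARED_KEY),
        # A device with its own address and no key.
        "stranger": build_frame(ROUTER_MAC, STRANGER_MAC, payload),
        # A device whose source field carries the laptop's address but has no key:
        # its header is byte-for-byte what the filter saw from the real laptop.
        "copied_address": build_frame(ROUTER_MAC, LAPTOP_MAC, payload),
    }
    return {name: (mac_filter.admits(f), key_gate.admits(f)) for name, f in frames.items()}


if __name__ == "__main__":
    for name, (by_mac, by_key) in run_scenarios().items():
        print(f"{name:15s} MAC filter: {'admit' if by_mac else 'reject':6s} "
              f"key check: {'admit' if by_key else 'reject'}")
```

The filter has exactly one input, a field any sender can fill in, so the third frame is indistinguishable from the first. The key check passes only the frame made with the key, which is why the recommendation above is to restrict access with WPA2 rather than with a list of addresses.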