I do hear about MAC address filtering from time to time. At first, it sounded kind of intriguing, but ultimately it turns out to be kind of like a cheap padlock: it only keeps honest people honest.
It’ll certainly keep the casual or accidental connection from happening, which is fine as far as that goes; but for true security, it’s actually pretty close to not having any at all.
I’ll explain why.
Become a Patron of Ask Leo! and go ad-free!
MAC address
A MAC, or “Media Access Control” address, is a theoretically unique identifier assigned to every network interface card (often referred to as a “NIC”, or network adapter).
Every ethernet port on your PC1, every wireless adapter, and even every Firewire or USB connection that might also be used for networking, is assigned a MAC address. And as I said, they are all supposed to be different – the ethernet port on my desktop machine has a different MAC address than the ethernet port on my laptop, which is different than the ethernet port on the server running in my basement.
Even two otherwise identical network adapters should have different MAC addresses.
MAC addresses are assigned at the hardware level. So, for example, if you move a network adapter from one machine to another, the MAC address moves with it.
MAC address usage
The MAC address uniquely identifies every machine, and in fact, every piece of equipment on your network. The MAC address is how packets of data identify which piece of networking equipment they need to be sent to next, as the packet makes its way to its final destination.
If you know the MAC address of every computer you want to allow to connect to your network, many routers – particularly wireless routers – allow you to restrict access to only those MAC addresses you specify. You collect the MAC addresses from all your laptops, for example (available via the “ipconfig /all” command in the Windows Command prompt) and then enter them into your router’s “allowed addresses” list, and you should be secure.
In theory.
How MAC address filtering fails
I’ve used “theoretically” and “in theory” a couple of times above, because there are some inconvenient facts that cause those theories and some assumptions to fall down.
- MAC address filtering does not encrypt. Restricting your wireless router’s access to certain MAC addresses does not prevent your data from being sniffed. If your data is unencrypted, that data remains visible to whoever might be in range.
- MAC addresses may not be unique. Many network interfaces now come with a default MAC address, but also allow you to manually configure a different MAC address. It’s easy, then, to configure two network adapters with the same MAC address.
- The MAC address itself is never encrypted. Even if you specify WPA2 encryption on your wireless connection, the MAC address itself is not encrypted. It can’t be, as it’s required to tell the computers involved which computer is supposed to receive the packet. Your data is encrypted, of course, but the MAC address is not.
So, let’s say a somewhat knowledgeable hacker is interested in accessing your WiFi hotspot, on which you have MAC address filtering turned on. He or she need only do two things:
- Sniff the network and look at the MAC addresses which are allowed access to the Wifi.
- Configure his network interface to use one of those MAC addresses.
He’s on, quickly and easily.
Use WPA2 for more effective security
In my opinion, unless you’re aware of the risks above and take them into account, MAC address filtering can actually be worse than having no security at all. It can give a false sense of security, which may lead you to ignore the additional steps that would give you true security.
My recommendation? Turn on WPA2 encryption, which will encrypt your data, keeping it safe from sniffing, and restrict access to the wireless network to those that have the key.
It’s a lot easier than tracking down all the MAC addresses for all your equipment.
Download (right-click, Save-As) (Duration: 5:25 — 2.6MB)
Subscribe: Apple Podcasts | Android | RSS
Jeffrey
It seems to me that people who try to avoid using security on thier network like the questioner, should be asked “would you leave your house front door unlocked and open if you were in the back yard not monitoring it?” Several places I have lived, first thing we did when walking into the house was closing and locking the door. This seems to me like setting up WPA…common sense and the first thing to do in a potentially unsecure situation.
billbahamas
I use WPA2 and mac filtering so you are saying I’m wasting my time with the mac filtering. I guess if they get by the WPA2 the mac filter would be no problem.
Matt JJ
However, Mac Address filtering, with WPA/WEP AND a hidden SSID provides significantly more security. This allows only those that are authenticated via each level to access the hidden network. You need to know what the SSSID is in order to hack it…
Tom R
A “hidden” SSID is easily hackable. Even if the wireless router isn’t broadcasting the SSID all the devices connected to that router are still broadcasting the SSID to get the router’s attention for service. A semi-competent attacker is quite able to capture these broadcasts. SSID “hiding” is almost useless. Adding MAC filtering and hidden SSID to WPA isn’t significantly more secure, it’s a waste of time. WEP is broken, not secure at all and must be avoided. Just stick with WPA and a complex passcode for adequate wireless security.
Ray
I agree with Tom above, hiding a ssid is a waste of time because there are tons of programs, free ones at that, with out digging around for hacking software that will easily give this up.
When it comes to mac filtering this is also a bit of a waste because you can just sit there with sniffing software to pick up the mac address then use spoofing software to make your mac look like a legit one.
You should only use a very tough to crack password for WPA2 only, try not to go with WPA because although harder to break than WEP it is not impossible, when it comes to choosing a password you should not choose anything that is easy to guess, I went to someone’s house today and the password was their fav football team, this is not secure at all, it needs to be 10+ characters at least with upper and lower and other things like full stops and other allowable characters to make it impossible to remember, this means that the hacker needs to do something like a brute force style attack which takes time, if it takes to long they may go elsewhere.
If you look online there are websites that tell you the quality of the password you have chosen.
Matt JJ
Further, I use MAC filtering as part of my method of cutting off network access when the kids are supposed to be off-line (like on a school night).
Peter B
Also worth looking up how Google Street view survey cars ‘accidentally’ picked up network names #SSIDs# plus some of the traffic #eg e-mails# over unencrypted networks while taking their photographs. So well worth securing any wireless network …
Tom R.
There is really no practical way to “hide” your network’s SSID, as some have suggested. You can certainly turn off “SSID broadcasting” on your router, but that’s only half the story. While your router will no longer be shouting, “Hey, tomsnetwork here!” any wireless devices authorized to connect to the router servicing tomsnework will be shouting, “Hey, tomsnetwork, you there?” The result is an easily discoverable network SSID. Ergo, turning off “SSID broadcasting” on your router accomplishes nothing other than a false sense of security.
karen
It is obviously that both WPA and mac address filtering can secure my wireless network. But does mac address filtering effective to disable the connection of other pc which uses ethernet cable?
Alain
In my opinion, MAC filtering is similar to a cheap padlock closing the trap over the real lock. Another analogy would be a 6″ high decorative border fence around your yard. It tells honest peoples that it’s private property and that they are asked not to come in uninvited.
To add to what Tom R. said, hiding your SSID is actualy prety bad, as the “Hey, tomsnetwork, you there?” is combined with “I’m Bill with the password xuknçvg xet hu576à2_7é895bvby6”
What’s the point in having an extremely strong pass phrase if you are to shout it everywhere?
Ray Smith
“In my opinion, MAC filtering is similar to a cheap padlock closing the trap over the real lock.” Yup, MAC filtering does nothing whatsoever to improve the security of a wireless home network. Realistically, if somebody has the knowledge and determination to be able to bypass your password/encryption, then they’ll absolutely have the knowledge and determination to be able to bypass MAC filtering. At best, it’d delay the intrusion by maybe 30 seconds or so.
It’s worth noting that WPA2 when used with a strong password/phrase cannot be broken and, consequently, it’s not necessary to put other security mechanisms in place – especially an extremely weak and inconvenient mechanism like MAC filtering.
“To add to what Tom R. said, hiding your SSID is actualy prety bad, as the “Hey, tomsnetwork, you there?” is combined with “I’m Bill with the password xuknçvg xet hu576à2_7é895bvby6”” – That’s not quite correct. Unlike client devices that are set to connect to a broadcast network, devices that are set to connect to a non-broadcast network (constantly) disclose the SSID of that network – the network password, however, is not disclosed by the client. That said, you’re absolutely right in saying that, from a security perspective, a broadcasting network is better than a non-broadcasting network. This is what Microsoft says on the matter (it refers to XP, but is still applicable to subsequent operating systems):
“A non-broadcast network is not undetectable. Non-broadcast networks are advertised in the probe requests sent out by wireless clients and in the responses to the probe requests sent by wireless APs. Unlike broadcast networks, wireless clients running Windows XP with Service Pack 2 or Windows Server® 2003 with Service Pack 1 that are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.”
And:
“For these reasons, it is highly recommended that you do not use non-broadcast wireless networks. Instead, configure your wireless networks as broadcast and use the authentication and encryption security features of your wireless network hardware and Windows to protect your wireless network, rather than relying on non-broadcast behavior.”
Chuck
Good point Ray to include Microsoft’s comments on the matter, especially “Unlike broadcast networks, wireless clients running Windows [XP, Server ****, 7, 8, 8.1, 10] [that] are configured to connect to non-broadcast networks are constantly disclosing the SSID of those networks, even when those networks are not in range.”
The problem here is someone taking their laptop out to a public place, and their machine is shouting out for their SSID. Anyone who wants to can monitor the shout outs, and when they get one, set up a Honeypot to pretend to be that SSID. Since that SSID is the preferred and trusted internet source, in short order they are surfing via the Honeypot, and the bad guy is capturing everything they send through.
I suppose if they only connect to and used encrypted sites and logins and data they might still be safe, but if they’ve already blown it using a “hidden” SSID, why should we assume they haven’t also messed something else and are completely (or largely) vulnerable to that man-in-the-middle Honeypot attack?
Tom R
@Alain – I never said the passphrase was included in the SSID broadcast, just the network identifier. If you’re using WPA, the passcode is encrypted for transmission to the router.
Shai Lasher
In order to know which MAC addresses can access your LAN, sniffing is not enough. You need to access the router and there you can see the list. If you have a good login on your router (User and password different from the default and password that’s a hard one to find out what it is), it is highly unlikely that anyone will be able to do that. The other thing is that some routers (I use TP-Link) have ability to restrict MAC addresses that can access the management of the router. I have 3 MACs that can access the router at all. I use no encryption on the network. There are 3 MACson the planet that can access my router and then they need my 44 characters password and my user ID (Which surprisingly isn’t admin or Admin 🙂 ).
On Access points that widen the range of my WiFi, besides them not doing the DHCP, I use that same security and a long and winding password for the WPA2-PSK. The main router has no encryption and no one can access or connect to my WiFi unless I allow it (And I have some 45 MACs permitted).
The main reason I go through such great trouble is that encryption and decryption of every packet of data will delay the transfer a bit and I want it to be as fast as possible.
Besides, I use “WhoIsOnMyWiFi” which tells me when something I did not authorize tries to connect. I tested it, but after the test, there never was any unauthorized access to my LAN.
In short, in my opinion and from my experience, if you know what and how, encrypt critical data on your computers and smartphones/pads, so they’ll be safe even if they fall into the wrong hands, but other than secondary access points or repeaters, there is no point encrypting the LAN packets if you have a good login on your router and are using management permissions on it and use MAC filtering only for the LAN (Just make sure when anyone you allow in has a new laptop/pad/smartphone, to get it and put it in the allowed list and take out the old MACs that are no longer in use by those you allow in).
(My humble opinion)
Ray Smith
“In order to know which MAC addresses can access your LAN, sniffing is not enough. You need to access the router and there you can see the list.” – That’s totally and completely incorrect.
“The main reason I go through such great trouble is that encryption and decryption of every packet of data will delay the transfer a bit. – Unless somebody is using hardware that’s a decade or more old, the loss performance loss will be minimal. Imperceptible, in fact.
“I use “WhoIsOnMyWiFi” which tells me when something I did not authorize tries to connect.” – Which is all well and good if you happen to be at home – and awake! – to take the necessary action. Otherwise, it’ll do nothing to keep people off your network.
Bottom line: WPA2 is a better and far more secure choice.
Nat
I used to use MAC address filtering. I don’t know how many minutes I wasted trying to add a device to my network and couldn’t get it working. Then I would remember that I had MAC address filtering on. I would have to dig up the MAC address of the new device, reconfigure the router and then try adding the device again. I think the only person inconvenienced by my MAC address filtering was me!
Ray Smith
Ha! Absolutely right. Realistically, a hacker could bypass MAC filtering in less time than it’d take you to log in to the router and create a new rule!
Mark Jacobs (Team Leo)
Probably the best argument yet. MAC filtering and not broadcasting the SSID would probably stop the vast majority of people getting into your network, as most of those are mooching neighbors or drive-by moochers who go for the low hanging fruit, but it’s so much simpler to use a strong WPA2 password and fugetaboutit. Not to mention that you just might be that one person in a thousand who is attacked by hacker.
jraju
Hi, SSID and pw are said to be a guard. Wp2 encryption is also not safe. I have configured my modem and after using some hours, i i changed the ssid and pw, and then saved the router settings.
this i had done in my laptop thro wifi connection.
Then closed the laptop. Boot the computer and i could not access the internet, saying so many things, like, i do not have a lan on a valid ip,modem is having connectivity issues, Dns server problem and whatnot.
I could not log in to the router page to configure again. I called the help desk, and they asked me to go to the router page. I said that is the problem. the help told to me to reset. OH, all was gone. My router was restored to factory default and i could not do anything.
Went to the technical person and he used some ipconfig commands, and accessed the router page and then again entered the usual settings manually to get the internet access.Now the problem is more, as the router pages are used commercially nowadays.
Ok, what is the cure to this. Buying a new modem, which when reset should be able to give internet access, rather than configuring again all over.
Leo would probably come with better suggestion. And i would request him to take the concerns of users . Normally port 80,23,and 21 are shown as vulnerability ports, which allows easy access to malicious programs and router hacks.