4 Reasons MAC Address Filtering Isn’t Enough For Network Security

MAC address filtering is often advertised as a security feature in most routers, allowing users to block network traffic or limit speed for specific devices. However, the truth is that MAC addresses were never designed for security purposes, and they are now considered ineffective for network security. Here are four key reasons why you should not rely on MAC addresses for network security and what you should use instead.

MAC Addresses Are Easily Spoofed

One clear reason why MAC addresses are an example of security theatre is that they can be easily spoofed. A MAC address is assigned by the manufacturer of the device’s network interface, meaning your computer may have different MAC addresses for Wi-Fi and Ethernet. These addresses are reported by the devices themselves and are selected from predefined pools.

Some Wi-Fi drivers, firmware, or operating systems may make changing or spoofing a MAC address difficult or even impossible. However, many readily available Wi-Fi cards allow users to easily modify their MAC address.

Any malicious attacker can obtain a device and modify the MAC address to match one that the network allows for connection. Now, you might wonder how they would know which MAC address to use. This brings us to the second reason why MAC addresses are insufficient for your network security.

Your MAC Address Isn’t Secret

Another crucial point to understand about MAC addresses is that they are not secret. Your MAC address is included in the Ethernet frame of network packets and is used to deliver traffic within the local network. Typically, this means your traffic flows from your device, identified by its MAC address, to the router, which has its own MAC address.

This is known as Layer 2 of the OSI model, commonly referred to as the Data Link Layer. This layer is responsible for physically guiding packets within the local network and is theoretically used to uniquely identify every device on the network. It encapsulates the IP layer, which handles traffic routing between networks through routers.

This might sound a bit complex, but the most important point is that just as an IP address is unencrypted within a packet, your MAC address is also present in an unencrypted part of your traffic. This means anyone observing your traffic can identify the MAC addresses of your devices. This is by design, as MAC addresses were never intended to be kept secret.

Most network adapters have firmware controls that ignore traffic not intended for them. However, you can easily purchase Wi-Fi and Ethernet adapters without these controls, allowing them to capture packets from all devices within the local area network.

Since MAC addresses are assigned from manufacturer-specific pools, it becomes easy to guess which device belongs to whom. For example, someone using an LG laptop in a corner of a coffee shop will have a MAC address assigned by LG. As a result, anyone can identify MAC addresses on your network, even if they are not connected to it.

MAC Address Filters Are A Pain

One more important practical reason not to rely on MAC address filtering for network security, apart from the security theatre, is that it is extremely difficult to manage.

In certain rare cases, using MAC address filtering can be helpful, such as keeping your children’s devices off the network until they learn to spoof their MAC address. However, you will soon realise that adding every new device to an allowlist is time-consuming and frustrating, especially in an age where smart devices and the internet are present in our homes. Finding the MAC address for each device can be challenging.

Eventually, you would need to keep a silly spreadsheet of every MAC address in your home, which would not only be tedious to maintain but also useless against anyone truly interested in attacking your network.

Unfortunately, many home routers don’t offer alternatives. Setting up parental controls on devices, using VLANs to limit access to the network, or choosing stronger passwords are better approaches.

In the end, you might have to work with the configurations provided by your router’s software.

Devices are Automatically Scrambling Their MAC Address

In the past, the points mentioned above were mostly academic. Sure, anyone could easily change their MAC address, but I don’t know if any hacker would care about it; after all, how could it cause harm? In recent years, however, this situation has changed, especially since private modes for Wi-Fi connections, which alter a device’s MAC address, have been introduced in most users’ settings.

This is supported by iOS and Android, although it can be turned off. You would need to ask everyone using your network to disable it. This could become an awkward conversation, especially with guests or family members staying with you for a week or so.
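Added example (not from the original article): a short Python sketch of the points made under "Your MAC Address Isn’t Secret" and in this section. It reads the unencrypted Ethernet header of a few frames and applies a MAC allowlist to each source address, flagging addresses whose locally administered bit is set, which is how Wi-Fi private address modes mark the addresses they generate. The frames, addresses, allowlist and function names are all constructed for illustration.

```python
import struct

def fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def parse_header(frame: bytes) -> dict:
    """Read the cleartext 14-byte Ethernet II header of a frame."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": fmt(dst), "src": fmt(src), "ethertype": ethertype}

def classify(mac: str) -> dict:
    """Decode the flag bits carried in the first octet of a MAC address."""
    first = int(mac.split(":")[0], 16)
    return {
        "oui": mac[:8],                              # manufacturer prefix
        "multicast": bool(first & 0x01),             # I/G bit
        "locally_administered": bool(first & 0x02),  # U/L bit: not from a vendor pool
    }

def audit(frames, allowlist):
    """Return (source MAC, OUI, verdict) for each frame, as a MAC filter sees it."""
    results = []
    for frame in frames:
        src = parse_header(frame)["src"]
        info = classify(src)
        if src in allowlist:
            # The filter matches the claimed address only; it cannot tell
            # the enrolled device from another one reporting the same value.
            verdict = "allowed"
        elif info["locally_administered"]:
            verdict = "blocked-randomized"  # likely a private-address mode
        else:
            verdict = "blocked-unknown"
        results.append((src, info["oui"], verdict))
    return results

# Constructed sample data: hypothetical router, allowlist and three clients.
ROUTER = "001122aabb01"
ALLOWLIST = {"00:11:22:33:44:55"}
FRAMES = [bytes.fromhex(ROUTER + src + "0800") + b"payload"
          for src in ("001122334455", "daa1197c3e90", "001122667788")]

if __name__ == "__main__":
    for row in audit(FRAMES, ALLOWLIST):
        print(*row)
```

The second client is a device the household may well own, yet the filter rejects it because its randomized address was never enrolled; the OUI of such an address says nothing about the manufacturer.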

MAC Address Filtering Can Have a Very Limited Place in Your Network Security

MAC address filtering is a great example of security theatre, but it can have some useful applications. If you have young children and want to prevent their devices from accessing the internet without having to hide your password carefully, it can be a good method. However, for most other uses, we would recommend using other methods to secure your network.

Ensuring that you’re using the strongest Wi-Fi encryption or protocol and setting a strong password can be a great start. It’s more likely that you’ll be affected by a malicious email, link, attachment, misconfiguration, or file download than by a direct physical attack on your network. Therefore, it’s important to stay updated on other best practices for securing your home network.
