Security Through MAC Filtering – Expectation Vs Reality

Knowing your device’s MAC credentials and details is fairly simple, particularly thanks to web-based MAC address lookup tools. Plus, sorting through the MAC addresses of connected devices is how your router keeps tabs on who is accessing a given network, thus providing a level of security… or does it?

While MAC filtering is an appealing feature that might offer some sense of security on paper, in reality, it’s not the most robust measure for keeping hackers at bay, and here’s why.

A Little Background

The networking devices that you use to browse the internet come with a factory-assigned media access control (MAC) address that should be unique to each device.

As you log into a network, the parent router reads this address and adds it to the list of all other approved devices. Only those devices with a recognizable address are allowed access to the local network.

This is MAC filtering in a nutshell, and it certainly sounds promising at first glance. What’s also impressive is that users can utilize the web interface option associated with their router to configure these security settings as they please.

The Harsh Reality

As a practical security measure, MAC filtering promises much more than it can actually deliver. For one thing, skilled hackers can be much more adept at acquiring your MAC information if they can get access to your network. MAC filtering is largely useless at preventing spoofing or man-in-the-middle attacks done using stolen MAC details.

In fairness, the principle behind MAC filtering is largely favorable for a network administrator to monitor another user’s activity through the router. This includes employees at an office, kids using the internet at home, or even patrons at a café with free Wi-Fi.

But for security purposes, this technique has some disadvantages that simply cannot be ignored.

A Waste of Time

Generally speaking, MAC filtering takes a great deal of time and should really only be done if you’re particularly invested in it for whatever reason. Enabling the filtering option in your router requires getting details of each and every device which, depending on how many people can use a single network, can become a hassle fast.

Again, if you’re really into administration, this might be worth your while. But for security purposes, you’re much better off with more specialized measures, not least because of the next issue with MAC filtering.

It’s Counterintuitive

Since MAC addresses are needed to bridge multiple devices in a local network connection, they are needed to share bits of information (known as packets) between devices.

If third parties can intercept these signals, they can see the details of each packet with the right tools or software. From that point, they can easily identify the MAC address of a logged-in device. That’s how they can steal someone’s network identity and use it for a number of nefarious purposes.

For instance, given that MAC filtering allows your router to only associate a given MAC address to a single device, detecting multiple devices with the same address (one of them assuming a stolen address) can hamper connectivity and affect your work.

Alternatively, attackers can trigger a denial of service (DoS) attack with your MAC identity by pretending that they’re operating an allowable device, forcing your router to disconnect your device instead of through the same protocol that was supposed to protect you.

Stick with Simpler Measures

Modern devices enjoy the benefit of Wi-Fi Protected Access (WPA) protocols which are designed to offer maximum security to connected devices through state-of-the-art encryption algorithms. This system is much better than relying solely on, or indeed at all, given what we’ve discussed earlier, on address filtering.

Of course, WPA encryption also isn’t foolproof. But it still offers a much more reinforced system, and it’s worth noting that even if someone does get through WPA security, MAC filtering will be easier to conquer and is not worth the effort.

What MIGHT be worth your while is to make sure that your WPA encryption remains largely impenetrable, and the best way to do that is to create a complex, difficult-to-guess but easy-to-remember password, and only disperse it among users that you trust.

Another fairly simple way to avoid MAC spoofing is to avoid servers that lack SSL encryption, known for the “https://” prefix that appears before their URLs. Web browsers like Chrome allow security features and warnings that you can enable while navigating potentially unsafe sites.

In Closing

MAC filtering is a nifty tool given what it allows you to do. But as a safety precaution, it’s more of a greeting to new devices rather than a bouncer-at-the-nightclub situation that some are led to believe.

Therefore, to protect your data and experience the best connectivity, stick with encryption and keep tabs on your network credentials through MAC address lookup, and you’ll be just fine.