MAC address filtering has long been included as a security feature in many consumer routers, letting users block traffic from, or limit speeds for, specific devices on their network by MAC address. However, MAC addresses were never designed as a security feature, and relying on them to protect a network has long been considered inadequate. Here are four reasons why you shouldn't use MAC addresses to protect your network security (and what you might want to use instead!)
4
MAC addresses are easily spoofed
An obvious reason to try something different
One key and apparent reason MAC address filtering is security theater is that addresses can easily be spoofed. A MAC address is assigned by the manufacturer of the network interface, using a three-octet prefix (the OUI) that the IEEE allocates to that manufacturer, which is why the Ethernet and Wi-Fi interfaces on the same PC have different addresses. But the device simply reports this address in the frames it sends; nothing on the network verifies it. Some Wi-Fi drivers, firmware, or operating systems make it awkward or impossible to override the built-in address, but most operating systems let you set an arbitrary address in software, and plenty of easily available Wi-Fi adapters support this without complaint.
Any malicious actor could easily acquire a device like this and change their MAC address to whatever they think your network needs to see in order to allow a connection. Now, you might think, how will they know which MAC address to use? That brings us to our second reason why MAC addresses aren’t enough for your network security.
3
Your MAC address isn’t secret
Anyone can easily determine which MAC address is yours
Another essential thing to understand about MAC addresses is that they're not secret. Your MAC address sits in the header of every Ethernet frame and is used to decide where a frame goes on your local network, or LAN. Typically, this means a frame travels from your device, with its MAC address, to your router, with its own MAC address. This is Layer 2 of the popular OSI model of networks, known as the data link layer, which is responsible for delivering frames within a local network and, in theory, for uniquely identifying each device on it. Frames at this layer carry the IP packets we're all more familiar with, and the IP layer is what routers use to direct traffic between networks.
All of this can be a bit complicated, but the critical thing to understand is that, like an IP address in a packet, your MAC address lives in an unencrypted part of your traffic. On a wired network the Ethernet header is never encrypted. On Wi-Fi, WPA2 and WPA3 encrypt the body of each frame, but the 802.11 header that carries the sender, receiver, and access point addresses is transmitted in the clear. This means that anyone who can see your traffic can identify the MAC addresses of your devices. This is by design; they are not supposed to be a secret!
Most network adapters normally discard frames that aren't addressed to them. Still, almost any Wi-Fi adapter can be put into monitor mode, in which it captures every frame transmitted on a channel by every device in range, without ever joining the network. (On a switched Ethernet network, promiscuous mode only shows you what the switch forwards to your port, so wired eavesdropping needs a more privileged position.) With the per-manufacturer allocation of MAC address prefixes described above, it's easy to guess which captured address belongs to which device by looking up the manufacturer: the person in the corner of a coffee shop with an LG laptop has an LG-assigned MAC address. The result is that anyone can identify the MAC addresses on your network without even being connected to it.
You might be wondering how devices learn each other's MAC addresses and find each other on a network. This is done via a protocol called ARP (Address Resolution Protocol): a device broadcasts "who has this IP address?" to the whole LAN, the owner replies with its MAC address, and both sides cache the answer. Because ARP requests are broadcast, they are yet another place where MAC-to-IP mappings are visible to everyone on the segment.
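As an added example that is not from the original article, the parser below pulls the MAC addresses out of a constructed Ethernet frame carrying an ARP request and out of a constructed 802.11 data frame whose Protected Frame bit is set, then maps each address to a manufacturer the way a passive observer would. The OUI table, every address, every IP, and every vendor name in it are placeholders, not real registry entries or real devices.

```python
"""Added example: where MAC addresses sit in Ethernet/ARP and 802.11 frames.
All frames, addresses and the OUI table below are constructed placeholders."""
import struct

# Stand-in for the IEEE OUI registry; prefixes and vendor names are made up.
OUI_TABLE = {
    "00:11:22": "ExampleLaptopCo",
    "00:aa:bb": "ExampleRouterCo",
}


def mac_str(raw: bytes) -> str:
    """Render six raw bytes as colon-separated lowercase hex."""
    return ":".join(f"{b:02x}" for b in raw)


def vendor(mac: str) -> str:
    """The first three octets (the OUI) identify the manufacturer."""
    return OUI_TABLE.get(mac[:8], "unknown")


def parse_ethernet(frame: bytes) -> dict:
    """Destination and source MACs are the first 12 bytes of every Ethernet frame, never encrypted."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return {"dst": mac_str(dst), "src": mac_str(src),
            "ethertype": ethertype, "payload": frame[14:]}


def parse_arp(payload: bytes) -> dict:
    """ARP for IPv4 over Ethernet (RFC 826): a 28-byte fixed layout."""
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not ARP for IPv4 over Ethernet")
    return {"op": {1: "request", 2: "reply"}.get(oper, str(oper)),
            "sender_mac": mac_str(sha), "sender_ip": ".".join(map(str, spa)),
            "target_mac": mac_str(tha), "target_ip": ".".join(map(str, tpa))}


def parse_dot11(frame: bytes) -> dict:
    """802.11 MAC header: frame control, duration, three addresses, sequence control.
    WPA2/WPA3 encrypt the body that follows; these 24 bytes stay in the clear."""
    fc0, fc1, _dur, a1, a2, a3, _seq = struct.unpack("<BBH6s6s6sH", frame[:24])
    ftype = (fc0 >> 2) & 0x3            # 0 mgmt, 1 ctrl, 2 data
    to_ds, from_ds = bool(fc1 & 0x01), bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)        # Protected Frame bit
    a1, a2, a3 = mac_str(a1), mac_str(a2), mac_str(a3)
    if to_ds and not from_ds:           # station -> AP
        bssid, sa, da = a1, a2, a3
    elif from_ds and not to_ds:         # AP -> station
        da, bssid, sa = a1, a2, a3
    else:                               # no DS; 4-address WDS frames not handled here
        da, sa, bssid = a1, a2, a3
    return {"type": {0: "mgmt", 1: "ctrl", 2: "data"}.get(ftype, "reserved"),
            "protected": protected, "sa": sa, "da": da, "bssid": bssid}


def inventory(frames) -> dict:
    """Map every source MAC seen in the clear to a vendor, as a passive observer would."""
    seen = {}
    for kind, frame in frames:
        if kind == "ethernet":
            eth = parse_ethernet(frame)
            seen[eth["src"]] = vendor(eth["src"])
            if eth["ethertype"] == 0x0806:   # ARP also carries the sender MAC in its body
                arp = parse_arp(eth["payload"])
                seen[arp["sender_mac"]] = vendor(arp["sender_mac"])
        elif kind == "dot11":
            hdr = parse_dot11(frame)
            seen[hdr["sa"]] = vendor(hdr["sa"])
    return seen


# Constructed sample traffic.
CLIENT = bytes.fromhex("001122334455")
ROUTER = bytes.fromhex("00aabbccddee")
BROADCAST = b"\xff" * 6

# Ethernet frame with an ARP request: "who has 192.168.1.1? tell 192.168.1.20".
ARP_FRAME = BROADCAST + CLIENT + b"\x08\x06" + struct.pack(
    "!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, 1,
    CLIENT, bytes([192, 168, 1, 20]), b"\x00" * 6, bytes([192, 168, 1, 1]))

# 802.11 data frame, To DS set, Protected Frame set; the body is opaque filler.
DOT11_FRAME = (bytes([0x08, 0x41]) + b"\x00\x00" + ROUTER + CLIENT + ROUTER
               + b"\x10\x00" + bytes(range(16)))

if __name__ == "__main__":
    for mac, maker in inventory([("ethernet", ARP_FRAME), ("dot11", DOT11_FRAME)]).items():
        print(mac, maker)
```

Note that parse_dot11 reports the frame as protected and still returns the station's address: encryption covers the payload, not the header. A real capture would feed frames from a monitor-mode interface into the same functions.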
2
MAC address filters are a pain
We’re a long way away from 2005
Security theater aside, another reason we wouldn't recommend relying on MAC address filtering for your network security is more practical: filters are a complete pain to administer. There are some valid uses for a MAC address filter, such as keeping your kids' devices off a network (until they also figure out how to spoof their MAC address). Still, you'll quickly find that adding every new device to an allow list is time-consuming and a hassle. Especially in an age of smart devices and Internet of Things appliances in our homes, locating each device's MAC address can be non-trivial. Inevitably, you'll end up with a silly spreadsheet of every MAC address in your household, which is not only a pain but also ineffective against anyone seriously interested in attacking your network.
Unfortunately, many home routers don't offer an alternative. If you have the option, setting up parental controls on the device for young kids, using VLANs or a separate guest network to limit what each device can reach, or moving to a stronger passphrase (or an alternative authentication method such as WPA2/WPA3-Enterprise with per-user credentials) would be a better approach. Ultimately, though, you might need to work with what your router software provides.
1
Devices are automatically randomizing their MAC address
New iPhones might cause you problems immediately
Now, in the past, the above points would have been more academic issues. Sure, someone can spoof their MAC address easily, but I don't know any hackers who would care. Surely it can't do any harm? In recent years that has changed, as more and more consumer devices have introduced "private" or random hardware address modes for Wi-Fi, which generate a different MAC address per network (and, on some settings, rotate it over time) to prevent tracking of a device's usage or movement across networks.
This is supported by iOS, Android, Windows, and macOS, and on modern phones it is on by default. It can be disabled per network, but you'll need to ask everyone using your network to do so, and every device they bring will otherwise show up with an address that isn't on your list. This might quickly become a tricky conversation to navigate with guests or family members staying for a weekend.
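The following is an added example, not code from the original article, that models what a router's allowlist actually does: a string comparison with no proof that the sender owns the address. It normalizes the address formats people paste into router pages, flags randomized addresses by the locally-administered (U/L) bit in the first octet, which the random per-network addresses that iOS and Android generate set, and applies a constructed allowlist to a constructed set of observed clients. All addresses and device labels are made up.

```python
"""Added example: evaluating a MAC allowlist against observed clients.
The allowlist and observations are constructed; no real devices."""
import re


def normalize_mac(text: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff; return lowercase colon form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", text)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2)).lower()


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet is the U/L bit. Manufacturer-assigned addresses clear it;
    the per-network random addresses that iOS and Android generate set it."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def evaluate_filter(allowlist, observations):
    """Apply an allowlist the way a router does: a string match, no proof of identity.
    observations are (label, mac, is_legitimate) tuples; the label and flag exist only
    so the outcome can be scored, the router never sees them."""
    allowed = {normalize_mac(m) for m in allowlist}
    decisions = []
    for label, mac, legitimate in observations:
        m = normalize_mac(mac)
        if m in allowed:
            admitted, reason = True, "listed; the router cannot tell a clone from the real device"
        elif is_locally_administered(m):
            admitted, reason = False, "unlisted random (U/L bit set) address, probably a real phone"
        else:
            admitted, reason = False, "unlisted manufacturer-assigned address"
        decisions.append({"device": label, "mac": m, "legitimate": legitimate,
                          "admitted": admitted, "reason": reason})
    return decisions


def summarize(decisions):
    """Count the two ways the filter fails: attackers let in and family/guests kept out."""
    return {
        "attackers_admitted": sum(1 for d in decisions if d["admitted"] and not d["legitimate"]),
        "legitimate_blocked": sum(1 for d in decisions if not d["admitted"] and d["legitimate"]),
    }


ALLOWLIST = ["00:11:22:33:44:55", "00-11-22-66-77-88"]          # constructed
OBSERVED = [                                                     # constructed
    ("family laptop", "00:11:22:33:44:55", True),
    ("family phone with private address on", "5e:2f:9a:11:22:33", True),
    ("attacker cloning the laptop's address", "0011.2233.4455", False),
    ("weekend guest's tablet", "00:11:22:99:aa:bb", True),
]

if __name__ == "__main__":
    results = evaluate_filter(ALLOWLIST, OBSERVED)
    for d in results:
        print("ALLOW" if d["admitted"] else "BLOCK", d["mac"], d["device"], "-", d["reason"])
    print(summarize(results))
```

The U/L-bit check is the one piece of this that is useful on a real network: a router or monitoring tool can use it to tell "unknown device" from "known device with a randomized address" before anyone starts hunting through a spreadsheet.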
MAC address filtering can have a very limited place in your network security
MAC address filtering is a textbook example of security theater, but it does have some uses. If you've got young kids and want to make sure their devices can't get online without worrying about keeping your password a big secret, it can be a reasonable way to do that. For most other purposes, we'd suggest other means of securing your network. Using the strongest Wi-Fi encryption standard your devices support, together with a strong passphrase, is a great start. In reality, you're far more likely to be compromised by a malicious email link, attachment, misconfiguration, or file download than by a direct, physically present attack on your network, so make sure you're up to date on the other best practices for home cybersecurity.
source: https://www.xda-developers.com/reasons-mac-address-filtering-isnt-enough-network-security/