MAC address filtering is one of those controversial features that some people swear by while others say it’s a complete waste of time and resources. So which one is it? In my opinion, it’s both, depending on what you’re trying to achieve by using it.
Unfortunately, this feature is marketed as a security enhancement that you can use if you are tech savvy and willing to put in the effort. The fact is that it doesn’t provide any extra security and can actually make your Wi-Fi network less secure! Don’t worry, I’ll explain more about that below.
However, it is not completely useless. There are some legitimate cases where you can use MAC address filtering on your network, but it doesn’t add any extra security. Instead, it’s more of a management tool that you can use to control whether or not your kids can access the Internet at certain times of the day, or to manually add devices to your network so that you can monitor them.
Why It Doesn’t Make Your Network More Secure
The main reason it doesn’t make your network more secure is that it’s really easy to spoof a MAC address. A network hacker, who can literally be anyone because the tools are so easy to use, can easily find out the MAC addresses on your network and then spoof one of those addresses on their computer.
So, you may be wondering, how can they get your MAC address if they can’t connect to your network? Well, that’s an inherent weakness of Wi-Fi. Even with a WPA2-encrypted network, the MAC addresses on those packets are not encrypted. This means that anyone with network sniffing software installed and a wireless card within range of your network can easily grab all the MAC addresses communicating with your router.
They can’t see the data or anything like that, but they don’t really need to break the encryption to access your network. Why? Since they now have your MAC address, they can spoof it and then send special packets to your router called disassociation packets that will disconnect your device from the wireless network.
Then the hacker’s device tries to connect to the router and is accepted because it now uses your valid MAC address. This is why I said earlier that this feature can make your network less secure, because now the hacker doesn’t have to bother to crack your WPA2-encrypted password at all! They just have to pretend to be a trusted computer.
Again, this can be done by someone who has little to no knowledge of computers. If you just Google hacking WiFi with Kali Linux, you’ll get tons of tutorials on how to hack your neighbor’s WiFi in just a few minutes. Do those tools always work?
The best way to stay safe
Those tools work, but not if you use WPA2 encryption along with a fairly long Wi-Fi password. It is very important that you do not use a simple and short WiFi password because all a hacker does when using these tools is a brute force attack.
With a brute force attack, they will capture the encrypted password and try to crack it using the fastest machine and largest dictionary of passwords they can find. If your password is secure, it can take years to crack the password. Always try to use WPA2 only with AES. You should avoid the WPA [TKIP] + WPA2 [AES] option because it is much less secure.
However, if you have MAC address filtering enabled, the hacker can bypass all that trouble and simply grab your MAC address, fake it, disconnect you or any other device on your network from the router and connect freely. Once inside, they can do all sorts of damage and gain access to everything on your network.
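If you do keep a MAC allow list, the disconnect-then-reconnect pattern described above is something you can watch for. The following is an added example, not part of the original article: it scans association events and flags an allowed MAC that rejoins right after being dropped but looks like a different device. The log format, field names and thresholds are assumptions made for illustration, not any real router's output.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a made-up format (not a real router's syslog).
SAMPLE_LOG = """\
2024-05-01T20:14:02 assoc mac=a4:5e:60:11:22:33 rssi=-48 host=living-room-tv
2024-05-01T20:15:10 assoc mac=3c:22:fb:aa:bb:cc rssi=-55 host=kids-tablet
2024-05-01T21:02:41 disassoc mac=3c:22:fb:aa:bb:cc
2024-05-01T21:02:44 assoc mac=3c:22:fb:aa:bb:cc rssi=-81 host=laptop-x
2024-05-01T22:30:00 disassoc mac=a4:5e:60:11:22:33
2024-05-01T22:30:05 assoc mac=a4:5e:60:11:22:33 rssi=-50 host=living-room-tv
"""

LINE = re.compile(
    r"(\S+) (assoc|disassoc) mac=([0-9a-f:]{17})(?: rssi=(-?\d+) host=(\S+))?")

def find_suspect_rejoins(log_text, window=timedelta(seconds=30), rssi_jump=20):
    """Return (timestamp, mac, reasons) for rejoins where the client looks different."""
    last_seen = {}    # mac -> (rssi, host) from its most recent association
    dropped_at = {}   # mac -> time of its most recent disassociation
    alerts = []
    for line in log_text.splitlines():
        m = LINE.fullmatch(line.strip())
        if not m:
            continue  # skip lines that are not in the assumed format
        ts, event, mac = datetime.fromisoformat(m[1]), m[2], m[3]
        if event == "disassoc":
            dropped_at[mac] = ts
            continue
        if m[4] is None:
            continue  # association line without signal/hostname details
        rssi, host = int(m[4]), m[5]
        reasons = []
        # Only compare when the same MAC was dropped moments before rejoining.
        if mac in last_seen and mac in dropped_at and ts - dropped_at[mac] <= window:
            old_rssi, old_host = last_seen[mac]
            if host != old_host:
                reasons.append(f"hostname {old_host} -> {host}")
            if abs(rssi - old_rssi) >= rssi_jump:
                reasons.append(f"rssi {old_rssi} -> {rssi}")
        if reasons:
            alerts.append((m[1], mac, reasons))
        last_seen[mac] = (rssi, host)
        dropped_at.pop(mac, None)
    return alerts

if __name__ == "__main__":
    for ts, mac, reasons in find_suspect_rejoins(SAMPLE_LOG):
        print(ts, mac, "; ".join(reasons))
```

A hostname or signal change on its own can be innocent (a renamed device, a phone carried to another room), so treat a hit as a prompt to check which device is really holding that address.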
Other solutions to the problem
But some people will still say that controlling who can get on my network is so useful, especially since not everyone knows how to use the tools I mentioned above. OK, that’s a point, but a better solution to monitor outsiders who want to connect to your network is to use a guest Wi-Fi network.
Virtually all modern routers have a guest Wi-Fi feature that allows you to let others connect to your network, but not let them see anything on your home network. If your router doesn’t support it, you can just buy a cheap router and associate it with your network with a separate password and IP address range.
It’s also worth noting that other WiFi security tweaks like disabling SSID broadcast will also make your network LESS secure, not more secure. Another one that people have told me they are trying is to use static IP addressing. Again, as long as a hacker can figure out your network IP range, they can use any address in that range on their machine as well, regardless of whether you assigned that IP address or not.
Hopefully this gives you a clear idea of what to use MAC address filtering for and what your expectations should be. If you think otherwise, let us know in the comments. Enjoy!