
For the sake of context, let's say I set up my home router with WPA2, a strong passphrase and I whitelisted all of my devices.

I know the data is encrypted, but is the layer 2 header encrypted as well? Ultimately, is it possible for someone not connected to my Wi-Fi to extract a MAC address and spoof as it in order to get their hands on some free internet (or worse)?

Lutefisk
  • Many home routers have hidden vulnerabilities that hackers can use to bypass your security. Many times the manufacturer either doesn't patch it, or if they do the consumer doesn't know it exists, or how to do it, so the equipment remains vulnerable. – cybernard Jul 07 '16 at 01:09
  • One vulnerability that is quite popular is with WPS. This magic pure piece of monkey junk is meant for easy client configuration on encrypted wifi access. The problem is that most of the time the implementation is made with a software button that can be remotely abused. With that you need to brute force a string made of say 8 numbers. Given a cheap laptop and maybe 14 hours of time you could get the magic number, log on to the network and do what you have to. – happy Sep 05 '16 at 01:29
  • And I forgot to mention, but then all that is required is to kick out everyone using a kickout session, and afterwards to sniff everyone's MAC address. – happy Sep 05 '16 at 01:31
  • @happy the WPS bugs are almost dead, unless you are lucky. To exploit this now, you need to constantly shift link layer address in response to lockouts. There are tools that do this, but no guarantees. – user400344 Dec 04 '16 at 01:50

2 Answers


MAC Whitelisting as well as Blacklisting are pretty much useless for security. Your strong WPA/2 passphrase however is great (if WPS isn't enabled).

As kub0x said, the Layer 2 info isn't encrypted. MAC addresses are fully visible: if you have a laptop or a Wi-Fi card, install a Linux distro (or run one in a VM) and fire up the aircrack suite. With Airodump-ng, you can see the MAC addresses of WAPs and the MAC addresses of the clients. MAC spoofing is easy, so an attacker could definitely spoof the unencrypted MAC.

As for free internet, I'd say no. While they would masquerade as a whitelisted MAC address, they still wouldn't be able to decrypt the payload sent to them. Your strong passphrase has already encrypted the useful part of the data. Before they can get free wifi, they have to be able to send properly encrypted data to the WAP which it would decrypt. If it decrypts to gibberish (which it would if improperly encrypted, or not at all encrypted), it won't go anywhere. Further, in order for them to receive data from the router, and further the internet, they would have to decrypt those encrypted packets. Again, they wouldn't go anywhere.

The only chance they have of getting free internet with a MAC whitelist enabled is the same as if you had no whitelist enabled: they have to have your passphrase, or break in another way (WPS and Reaver).

The only thing MAC Black/Whitelisting does is prevent accidental connections to your WAP. Aside from that, I believe the listing does nothing.

Bottom line: you're still safe, but possibly not for the reasons you think.

  • The best way to prevent accidental connections to the AP is to have a unique SSID. And due to how the encryption works there is also a small security benefit from having a unique SSID. – kasperd Jan 03 '17 at 07:52
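Added example, not code from either answer or from any project: a toy model of the two checks this answer describes, in the order an access point applies them. The MAC filter is evaluated on a field anyone in radio range can read, while the integrity check on the encrypted body only passes for a sender who holds the key. Assumptions: the cipher here (an HMAC-SHA256 keystream plus an HMAC tag) stands in for CCMP so the example runs on the standard library alone; the PBKDF2 step mirrors how WPA2-PSK derives the PMK from the passphrase and SSID, but everything after it is illustrative; all addresses and passphrases are made up.

```python
import hashlib
import hmac
import secrets

# Toy model of an access point's admission checks. The encryption construction
# is a stand-in for CCMP (not the real thing); only the PBKDF2 step matches WPA2-PSK.

NONCE_LEN = 12
TAG_LEN = 8


def derive_key(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK derives the PMK with PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32).
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Illustrative keystream: HMAC over (nonce || counter). Not CCMP.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def build_frame(key: bytes, src_mac: bytes, dst_mac: bytes, body: bytes) -> bytes:
    """Cleartext header (src, dst) + nonce + encrypted body + integrity tag over all of it."""
    nonce = secrets.token_bytes(NONCE_LEN)
    enc = bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body))))
    header = src_mac + dst_mac  # readable by anyone in range, like a real 802.11 header
    tag = hmac.new(key, header + nonce + enc, hashlib.sha256).digest()[:TAG_LEN]
    return header + nonce + enc + tag


class AccessPoint:
    def __init__(self, key: bytes, whitelist: set):
        self.key = key
        self.whitelist = whitelist

    def receive(self, frame: bytes) -> tuple:
        src = frame[:6]
        nonce = frame[12:12 + NONCE_LEN]
        enc, tag = frame[12 + NONCE_LEN:-TAG_LEN], frame[-TAG_LEN:]
        # Check 1: the MAC whitelist, decided on a cleartext field.
        if src not in self.whitelist:
            return ("dropped", "source MAC not in whitelist")
        # Check 2: the integrity tag, which only a holder of the key can produce.
        expected = hmac.new(self.key, frame[:-TAG_LEN], hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(expected, tag):
            return ("dropped", "integrity check failed")
        body = bytes(a ^ b for a, b in zip(enc, _keystream(self.key, nonce, len(enc))))
        return ("forwarded", body)


# Constructed scenario: made-up SSID, passphrases and locally-administered addresses.
SSID = "HomeNet"
GOOD_KEY = derive_key("correct horse battery staple", SSID)
WRONG_KEY = derive_key("guessed passphrase", SSID)
LAPTOP = bytes.fromhex("06aabbccddee")   # the whitelisted client
UNKNOWN = bytes.fromhex("06ffeeddccbb")  # a device not on the list
GATEWAY = bytes.fromhex("021122334455")


def run_scenario() -> dict:
    ap = AccessPoint(GOOD_KEY, {LAPTOP})
    request = b"GET / HTTP/1.1"
    return {
        # The real client: passes the whitelist, passes the integrity check.
        "legit_client": ap.receive(build_frame(GOOD_KEY, LAPTOP, GATEWAY, request)),
        # Someone who copied the laptop's MAC off the air but lacks the passphrase:
        # the whitelist lets the frame through, the integrity check rejects it.
        "copied_mac_no_key": ap.receive(build_frame(WRONG_KEY, LAPTOP, GATEWAY, request)),
        # A device that simply isn't listed: this is the only case the whitelist itself decides.
        "unknown_mac": ap.receive(build_frame(GOOD_KEY, UNKNOWN, GATEWAY, request)),
    }


if __name__ == "__main__":
    for name, (verdict, detail) in run_scenario().items():
        print(f"{name:20s} {verdict:10s} {detail!r}")
```

The middle case is the one the answer is about: the whitelist is satisfied by a copied address, and what actually stops the frame is the key-dependent check on the body.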

The Ethernet Layer or Layer 2 is not encrypted, since it's needed in order to deliver the packets using the media access. Take a closer look at: Encrypting layers of OSI

WPA2-PSK doesn't completely encrypt layer 2 information. Management frames are unencrypted (except in cases where management frame protection is implemented).

As you can see, only upper layers are encrypted, where you can determine the packet size also.

Your second concern also is answered in the same post:

MAC addresses of all communicating parties can also be observed, which somewhat helps to analyze communication flows and gain general information on the network

kub0x
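Added example, not from this answer, the one above, or the linked post: a parser for the cleartext part of an 802.11 MAC header, run over a beacon (a management frame) and a CCMP-protected data frame, to show concretely which fields are readable on the air in each case. The two sample frames are constructed by hand with made-up locally-administered addresses; the field layout follows the standard 802.11 frame control / address fields and the 8-byte CCMP header.

```python
import struct

# Minimal 802.11 header parser. Only the fields that are always in cleartext are decoded;
# for a protected data frame the body after the CCMP header is treated as opaque.

TYPE_NAMES = {0: "management", 1: "control", 2: "data"}
MGMT_SUBTYPES = {0: "association request", 1: "association response",
                 4: "probe request", 5: "probe response", 8: "beacon",
                 10: "disassociation", 11: "authentication", 12: "deauthentication"}


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_ssid(tagged: bytes):
    """Walk the tagged elements of a beacon body and return the SSID (element ID 0)."""
    i = 0
    while i + 2 <= len(tagged):
        tag, length = tagged[i], tagged[i + 1]
        if tag == 0:
            return tagged[i + 2:i + 2 + length].decode("utf-8", "replace")
        i += 2 + length
    return None


def parse_80211(frame: bytes) -> dict:
    fc0, fc1, _duration = struct.unpack_from("<BBH", frame, 0)
    ftype = (fc0 >> 2) & 0x3          # frame control byte 0: version, type, subtype
    subtype = (fc0 >> 4) & 0xF
    to_ds = bool(fc1 & 0x01)          # frame control byte 1: flag bits
    from_ds = bool(fc1 & 0x02)
    protected = bool(fc1 & 0x40)      # the "Protected Frame" bit
    seq_ctrl = struct.unpack_from("<H", frame, 22)[0]
    info = {
        "type": TYPE_NAMES.get(ftype, "reserved"),
        "subtype": subtype,
        "to_ds": to_ds, "from_ds": from_ds, "protected": protected,
        "addr1": mac_str(frame[4:10]),
        "addr2": mac_str(frame[10:16]),
        "addr3": mac_str(frame[16:22]),
        "seq": seq_ctrl >> 4, "frag": seq_ctrl & 0xF,
    }
    offset = 24
    if ftype == 2 and to_ds and from_ds:      # WDS frames carry a fourth address
        info["addr4"] = mac_str(frame[24:30])
        offset += 6
    if ftype == 2 and subtype & 0x8:          # QoS data subtypes add a 2-byte QoS control field
        offset += 2
    if ftype == 0:
        info["subtype_name"] = MGMT_SUBTYPES.get(subtype, "other")
        if subtype == 8:
            # Beacon body: timestamp(8) + interval(2) + capabilities(2), then tagged elements.
            info["ssid"] = parse_ssid(frame[offset + 12:])
    elif ftype == 2 and protected:
        # CCMP header: PN0 PN1 reserved KeyID/ExtIV PN2 PN3 PN4 PN5
        h = frame[offset:offset + 8]
        info["key_id"] = (h[3] >> 6) & 0x3
        info["ext_iv"] = bool(h[3] & 0x20)
        info["pn"] = int.from_bytes(bytes([h[7], h[6], h[5], h[4], h[1], h[0]]), "big")
        info["ciphertext_len"] = len(frame) - offset - 8 - 8   # minus CCMP header and 8-byte MIC
    return info


# Constructed sample frames (made-up addresses; not captured from any network).
BSSID = bytes.fromhex("021122334455")
CLIENT = bytes.fromhex("06aabbccddee")
DEST = bytes.fromhex("0a0b0c0d0e0f")
BROADCAST = b"\xff" * 6

# Beacon: type management, subtype 8, no flags; body advertises SSID "HomeNet".
BEACON = (bytes([0x80, 0x00]) + b"\x00\x00" + BROADCAST + BSSID + BSSID + b"\x10\x00"
          + b"\x00" * 8 + b"\x64\x00" + b"\x11\x04" + bytes([0, 7]) + b"HomeNet")

# Data frame client -> AP: ToDS=1 and Protected=1, CCMP header (PN=1, ExtIV, KeyID 0),
# 16 opaque body bytes and an 8-byte MIC. The body bytes are placeholders, not real ciphertext.
CCMP_HDR = bytes([0x01, 0x00, 0x00, 0x20, 0x00, 0x00, 0x00, 0x00])
DATA = (bytes([0x08, 0x41]) + b"\x2c\x00" + BSSID + CLIENT + DEST + b"\x20\x00"
        + CCMP_HDR + bytes(range(16)) + b"\x00" * 8)


if __name__ == "__main__":
    for label, frame in (("beacon", BEACON), ("protected data", DATA)):
        print(label, parse_80211(frame))
```

Both frames yield the same kind of information from the first 24 bytes: type, flags and three MAC addresses. The beacon additionally exposes its whole body (here the SSID), whereas the data frame exposes only the CCMP header fields (key ID, packet number) and the length of the body, which is exactly what the quoted text means by "only upper layers are encrypted, where you can determine the packet size also".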