Are MAC Address Filtering and SSID Hiding still worthwhile?

Question

On a recent certification exam, I was presented with a question about ways to secure an 802.11 wireless network. It was a multiple-answer question, but the only two available answers that related at all to security were addressing SSID Hiding and MAC Address Filtering.

Fortunately, this particular certification was neither wireless- nor security-focused.

I'm aware that these two should definitely not be your only means of securing your wireless network, but are they still really considered worth implementing on top of more sturdy authentication and encryption mechanisms?

Answer 1

They're stumbling blocks, but not insurmountable. SSID hiding can provide some protection from people looking for any SSID they can get their hands on, and MAC filtering can keep casual riffraff out. As the only methods of protecting a WLAN they're pretty weak.

For someone who targets your network specifically, encryption (especially unbroken encryption) will provide vastly better security. MAC spoofing is trivial in most adapters these days, and after you've cracked the network to the point you can monitor in-flight packets, you can get a list of valid MAC addresses. SSID is trivial at that point as well. Due to the automated nature of the toolsets available, MAC filtering and SSID hiding aren't really worth the effort any more. In my opinion.

Answer 2

No, neither of these are worthwhile measures against an attacker. Unless you have an easy to guess password you need to assume anyone who might realistically try to gain access to your network has software to help or a little knowledge of how to get around such techniques.

SSID hiding doesn't improve security since it is trivial to identify the SSID of a network that's in use (download and run inSSIDer for instance), and in fact it can compromise the security of wireless clients that are configured to connect to hidden SSID networks. From a Microsoft TechNet article:

using non-broadcast networks compromises the privacy of the wireless network configuration of a…wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks…it is highly recommended that you do not use non-broadcast wireless networks.

MAC address filtering doesn't improve security since network traffic includes the unencrypted MAC address of active network devices. This means anyone can find out a MAC address that's on the allowed list and then use easily available software to spoof their MAC address.

Authentication and encryption are the only reasonable ways to secure your wireless network. For a home network that means using WPA2-PSK security with a strong password and an SSID that's not on the list of the 1000 most common SSIDs.

MAC address filtering perhaps provides one benefit: controlling access for non-malicious users. Once you've given someone your WiFi password you have no control over who they give the password to: they can easily tell their friends, perhaps after forgetting that they shouldn't. MAC address filtering means you have central control over which devices belonging to non-hackers can connect.

So if you're worried about someone hacking into your network, forget SSID hiding and MAC address filtering. If you don't want your friends' friends to connect, MAC address filtering might help…although it'd be less hassle to ask your friends not to pass on the password or just enter the WiFi password for them on any devices.

Answer 3

Kismet and other completely passive rfmon scanners have been around for a long, long time. Unless it's on a home wifi network that you never share with guests and seldom add devices to, the marginal increase in security you get from those two actions isn't worth the marginal increase in inconvenience.

Answer 4

As others have answered, MAC filtering and SSID hiding don't help against an active attacker.

But, they may be worthwhile for some degree of protection from untrusted devices used by mostly-trusted people. I'll explain with a hypothetical situation:

Say you have a router at home (or in a business) configured for a separate "guest network". Many home routers make this setting easily available, often using a WPA key for the primary "home" network, but providing a captive portal for the guest network.

It can be much more convenient (and is definitely more secure) to use the primary network, so your family naturally uses that. But being the tech geek you are, you've been certain to secure all the devices on your home network, keeping them fully patched with up-to-date antivirus, firewalls, etc.

Now, while you're at work, your teenager's friend comes over to hang out at the house, and she brings her laptop with her. She wants the wifi password. You want her to use the guest network, because who knows what's on that laptop?

Your teenager could just give out the primary wifi password, but you've configured MAC address filtering. So instead, she gives out the password to the guest network because it would be a pain to try getting her friend's laptop on the home network, even if she had the router admin password. They grumble about needing to reconnect every time she comes over, but the untrusted laptop stays off your trusted network.

Answer 5

As a security device, SSID hiding doesn't do much because in order to connect to the hidden network the client will broadcast the SSID instead of the access point broadcasting it, so by passively monitoring for a little while you can pick up what the SSID is anyway. MAC locking is also not much good for security. If you are passively monitoring you will see what MACs successfully connect and can spoof one of them and connect yourself. These are features that can be of moderate help when combined with other methods, but the management effort is not worth the benefit, and it would be much better to spend the effort on enterprise WPA2. Hidden SSIDs can be useful for the non-security use of reducing confusion when you have business networks and public access networks in the same building/area. If you hide the non-public networks customers/guests looking to connect to your public access network will not be as easily confused.

Answer 6

Some might say that those measures are marginal or useless, and to some degree they are correct. However, network management is a step towards better security. For instance, MAC filtering requires you to find and list every device on your network. At home this isn't a big deal, since most people have less than twenty to thirty devices.

So, imagine that you have DHCP disabled, static addressing on all five devices you may have. For instance, a Laptop, a PlayStation, Two Cell Phones, and a Tablet. (Typical for a small family.)

That's not many devices. So let's now imagine that you've really upset a hacker, and he's targeting you, trying to find something juicy. He's social engineered his way to finding your WPA2 password. Now he just needs to spoof your MAC address and choose an available IP.

So... scenario 1: He decides to spoof your laptop. He spoofs your MAC and uses the same IP. This works for the hacker for about thirty minutes. Then you decide you want to watch Netflix. You open your laptop and you either A: Can't connect, or B: Windows tells you there is an IP conflict. (Which it will). Guess what? You just realized something is going on that shouldn't. The Hacker (because it's WiFi), better be using a Yagi antenna from a quarter mile away, because he's been caught. You win. Because you manage your network, you'll know if someone makes a configuration change or if one of your devices begins having connection problems.

Long story short, it may not keep him out. But it will make it harder to hide.