23

I just bought a Galaxy S4, and it didn't connect to the WIFI in my house (I have a 14$ router). After a bit of testing, I've decided to leave my connection open without a password, but added the devices manually to the whitelisted MAC addresses.

  • Is that safer than having a regular password, that can be broken with brute force, or another technique?

  • Is there any other solution that I can try for connecting my cellphone to the router?

The errors I got were "getting IP Address", and after that "error: connection too slow....". I have a good connection.

TildalWave
jcho360
    MAC address filtering is definitely not a replacement for a good strong WPA2 password. See here: http://security.stackexchange.com/a/15188/12 – Xander May 30 '13 at 12:36

4 Answers

41

MAC filtering is not a part of the 802.11 spec, and is instead shoved into wireless routers by (most) vendors. The reason why it's not a part of the 802.11 spec is because it provides no true security (via Kerckhoffs's principle).

In order for wireless to work, MAC addresses are exchanged in plaintext (Regardless of whether you're using WEP, WPA, WPA2, or an OPEN AP). For encrypted wireless, the MAC address is either a part of the initial handshake (used to derive the session key), and/or exposed during pre-encryption communications. In addition to all of these reasons, MAC filtering is also much more of a pain in the butt to upkeep than instituting something like WPA2-PSK.

Simply put, MAC filtering is not something that needs to be "cracked." In open networks, people simply only need to sniff the air and they will be able to see what devices are working, and then they can use one of many, many extremely simple tools to change their MAC address. In encrypted networks, they will need to sniff and grab a new handshake (which can easily be forced via a deauth attack). From there, they have access to your network.

My suggestion is to use WPA2-PSK with a strong key for personal networks or WPA2-Enterprise with a strong EAP mode (PEAP or TLS) for enterprise networks. The main difference between the two of these, aside from the method of authentication and authorization, is that with WPA2-PSK, if someone knows the PSK and can capture the handshake of a user, they can decrypt their stream. That is not possible with WPA2-Enterprise, because it uses EAP, which has a different encryption key per individual via the EAP mode. This is important because you wouldn't want just anybody with access to the network to be able to decrypt the CEO's wireless communications.

It is also important to note that with WPA2-PSK, your ESSID does play a part in the security of your network because of the following:

DK = PBKDF2(HMAC-SHA1, passphrase, essid, 4096, 256)

Essentially, WPA2-PSK uses your ESSID as the salt when running PBKDF2. For this reason, you should also attempt to keep your ESSID unique, to avoid attacks using rainbow tables.

In summation
- MAC filtering does not provide any level of "true" security
- Use WPA2-PSK if possible (Most smartphones do support it)
- Try to have a unique ESSID

JZeolla
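The PBKDF2 derivation quoted in the answer above, as an added example that is not part of the original answer. It uses Python's `hashlib.pbkdf2_hmac`; the helper names and the list of common ESSIDs are assumptions constructed for illustration, and the "password"/"IEEE" pair is the test vector published with IEEE 802.11i.

```python
import hashlib

# Constructed, illustrative list of factory-default style network names.
COMMON_ESSIDS = {"linksys", "default", "netgear", "dlink", "home"}


def wpa2_pmk(passphrase: str, essid: str) -> bytes:
    """DK = PBKDF2(HMAC-SHA1, passphrase, essid, 4096, 256)."""
    pw, salt = passphrase.encode("utf-8"), essid.encode("utf-8")
    if not 8 <= len(pw) <= 63:
        raise ValueError("WPA2 passphrase must be 8 to 63 characters")
    if not 1 <= len(salt) <= 32:
        raise ValueError("ESSID must be 1 to 32 bytes")
    # hashlib takes the output length in bytes: 256 bits = 32 bytes.
    return hashlib.pbkdf2_hmac("sha1", pw, salt, 4096, dklen=32)


def essid_is_common(essid: str) -> bool:
    """True if the ESSID is a salt shared with many other networks, which
    makes it a likely candidate for precomputed tables."""
    return essid.lower() in COMMON_ESSIDS


def same_key(passphrase: str, essid_a: str, essid_b: str) -> bool:
    """Would a table precomputed for essid_a also be valid for essid_b?"""
    return wpa2_pmk(passphrase, essid_a) == wpa2_pmk(passphrase, essid_b)


def audit(passphrase: str, essid: str) -> dict:
    """Summarise one network configuration (constructed report format)."""
    return {
        "essid": essid,
        "pmk": wpa2_pmk(passphrase, essid).hex(),
        "essid_is_common": essid_is_common(essid),
    }


if __name__ == "__main__":
    # Same passphrase, two ESSIDs: the salt alone changes the derived key.
    for name in ("linksys", "jcho-home-7f3a"):  # constructed sample ESSIDs
        print(audit("correct horse battery", name))
    print("table reusable:", same_key("correct horse battery",
                                      "linksys", "jcho-home-7f3a"))
```
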
7

First, it does nothing to protect data on the network. Second, MAC addresses can be easily spoofed and a valid MAC address can be sniffed off of any device connected to your network. It will only keep out the most basic of intruders (i.e., someone who is non-technical and simply looking for free wifi.) It offers no serious protection to simply use MAC filtering and really only offers the most basic protection possible.

AJ Henderson
3

Even a WEP/WPA password of 'password' is better than no password because then the traffic is encrypted.

If you have no password then your traffic, aside from SSL protected sites, is right in the open.

Your MAC address can be changed at will, and as mentioned by Steel City Hacker, can be sniffed right out of the open.

I recommend you explore your neighborhood with a Backtrack distro just to see how this stuff works.

MattPark
    I disagree. Having poor encryption provides no real security, but it does give the impression that there is protection and no need to 'fix' things. It is much like the tie wrap in this image: http://i.stack.imgur.com/q9k6y.jpg – Hennes May 31 '13 at 11:33
0

Well, left to me, if you have a client running a cafe like mine does and he (the client) doesn't want to go LAN, maybe a combination of a MAC filter and a WPS would be fine.

For example, my client complained that some friends of his apprentice connect to his network just by getting the password on their (the apprentice's) system. Be it WEP, WPA, WPA2, TKIP, once the 3rd party knows your password then it's useless. That's why I feel MAC address is a bit safer when combined with other security like a WPS: even after authenticating the MAC in the MAC table, it would need a WPS to log in fully.