Why is MAC-based authentication insecure?

12

2

Most wireless routers can use MAC-based authentication as part of their overall security scheme. It seems like a good idea, but I've heard that it is very ineffective, because it's easy to spoof MAC addresses.

I believe that it's easy to spoof these addresses, but I don't see how that's a problem. Wouldn't hackers still need to know what MAC address to pretend to have? There are 16^16 possible MAC addresses, so that doesn't seem like too big of a problem to me. Can anyone explain?

stalepretzel

Posted 2009-08-07T02:21:50.517

Reputation: 1 106

Answers

7

In an Ethernet network the MAC address is used to uniquely identify each node (computer, etc.) on the network. Every packet broadcast over the network must contain the MAC address of the intended receiver to ensure packets get where they need to go.

Therefore, using a packet-sniffing tool, it is quite easy to extract valid MAC addresses "off the wire". Once you have the MAC address, as you already know, spoofing the MAC address is even easier.

Also, I seem to remember that MAC addresses are part of the OSI Data Link layer (level 2) and are still visible in packets even if encryption such as WEP / WPA2 is used. This may have changed more recently, however.

Ash

Posted 2009-08-07T02:21:50.517

Reputation: 2 611

28

Even with wireless encryption enabled, MAC addresses are sent unencrypted. The reason for this is that if you encrypted the MAC address, every client on the wireless network would need to decrypt every single packet, just to find out whether it was sent to them or not.

Imagine watching a Netflix movie on your laptop using your home wireless connection, with a smartphone in your pocket also connected to the wifi. Your phone would need to receive every packet containing the streaming movie, decrypt it, then discard it. This would consume a huge amount of CPU and battery for no real reason.

Since the MAC address in each packet is always unencrypted, it's trivial for any attacker to run a packet sniffer, get a list of all the MAC addresses communicating on the network, then impersonate one of them.

Security Now podcast #11 (MP3, transcript) covers MAC filtering as well as WEP, disabling SSID broadcasts, and other ineffective ways of securing a wireless network.

Zack Elan

Posted 2009-08-07T02:21:50.517

Reputation: 571

This is definitely a much better answer than the current accepted one. – cregox – 2010-03-31T21:48:27.377

If I'm using WPA, will the MAC portion of the packets still be unencrypted? – AaronLS – 2009-08-07T05:45:00.487

4 Yes. The MAC portion is always unencrypted. – Dana Robinson – 2009-08-07T08:15:27.567
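The point made in the answer and comments above, as an added example that is not part of the original thread: the fixed part of an 802.11 data-frame header is decoded below from a constructed frame whose Protected bit is set, and the addresses come out without any key. The sample bytes, the RFC 7042 documentation addresses and the function names are assumptions made for illustration.

```python
import struct

# Constructed sample: 802.11 data frame, station -> AP, Protected bit set.
# Addresses come from the RFC 7042 documentation range; the body is filler
# standing in for the CCMP header and ciphertext.
SAMPLE_FRAME = bytes.fromhex(
    "0841"          # frame control: type=data, flags=ToDS|Protected
    "2c00"          # duration
    "00005e005301"  # address 1: BSSID (the access point)
    "00005e005310"  # address 2: transmitting station
    "00005e005399"  # address 3: final destination
    "1000"          # sequence control (sequence number 1)
) + bytes(8) + b"\xde\xad\xbe\xef" * 4

# (to_ds, from_ds) -> meaning of address fields 1, 2, 3
ROLES = {
    (0, 0): ("destination", "source", "bssid"),
    (1, 0): ("bssid", "source", "destination"),
    (0, 1): ("destination", "bssid", "source"),
}

def fmt(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)

def parse_header(frame: bytes) -> dict:
    """Decode the fixed 24-byte part of the header. No key is used: the
    Protected bit only says that the frame body is encrypted."""
    if len(frame) < 24:
        raise ValueError("truncated 802.11 header")
    fc, _dur, a1, a2, a3, seq = struct.unpack_from("<HH6s6s6sH", frame)
    if (fc >> 2) & 0x3 != 2:
        raise ValueError("not a data frame")
    ds = ((fc >> 8) & 1, (fc >> 9) & 1)
    if ds not in ROLES:
        raise ValueError("4-address (WDS) frames are not handled here")
    out = {"protected": bool(fc & 0x4000), "seq": seq >> 4,
           "transmitter": fmt(a2)}
    out.update(zip(ROLES[ds], map(fmt, (a1, a2, a3))))
    return out

def mac_filter_allows(frame: bytes, allowlist: set) -> bool:
    """The decision a MAC filter makes: it compares the cleartext
    transmitter field to a list, with no proof the sender owns it."""
    return parse_header(frame)["transmitter"] in allowlist

if __name__ == "__main__":
    print(parse_header(SAMPLE_FRAME))
```

The filter's only input is a header field that every receiver in range can read, which is why WPA2 with a strong passphrase, not the address list, has to carry the authentication.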

4

It's only insecure if you actually have something valuable to protect. If you're just trying to prevent unauthorized users from using your wireless connection, MAC-based authentication is fine.

MAC addresses aren't intended to be kept private, so it's very easy for someone to clone one.

M. Dudley

Posted 2009-08-07T02:21:50.517

Reputation: 3 157

This is a good point. For most home networks the main goal is to make it difficult for people to leech your bandwidth. MAC filtering does this. For anything that requires real security on my computer, I use HTTPS web sites or some local encryption scheme. – Ash – 2009-08-07T03:10:04.310

4

It's bad because those who use it apparently think it makes things more secure. And it's that wrong feeling of security that's the problem.

(Don't bother to filter on MAC address, nor to hide the SSID. Use WPA or WPA2 with a good passphrase instead.)

Arjan

Posted 2009-08-07T02:21:50.517

Reputation: 29 084

Use WPA2, it seems WPA is also broken: http://www.networkworld.com/news/2009/082709-new-attack-cracks-common-wi-fi.html – CesarB – 2009-09-29T02:44:24.113

Well, "broken" in the strict cryptographic sense (some information can be recovered). You cannot yet decrypt all the traffic. Still, you should switch to WPA2 ASAP. – sleske – 2010-01-04T11:54:21.517

2

In computer security there is a statement: "Users are the weakest links in the security chain." So I can imagine one situation.

Say an internal user wants to do something "illegal". So in this case he can use the MAC of his own machine and do whatever he wants. Since the admins can see it is a "hack", there is no responsibility of the real user.

And as far as I know, a user can scan for the MAC addresses within the LAN. I think packet sniffer tools can retrieve them. So in that case he can steal the MAC of his mate as well.

Don't think the hackers are from the outside. They may be insiders as well.

Chathuranga Chandrasekara

Posted 2009-08-07T02:21:50.517

Reputation: 629

0

I think it would be fairly trivial to find your MAC address if you were on any network other than your own along with a hacker. Not to mention, the MAC addresses aren't random. The first X digits represent the make of the router and I believe the other digits represent other things as well.

Joe Phillips

Posted 2009-08-07T02:21:50.517

Reputation: 1 350

2 Part of the address is a number purchased by each manufacturer from the registrar. The rest is at the whim of each manufacturer to assign, as long as they guarantee that no two devices are ever shipped with the same address. The easiest way to meet that guarantee is often to dole them out sequentially from a single record keeper within the company. – RBerteig – 2009-08-07T07:23:42.760

0

While they are easy to spoof, it is more work for the hacker to do so. I don't think it will hurt as part of your overall security scheme. Just don't rely on it alone.

Jeremy French

Posted 2009-08-07T02:21:50.517

Reputation: 870

Doesn't really answer the question... Should probably be a comment. – stalepretzel – 2009-08-08T17:22:58.463

3 It hurts, because you spend time and effort on implementing a scheme that doesn't deter intruders (false sense of security) and usually annoys legit users (e.g. when they want to use a new device or have a network card/motherboard replaced). – Kornel – 2009-08-31T20:28:09.997