MAC address filtering allows you to define a list of devices and only allow those devices on your Wi-Fi network. That’s the theory, anyway. In practice, this protection is tedious to set up and easy to breach.
K9 Web Protection is a free Internet filter and parental control software for your home Windows or Mac computer. K9 puts YOU in control of the Internet so you can protect your kids. K9 puts YOU in control of the Internet so you can protect your kids.
This is one of the Wi-Fi router features that will give you a false sense of security. Just using WPA2 encryption is enough. Some people like using MAC address filtering, but it’s not a security feature.
RELATED:Don’t Have a False Sense of Security: 5 Insecure Ways to Secure Your Wi-Fi
Each device you own comes with a unique media access control address (MAC address) that identifies it on a network. Normally, a router allows any device to connect — as long as it knows the appropriate passphrase. With MAC address filtering a router will first compare a device’s MAC address against an approved list of MAC addresses and only allow a device onto the Wi-Fi network if its MAC address has been specifically approved.
Your router probably allows you to configure a list of allowed MAC addresses in its web interface, allowing you to choose which devices can connect to your network.
So far, this sounds pretty good. But MAC addresses can be easily spoofed in many operating systems, so any device could pretend to have one of those allowed, unique MAC addresses.
MAC addresses are easy to get, too. They’re sent over the air with each packet going to and from the device, as the MAC address is used to ensure each packet gets to the right device.
RELATED:How an Attacker Could Crack Your Wireless Network Security
All an attacker has to do is monitor the Wi-Fi traffic for a second or two, examine a packet to find the MAC address of an allowed device, change their device’s MAC address to that allowed MAC address, and connect in that device’s place. You may be thinking that this will not be possible because the device is already connected, but a “deauth” or “deassoc” attack that forcibly disconnects a device from a Wi-Fi network will allow an attacker to reconnect in its place.
We’re not exagerating here. An attacker with a toolset like Kali Linux can use Wireshark to eavesdrop on a packet, run a quick command to change their MAC address, use aireplay-ng to send deassociation packets to that client, and then connect in its place. This entire process could easily take less than 30 seconds. And that’s just the manual method that involves doing each step by hand — never mind the automated tools or shell scripts that can make this faster.
RELATED:Your Wi-Fi’s WPA2 Encryption Can Be Cracked Offline: Here’s How
At this point, you may be thinking that MAC address filtering isn’t foolproof, but offers some additional protection over just using encryption. That’s sort of true, but not really.
Basically, as long as you have a strong passphrase with WPA2 encryption, that encryption will be the hardest thing to crack. If an attacker can crack your WPA2 encryption, it will be trivial for them to trick the MAC address filtering. If an attacker would be stumped by the MAC address filtering, they definitely won’t be able to break your encryption in the first place.
Think of it like adding a bicycle lock to a bank vault door. Any bank robbers that can get through that bank vault door will have no trouble cutting a bike lock. You’ve added no real additional security, but every time a bank employee needs to access the vault, they have to spend time dealing with the bike lock.
RELATED:10 Useful Options You Can Configure In Your Router’s Web Interface
The time spent managing this is the main reason you shouldn’t bother. When you set up MAC address filtering in the first place, you’ll need to get the MAC address from every device in your household and allow it in your router’s web interface. This will take some time if you have a lot of Wi-Fi-enabled devices, as most people do.
Whenever you get a new device — or a guest comes over and needs to use your Wi-Fi on their devices — you’ll have to go into your router’s web interface and add the new MAC addresses. This is on top of the usual setup process where you have to plug in the Wi-Fi passphrase into each device.
This just adds additional work to your life. That effort should pay off with better security, but the miniscule-to-nonexistent boost in security you get makes this not worth your time.
MAC address filtering, properly used, is more of a network administration feature than a security feature. It won’t protect you against outsiders trying to actively crack your encryption and get onto your network. However, it will allow you to choose which devices are allowed online.
For example, if you have kids, you could use MAC address filtering to disallow their laptop or smartphpone from accessing the Wi-FI network if you need to ground them and take away Internet access. The kids could get around these parental controls with some simple tools, but they don’t know that.
That’s why many routers also have other features that depend on a device’s MAC address. For example, they might allow you to enable web filtering on specific MAC addresses. Or, you can prevent devices with specific MAC addresses from accessing the web during school hours. These aren’t really security features, as they’re not designed to stop an attacker who knows what they’re doing.
If you really want to use MAC address filtering to define a list of devices and their MAC addresses and administer the list of devices that are allowed on your network, feel free. Some people actually enjoy this sort of management on some level. But MAC address filtering provides no real boost to your Wi-Fi security, so you shouldn’t feel compelled to use it. Most people shouldn’t bother with MAC address filtering, and — if they do — should know it’s not really a security feature.
Image Credit: nseika on Flickr
READ NEXTParental controls can filter the web, blocking inadvertent access to inappropriate websites. There are a variety of ways to do this, from configuring network-wide parental controls on your router to using the parental controls built into Windows or third-party software.
Web filtering is best used to restrict the web for young children, preventing them from accidentally wandering into the seedier corners of the Internet. Teenagers are adept at finding their ways around parental controls if they want to.
One of the easiest ways to set up parental controls is by configuring them on your router. Your router functions as the choke point where all the Internet traffic for your network flows through. Setting up parental controls here will allow you to perform web filtering for all the devices on your network — computers, smartphones, tablets, and even game consoles with built-in browsers.
Some routers ship with built-in parental controls. If your router has this feature, it will often be advertised on the box and will generally be explained in the manual. You can go to the router’s web-based configuration pages and set up the parental controls for your network.
Many routers don’t include parental controls, but you can use OpenDNS to set up parental controls on any router. To do this, you’ll just need to change your router’s DNS server settings to use OpenDNS. OpenDNS allows you to set up an account and configure web filtering — you can select different types of categories of websites to block. Websites you block will redirect to a “This site is blocked” message when visited on your network.
For more information about changing your router’s settings, refer to its manual.
If you would like a device on your network not to be filtered, you can change its DNS server manually so it won’t use OpenDNS. Of course, this means that anyone on your network can change their DNS server and bypass the filtering. Like we said, such filters can be helpful for your children, but a teenager can get around it.
Windows 7 has some built-in parental controls that allow you to control what time a user account can log into the computer and what programs it can use. This is helpful if your kids use separate user accounts on your computer.
However, Windows 7 doesn’t include a web filter. Microsoft does still offer Family Safety, a free program that allows you to set up web filtering on Windows 7. Install the Family Safety program on your Windows 7 computer and you’ll be able to manage its settings from Microsoft’s Family Safety website. The program is available as part of Microsoft’s Windows Essentials package.
Windows 8 and Windows 10 have integrated parental controls that combine Windows 7’s time limits and program access controls with Family Safety’s web filtering and more new features. You can manage your settings and view reports from the same Family Safety website. All you need to do is check the “Is this a child’s account?” box when setting up a new user account on Windows 8. The account will be marked as a child’s account and can be managed from the Family Safety website online.
Read more about using parental controls on Windows 8.
You can also turn to third-party parental controls. Many Internet security suites come with built-in parental controls. If you have a security suite installed on your computer, check if it has built-in parental controls.
There are also dedicated parental control solutions you can pay for, like the famous Net Nanny that everyone has heard of. However, you don’t need to pay for a parental control solution. There are many other free web filtering solutions you can use. For example, Norton offers a free Norton Family parental control application that seems to be widely recommended. Try doing a search online and you’ll find many other options that may fit your needs.
Of course, no parental controls are perfect. They won’t block everything bad and may occasionally block something good. Sufficiently motivated teenagers can also get around them, if only by leaving your house and accessing the Internet elsewhere or using their smartphone.
Image Credit: San José Library on Flickr
READ NEXT