Why is MAC-based authentication insecure?

security wireless-networking authentication mac-address
16,579

Solution 1

In an ethernet network the MAC address is used to uniquely identify each node (computer etc) on the network. Every packet broadcast over the network must contain the MAC address of the intended receiver to ensure packets get where they need to go.

Therefore using a packet sniffing tool it is quite easy to extract valid MAC addresses "off the wire". Once you have the MAC address, as you already know, spoofing the MAC address is even easier.

Also, I seem to remember that MAC addresses are part of the OSI Data Link layer (level 2) and are still visible in packets even if encryption such as WEP / WPA2 is used. This may have changed more recently however.

Solution 2

Even with wireless encryption enabled, MAC addresses are sent unencrypted. The reason for this is that if you encrypted the MAC address, every client on the wireless network would need to decrypt every single packet, just to find out whether it was sent to them or not.

Imagine watching a Netflix movie on your laptop using your home wireless connection, with a smartphone in your pocket also connected to the wifi. Your phone would need to receive every packet containing the streaming movie, decrypt it, then discard it. This would consume a huge amount of CPU and battery for no real reason.

Since the MAC address in each packet is always unencrypted, it's trivial for any attacker to run a packet sniffer, get a list of all the MAC addresses communicating on the network, then impersonate one of them.

Security Now podcast #11 (MP3, transcript) covers MAC filtering as well as WEP, disabling SSID broadcasts, and other ineffective ways of securing a wireless network.

Solution 3

It's bad because those who use it, apparently think it makes things more secure. And it's that wrong feeling of security that's the problem.

(Don't bother to filter on MAC-address, nor to hide the SSID. Use WPA or WPA2 with a good passphrase instead.)

Solution 4

It's only insecure if you actually have something valuable to protect. If you're just trying to prevent unauthorized users from using your wireless connection MAC-based authentication is fine.

MAC addresses aren't intended to be kept private, so it's very easy for someone to clone it.

Solution 5

In computer security there is a statement "Users are the weakest links in the security chain " So I can imagine a one situation.

Say an internal user wants to do something "illegal".. So in this case he can use the MAC of his own machine and do whatever thing he want. Since the admins can see it is a "hack" there is no responsibility of the real user.

And as far as I know a user can scan for the MAC addresses within the LAN. I think packet sniffer tools can retrieve them. So in that case he can steal a MAC of a his mate as well.

Don't think the hackers are from the outside. They may be insiders as well.

Share:
16,579
stalepretzel
Author by

stalepretzel

Updated on September 17, 2022

Comments

  • stalepretzel
    stalepretzel almost 2 years

    Most wireless routers can use MAC-based authentication as part of their overall security scheme. It seems like a good idea, but I've heard that it is very ineffective, because it's easy to spoof MAC addresses.

    I believe that it's easy to spoof these addresses, but I don't see how that's a problem. Wouldn't hackers still need to know what MAC address to pretend to have? There are 16^16 possible MAC addresses, so that doesn't seem like too big of a problem to me. Can anyone explain?

  • Ash
    Ash almost 15 years
    This is a good point. For most home networks the main goal is to make it difficult for people to leech your bandwidth. MAC filtering does this. Anything that requires real security on my computer I use HTTPS web sites or some local encryption scheme.
  • AaronLS
    AaronLS almost 15 years
    If I'm using WPA, will the MAC portion of the packets still be unencrypted?
  • RBerteig
    RBerteig almost 15 years
    Part of the address is a number purchased by each manufacturer from the registrar. The rest is at the whim of each manufacturer to assign, as long as they guarantee that no two devices are ever shipped with the same address. The easiest way to meet that guarantee is often to dole them out sequentially from a single record keeper within the company.
  • user457303
    user457303 almost 15 years
    Yes. The MAC portion is always unencrypted.
  • stalepretzel
    stalepretzel almost 15 years
    Doesn't really answer the question... Should probably be a comment.
  • Kornel
    Kornel almost 15 years
    It hurts, because you spend time and effort on implementing scheme that doesn't deter intruders (false sense of security) and usually annoys legit users (e.g. when they want to use new device or have network card/motherboard replaced).
  • CesarB
    CesarB over 14 years
    Use WPA2, it seems WPA is also broken: networkworld.com/news/2009/…
  • sleske
    sleske over 14 years
    Well, "broken" in the strict cryptographic sense (some information can be recovered). You cannot yet decrypt all the traffic. Still, you should switch to WPA2 ASAP.
  • cregox
    cregox about 14 years
    This is definitely a much better answer than the current accepted one.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

How can I get my router and Inprocomm IPN2220 wireless network card connected?
php not redirecting and logging in
WCF transport security with no authentication
How can I calculate the Failed Acceptance Rate and False Recognition Rate?
ASP.Net Authentication using <credentials> in web.config
ASP.NET Core using custom authenticationhandler with cookieauthentication
Password hashing (non-SSL)
How to Deactivate a LDAP User?
Securing a Docker container with HTTP BASIC AUTH
How to automatically login as a user using Spring Security without knowing their password?