MAC address filtering has been an option on almost every router for a decade or longer. The concept is simple: every network interface has a unique identifier, its MAC address, assigned by the manufacturer. Routers can use this identifier to allow only approved devices on the network.
It seems like back in the day everyone was using MAC address filtering and hiding SSIDs. These were considered common security practices, until people found out how easy they were to bypass. Wi-Fi frames could be captured, and even on an encrypted network the MAC addresses in the frame headers are sent in the clear, so all an attacker needed to do was find one that was already communicating and copy it.
Pretty soon every blog and news article around was telling people not to use MAC filtering because there was no point to it: it didn't truly provide security, so you might as well not use it at all. I'm here today to tell you that all those blogs are wrong. You should use MAC filtering, and here's why.
The Defender’s Dilemma
We've all heard of the Defender's Dilemma, even if not by that name. It goes something like this: "Attackers only have to get it right once, but defenders have to get it right every time, all the time." This dilemma is as old as cyber security itself, and it's partially true. We as defenders must find the bad in the noise, and we must do it consistently. Another way to put it is that an attacker only needs to find one entry point, but a defender must defend all possible entry points at the same time.
But what if we could change that?
The Attacker’s Dilemma
When I was working on a PhD in Cyber Security I had a terrific opportunity to speak with the lead security researcher at Microsoft and Dr. Dan Ellis, one of the creators of the MITRE ATT&CK matrix. While they both had different perspectives on cyber security, they shared at least one core similarity. They spoke about getting left of the kill chain and shifting from a Defender's Dilemma to an Attacker's Dilemma.
The core concept here is to make it as difficult as possible for attackers to bypass our defenses: make the attackers get past our sensors before they can actually conduct their operations.
This mindset, this Attacker's Dilemma, is the reason why I say that you should enable MAC address filtering on your router. It adds time and takes extra effort. Don't believe me? Let me explain it a bit more.
MAC address filtering is better now
Back in the day MAC address filtering was a straight deny: if your MAC wasn't on the list, you couldn't connect to the network, period. Now MAC address filtering can work in a number of different ways. One of the more interesting ones is to actually let the device join the network but block it from reaching anything. Think about what happens when you connect to somewhere like Starbucks Wi-Fi. You connect to the Wi-Fi, but the internet doesn't work until you accept the terms and conditions. This is technically called a "captive portal", but under the hood it is a form of MAC address filtering, because the portal keeps track of which clients have accepted the terms by their MAC address.
A captive portal actually has three main parts: the "jail" where devices are placed before they accept the terms, the walled garden of websites they are allowed to reach without accepting the terms, and the web page of the portal itself.
Some routers will perform MAC filtering in much the same way, only without the portal page. Instead of refusing the device's connection, the router places it in the jail. To many of you reading this post that might not sound like a significant difference, since an attacker still only has to change their MAC address, but I assure you it is a major difference. One practical caveat before you turn it on: recent iOS and Android versions randomize a device's Wi-Fi MAC address per network by default, so your own phones will land in the jail until you either add the randomized address to the list or turn randomization off for your home network.
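The three parts described above, modelled as a small policy engine so the difference between a straight deny and a jail is concrete. This is an added example written for this page, not code from the original post or from any router firmware; the gateway address, the choice of which ports a jailed client may use, and every MAC and IP address in it are constructed for illustration.

```python
"""Router-side MAC policy engine: straight deny vs. jail with a walled garden.

Added example, not code from the original post or any router firmware. The
three captive-portal parts named in the post are modelled explicitly: the jail
(unknown MACs land here), the walled garden (destinations a jailed client may
still reach) and the portal (accepting it promotes the MAC to the allow list).
All MAC and IP addresses are constructed sample data; the gateway address and
the jail's permitted ports are assumptions of this example.
"""
import re
from dataclasses import dataclass, field

DENY = "deny"   # classic filtering: an unknown MAC is refused association outright
JAIL = "jail"   # modern filtering: an unknown MAC associates but is walled in

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$")


def norm_mac(mac: str) -> str:
    """Canonicalise AA-BB-... / aa:bb:... to lower-case colon form, rejecting junk."""
    m = mac.strip().lower().replace("-", ":")
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m


@dataclass
class MacPolicy:
    mode: str
    allowed: set
    walled_garden: set = field(default_factory=set)  # IPs reachable from the jail
    gateway_ip: str = "10.0.0.1"                      # assumed router/portal address
    jailed: set = field(default_factory=set)

    def __post_init__(self):
        if self.mode not in (DENY, JAIL):
            raise ValueError(f"unknown mode {self.mode!r}")
        self.allowed = {norm_mac(m) for m in self.allowed}

    def on_associate(self, mac: str) -> str:
        """Called when a client tries to join the wireless network."""
        mac = norm_mac(mac)
        if mac in self.allowed:
            return "ASSOCIATED"
        if self.mode == DENY:
            # Explicit refusal: the client's OS reports a failed connection, which
            # tells an attacker immediately that something is screening them.
            return "REJECTED"
        # Jail: the link comes up and the client gets an address, but nothing
        # beyond the walled garden works and nobody tells it why.
        self.jailed.add(mac)
        return "ASSOCIATED"

    def on_packet(self, mac: str, proto: str, dst_ip: str, dst_port: int) -> str:
        """Forwarding decision for one packet from a client."""
        mac = norm_mac(mac)
        if mac in self.allowed:
            return "FORWARD"
        if mac not in self.jailed:
            return "DROP"  # never associated, e.g. a frame injected with a random MAC
        if proto == "udp" and dst_port == 67:
            return "FORWARD"  # DHCP, so the client gets an address and says "connected"
        if proto == "udp" and dst_port == 53:
            # DNS only to the router's own resolver: open DNS from the jail would be
            # a DNS-tunnelling escape hatch.
            return "FORWARD" if dst_ip == self.gateway_ip else "DROP"
        if dst_ip == self.gateway_ip or dst_ip in self.walled_garden:
            return "FORWARD"
        # Silent drop rather than ICMP unreachable or TCP RST: the client sees a
        # timeout and is left to guess whether it is DNS, routing, or a filter.
        return "DROP"

    def portal_accept(self, mac: str) -> bool:
        """The portal's 'I accept' button: promote a jailed MAC to the allow list."""
        mac = norm_mac(mac)
        if mac not in self.jailed:
            return False
        self.jailed.discard(mac)
        self.allowed.add(mac)
        return True


if __name__ == "__main__":
    p = MacPolicy(mode=JAIL, allowed={"aa:bb:cc:dd:ee:01"}, walled_garden={"203.0.113.10"})
    print(p.on_associate("de:ad:be:ef:00:01"))                       # ASSOCIATED, but jailed
    print(p.on_packet("de:ad:be:ef:00:01", "tcp", "192.0.2.80", 443))  # DROP, silently
```

The deny-mode router answers the attacker's question for them; the jail-mode router makes them ask it. Note that the jail still has to let DHCP through, or the client never reaches the "connected, no internet" state the post relies on, and that DNS from the jail should go only to the router, otherwise a jailed client can tunnel out over port 53.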
Knowing is half the battle
How many times have you connected to Wi-Fi and been greeted with a "Wi-Fi connected but no internet access" message? Did you ever ask yourself "Does this Wi-Fi network have MAC address filtering on?" If you never thought about it, that's OK, I don't blame you. My first thought usually goes to "it's DNS", because nine times out of ten it's DNS.
An attacker has to go through this same thought process. If they connect to your network with MAC address filtering on, they'll get a "Connected but no Internet access" message. Yes, it is trivial to defeat this defense by changing the MAC address, but the attacker must first realize that is what they need to do.
A router reject message is obvious: the system tells them directly that the connection was refused. A jail doesn't. It provides no information about why the device can't reach anything, because the device itself doesn't know why it can't reach anything.
While it's true that MAC address filtering is not drastically difficult to defeat, it adds time and effort to an attacker's operation. The attacker now has to spend valuable time trying to figure out why they can't access your network. With every extra defense we add to a network, every additional minute or hour we take from the attacker, we shift that dilemma further left. Every sensor we place, every block we establish, every hour we take creates a mental effect. With enough mental effects we might be able to get our attackers to move on to a softer target.
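The jail only pays off as a sensor if someone is watching what lands in it. The script below, an added example that is not part of the original post, runs over constructed hostapd- and dnsmasq-style log lines and raises a low-severity alert when an unknown MAC gets jailed and a high-severity one when an allow-listed MAC reappears announcing a different DHCP hostname. Using the hostname mismatch as a spoofing indicator, and estimating the attacker's dwell time from the earliest jailed MAC, are this example's own heuristics, not claims made by the post; the allow list, hostnames and timestamps are made up.

```python
"""The jail as a tripwire: alerting on what lands in it and on what climbs out.

Added example, not code from the original post. The log lines are constructed
in hostapd / dnsmasq style; the allow list, hostnames and timestamps are made
up. Flagging an allow-listed MAC that suddenly DHCPs with a different hostname
as a spoofing indicator is this example's own heuristic, and the dwell-time
figure is only an estimate of how long the attacker spent working out why the
jail blocked them.
"""
import re
from datetime import datetime

# MAC -> hostname we expect that device to announce in DHCP (constructed).
ALLOWLIST = {"aa:bb:cc:dd:ee:01": "alice-laptop"}

ASSOC_RE = re.compile(
    r"^(?P<ts>\S+) hostapd: \S+: STA (?P<mac>[0-9a-f:]{17}) IEEE 802\.11: associated")
DHCP_RE = re.compile(
    r"^(?P<ts>\S+) dnsmasq-dhcp: DHCPACK\(\S+\) \S+ (?P<mac>[0-9a-f:]{17}) (?P<host>\S+)")

# Constructed timeline: the owner's laptop joins, an unknown device joins and is
# jailed, then the owner's MAC reappears announcing the unknown device's hostname.
SAMPLE_LOG = """\
2024-05-01T10:00:00 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated (aid 1)
2024-05-01T10:00:01 dnsmasq-dhcp: DHCPACK(wlan0) 10.0.0.20 aa:bb:cc:dd:ee:01 alice-laptop
2024-05-01T10:12:00 hostapd: wlan0: STA de:ad:be:ef:00:01 IEEE 802.11: associated (aid 2)
2024-05-01T10:12:01 dnsmasq-dhcp: DHCPACK(wlan0) 10.0.0.99 de:ad:be:ef:00:01 kali
2024-05-01T10:27:30 hostapd: wlan0: STA aa:bb:cc:dd:ee:01 IEEE 802.11: associated (aid 3)
2024-05-01T10:27:31 dnsmasq-dhcp: DHCPACK(wlan0) 10.0.0.20 aa:bb:cc:dd:ee:01 kali
"""


def analyze(lines, allowlist=ALLOWLIST):
    """Return alerts in log order: 'low' when an unknown MAC lands in the jail,
    'high' when an allow-listed MAC shows up announcing an unexpected hostname."""
    alerts = []
    jailed_since = {}  # unknown MAC -> when it first associated
    for line in lines:
        m = ASSOC_RE.match(line)
        if m:
            ts, mac = datetime.fromisoformat(m["ts"]), m["mac"]
            if mac not in allowlist and mac not in jailed_since:
                jailed_since[mac] = ts
                alerts.append({"sev": "low", "type": "unknown_mac_jailed",
                               "mac": mac, "ts": ts})
            continue
        m = DHCP_RE.match(line)
        if not m:
            continue
        ts, mac, host = datetime.fromisoformat(m["ts"]), m["mac"], m["host"]
        expected = allowlist.get(mac)
        if expected is None or host == expected:
            continue
        # Same MAC, different machine name: consistent with someone copying an
        # allowed MAC. Dwell time is measured from the earliest jailed MAC, on
        # the assumption that it was the attacker's original address.
        dwell = max((ts - t).total_seconds() for t in jailed_since.values()) \
            if jailed_since else None
        alerts.append({"sev": "high", "type": "allowlisted_mac_new_hostname",
                       "mac": mac, "host": host, "expected": expected,
                       "dwell_s": dwell, "ts": ts})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample timeline the unknown device sits in the jail for about fifteen minutes before the owner's MAC shows up with the hostname "kali"; that gap is the time the post argues the jail buys you, and the second alert is the moment to act on it. A determined attacker can also copy the victim's hostname, so treat this as one signal among several rather than proof.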