Are MAC Address Filtering and SSID Hiding still worthwhile?

They're stumbling blocks, but not insurmountable. SSID hiding can provide some protection from people looking for any SSID they can get their hands on, and MAC filtering can keep casual riffraff out. As the only methods of protecting a WLAN they're pretty weak.

For someone who targets your network specifically, encryption (especially unbroken encryption) will provide vastly better security. MAC spoofing is trivial in most adapters these days, and after you've cracked the network to the point you can monitor in-flight packets, you can get a list of valid MAC addresses. SSID is trivial at that point as well. Due to the automated nature of the toolsets available, MAC filtering and SSID hiding aren't really worth the effort any more. In my opinion.


No, neither of these are worthwhile measures against an attacker. Unless you have an easy to guess password you need to assume anyone who might realistically try to gain access to your network has software to help or a little knowledge of how to get around such techniques.

SSID hiding doesn't improve security since it is trivial to identify the SSID of a network that's in use (download and run inSSIDer for instance), and in fact it can compromise the security of wireless clients that are configured to connect to hidden SSID networks. From a Microsoft TechNet article:

using non-broadcast networks compromises the privacy of the wireless network configuration of a…wireless client because it is periodically disclosing its set of preferred non-broadcast wireless networks…it is highly recommended that you do not use non-broadcast wireless networks.

MAC address filtering doesn't improve security since network traffic includes the unencrypted MAC address of active network devices. This means anyone can find out a MAC address that's on the allowed list and then use easily available software to spoof their MAC address.

Authentication and encryption are the only reasonable ways to secure your wireless network. For a home network that means using WPA2-PSK security with a strong password and an SSID that's not on the list of the 1000 most common SSIDs.

MAC address filtering perhaps provides one benefit: controlling access for non-malicious users. Once you've given someone your WiFi password you have no control over who they give the password to: they can easily tell their friends, perhaps after forgetting that they shouldn't. MAC address filtering means you have central control over which devices belonging to non-hackers can connect.

So if you're worried about someone hacking into your network, forget SSID hiding and MAC address filtering. If you don't want your friends' friends to connect, MAC address filtering might help…although it'd be less hassle to ask your friends not to pass on the password or just enter the WiFi password for them on any devices.


Kismet and other completely passive rfmon scanners have been around for a long, long time. Unless it's on a home wifi network that you never share with guests and seldom add devices to, the marginal increase in security you get from those two actions isn't worth the marginal increase in inconvenience.

Tags:

Wifi