Security provided through MAC filtering: Wired vs. Wireless Networks

  • In wireless networks, the signals travel through the air; anybody can listen to them and capture the source MAC address. Therefore, it's easy for an attacker to find out the white-listed MAC addresses and impersonate them.

    Think of it this way: A group of friends talking to each other, and they only talk to people they know. When one of them says something, he always says his name in the beginning. So, for example, Jack says "Hey, I'm Jack. Today I blah blah blah". If you happen to pass by them, you can hear one of their names and use it in the beginning of your sentence. They'd think that you're Jack. (Please ignore their ability to see you and recognize your voice)

  • In wired networks (more specifically, switch-wired networks), the signals travel through the wires from the hosts to the switch; it's much more difficult for an attacker to listen to them and capture the source MAC address.

    Think of it this way: The same situation as in the previous example, but instead of talking, the friends are sending each other post-it notes directly, hand-to-hand. You, as an outsider, have no idea what they're talking about or what their names are, so, theoretically, you cannot pretend to be one of them.

In short, what makes MAC filtering ineffective is an attacker who knows a valid MAC address. By having a valid MAC address, the attacker is able to impersonate it and "convince" the server/router/AP that he is the white-listed device.

In wireless networks it's easier to capture and acquire a valid MAC address than it is in wired networks. That's why MAC filtering is less effective in wireless networks than in wired networks.


Switches, Hubs, and Broadcast

In old-style ethernet networks connected with a hub, all packets were broadcast to all stations on the network. This is also the way wireless networks typically act today.

But in order to improve network performance, switches have largely replaced hubs in connecting stations together. Once a switch sees a packet originating from one of its physical ports, it makes a note of the sender's MAC address. From that point forward, traffic directed at that MAC address will only be sent down that one single wire, and none of the others.

This connection arrangement dramatically reduces the amount of traffic visible to a surreptitious listener. Instead of seeing all traffic on the network, the listener will only see broadcast traffic and traffic that isn't directed toward a MAC that the switch knows about.

Workaround and Additional Problems

This doesn't make MAC-spoofing impossible; a user can watch for broadcast frames (such as ARP packets) to see which MACs are allowed on the network. But once the attacker begins to use a stolen MAC, the effect on the switch becomes somewhat unpredictable and typically very unstable.

Since the policy on the switch is to only send traffic down the wire from which the MAC address was recently seen, and since two stations are now claiming the same MAC, the behavior of the switch becomes undefined. While different switches handle this situation differently, typically what you'll see is that some of the traffic goes to one computer, and some of it goes to the other, depending on which one spoke last. Combine this with the continuity and acknowledgement requirements of TCP, and this makes for a largely unusable connection for both parties.

Further Mitigation

To make matters even more difficult for an attacker, "Managed Switches", typically found in higher-end network installations, can use more than just the naive algorithm mentioned above for routing ethernet traffic. Instead of determining MAC address routing by listening, these can be pre-configured by an admin to know where to expect a given MAC address to reside. This means that not only will an attacker have to find a valid MAC address, but he'll also have to plug his device into the same physical plug socket where the valid device was found. Plug your device into any other socket and it just won't work.
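The two behaviours this answer describes, the last-sender-wins learning table of a plain switch (where a duplicated MAC makes replies flap between ports) and the admin-pinned MAC-to-port binding of a managed switch (where the same MAC on the wrong port is dropped), as a small Python model. This is an added example, not code from the answers above; the port names and MAC addresses are constructed.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy model of a switch's MAC table: learned by listening, or pinned by the admin."""

    def __init__(self, ports, pinned=None):
        self.ports = list(ports)
        self.pinned = dict(pinned or {})   # MAC -> port, configured by the admin (managed switch)
        self.learned = {}                  # MAC -> port, the last port the MAC was seen on

    def forward(self, in_port, src, dst):
        """Return the ports a frame is sent out of, or [] if the switch drops it."""
        # Managed switch: a pinned MAC arriving on any other port is dropped.
        if self.pinned.get(src, in_port) != in_port:
            return []
        if src not in self.pinned:
            self.learned[src] = in_port    # naive learning: the last sender wins
        out = self.pinned.get(dst) or self.learned.get(dst)
        if dst == BROADCAST or out is None:
            return [p for p in self.ports if p != in_port]   # unknown/broadcast: flood
        return [out]


# Constructed addresses: a white-listed client and the server it talks to.
CLIENT = "aa:aa:aa:aa:aa:01"
SERVER = "bb:bb:bb:bb:bb:01"


def unmanaged_demo():
    """Two stations claim CLIENT's MAC on a plain switch; replies follow whoever spoke last."""
    sw = Switch(["p1", "p2", "p3"])
    sw.forward("p3", SERVER, BROADCAST)              # server on p3 announces itself
    replies = []
    sw.forward("p1", CLIENT, SERVER)                 # real client on p1 talks
    replies.append(sw.forward("p3", SERVER, CLIENT))  # reply goes to p1
    sw.forward("p2", CLIENT, SERVER)                 # second station on p2, same MAC
    replies.append(sw.forward("p3", SERVER, CLIENT))  # reply now goes to p2
    sw.forward("p1", CLIENT, SERVER)                 # real client talks again
    replies.append(sw.forward("p3", SERVER, CLIENT))  # reply flaps back to p1
    return replies


def managed_demo():
    """CLIENT's MAC pinned to p1: the frame from p2 is dropped and replies stay on p1."""
    sw = Switch(["p1", "p2", "p3"], pinned={CLIENT: "p1"})
    sw.forward("p3", SERVER, BROADCAST)
    dropped = sw.forward("p2", CLIENT, SERVER)       # wrong socket: []
    reply = sw.forward("p3", SERVER, CLIENT)         # still ['p1']
    return dropped, reply
```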