And another thing...
This article is a follow-up to Jason Perlow's post this morning, "For the love of God, please secure your wireless networks."
Oh, how we've all been there. Securing networks has even become something of a sore spot in my friend and family relations, because I've had to prevent some unsafe practices against the will (but with spousal support) of some of my favorite force-of-nature octogenarian friends.
Jason writes about how many wireless networks are just sitting out there, unsecured, open, free as free can be. He worries about the people using those networks and how they can easily be targets of unscrupulous wardrivers.
But there's one more factor involved. Manufacturers make it almost impossible to use one very simple and powerful security feature available in almost all routers. I first noticed this behavior with Apple products (who else?), but then saw it in many other consumer products, from the Nexus 7 to even the Roku.
Let's talk about MAC address filtering. Wikipedia helpfully defines a MAC address: "A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment."
Think of it as your network card's serial number.
So, here's how the security component works. On top of all your router's other security measures, you can tell it to allow only devices whose MAC addresses are on a list you specify. That wardriver out there, who might have tried to tunnel into your network — if he doesn't have one of those MAC addresses, he's not getting into your router.
It's simple, it's powerful. It's not the only security you need, but it's a very helpful and strong additional layer.
And almost every manufacturer has nerfed it.
See, when you hook up a new iPad or a new Nexus 7 or a new Roku or pretty much anything else, they're now super-easy to install. You simply search for a familiar SSID (already a dangerous practice — you should hide your SSIDs) and enter in your WPA2 key.
But what about the MAC address? In most cases, you can't get at it until you're already on the network. Most devices don't display it as part of the network setup process. It's only once the network connection is completely and successfully established that you can go into network settings and see it. If then.
So what does this mean? Well, on my network, I often connect the new device to a dummy router that exists solely for new device installation. Once the dummy router gets the device's DHCP lease request, I know the new MAC address. I power down the dummy router, register the new allowed MAC address in my primary router, and go through the real setup process.
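The staging-router step above can be scripted; this is an added example, not code from the original article. It assumes the dummy router runs dnsmasq and writes its usual lease file, and the sample leases, the allowlist and the function names are constructed for illustration. It also flags locally administered addresses, because a device that shows a randomized MAC to the staging network may show a different one to the primary network.

```python
import re

# Constructed sample of a dnsmasq lease file taken from the staging router.
# Assumed line format: <expiry-epoch> <mac> <ip> <hostname> <client-id>
SAMPLE_LEASES = """\
1700003600 ac:de:48:00:11:22 192.168.50.10 living-room-roku 01:ac:de:48:00:11:22
1700003700 da:a1:19:5c:7e:01 192.168.50.11 * 01:da:a1:19:5c:7e:01
1700003800 00:1b:63:84:45:e6 192.168.50.12 admin-laptop *
this line is malformed and is skipped
"""

# Constructed allowlist, written the way a router UI might display it.
ALLOWED = {"00-1B-63-84-45-E6"}

MAC_RE = re.compile(r"^[0-9a-f]{2}([:-][0-9a-f]{2}){5}$", re.IGNORECASE)


def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or None if invalid."""
    if not MAC_RE.match(mac):
        return None
    return mac.lower().replace("-", ":")


def is_locally_administered(mac):
    """True when bit 0x02 of the first octet is set (not a burned-in address)."""
    return bool(int(mac[:2], 16) & 0x02)


def new_devices(lease_text, allowed):
    """List leased MACs that are not yet on the allowlist, each one once."""
    known = {normalize_mac(m) for m in allowed}
    found = []
    for line in lease_text.splitlines():
        fields = line.split()
        mac = normalize_mac(fields[1]) if len(fields) >= 4 else None
        if mac is None or mac in known:
            continue
        known.add(mac)
        found.append({"mac": mac, "ip": fields[2], "hostname": fields[3],
                      "randomized": is_locally_administered(mac)})
    return found


if __name__ == "__main__":
    for dev in new_devices(SAMPLE_LEASES, ALLOWED):
        note = "  (locally administered: may differ per network)" if dev["randomized"] else ""
        print(f"{dev['mac']}  {dev['ip']}  {dev['hostname']}{note}")
```

A flagged address is worth re-checking on the device itself before it goes into the primary router's filter list.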
But real humans, unlike anal security freaks like me, can't do that. Real humans (like Jason's mother-in-law) want to buy and bring home a printer or an iPad or a Roku and just set it up. As much as we techies want to leave them with MAC address filtering on, it's become clear that we have to turn that protection off — unless we want to get on a plane each time our loved ones buy new devices.
Setting up this feature will never be easy for the ungeeked, because it always requires a router setup change. But it could be made oh-so-much easier by manufacturers by just displaying the MAC address as part of the setup process.
To make it easier for normal humans to get their devices online, our favorite manufacturers have also made it easier for the bad guys to hurt their customers. Now, that ain't right. That ain't right at all.
As Jason said, there oughta be a law!