Poorly secured wireless networks: it's partially the manufacturers' fault

Poorly secured wireless networks: it's partially the manufacturers' fault

Summary: Manufacturers make it almost impossible to use one very simple and powerful security feature available in almost all routers.

SHARE:

And another thing...

This article is a follow-up to Jason Perlow's post this morning, For the love of God, please secure your wireless networks.

Oh, how we've all been there. Securing networks has even become something of a sore spot in my friend and family relations, because I've had to prevent some unsafe practices against the will (but with spousal support) of some of my favorite force-of-nature octogenarian friends.

Jason writes about how many wireless networks are just sitting out there, unsecured, open, free as free can be. He worries about the people using those networks and how they can easily be targets of unscrupulous wardrivers.

He's right.

But there's one more factor involved. Manufacturers make it almost impossible to use one very simple and powerful security feature available in almost all routers. I first noticed this behavior with Apple products (who else?), but then saw it in many other consumer products, from the Nexus 7 to even the Roku.

Let's talk about MAC address filtering. Wikipedia helpfully defines a MAC address: "A media access control address (MAC address) is a unique identifier assigned to network interfaces for communications on the physical network segment."

Think of it as your network card's serial number.

So, here's how the security component works. On top of all your router's other security measures, you can tell it to only allow devices that have one or more specified MAC addresses. That wardriver out there, who might have tried to tunnel into your network — if he doesn't have one of those MAC addresses, he's not getting into your router.

It's simple, it's powerful. It's not the only security you need, but it's a very helpful and strong additional layer.

And almost every manufacturer has nerfed it.

See, when you hook up a new iPad or a new Nexus 7 or a new Roku or pretty much anything else, they're now super-easy to install. You simply search for a familiar SSID (already a dangerous practice — you should hide your SSIDs) and enter in your WPA2 key.

But what about the MAC address? In most cases, you can't get at it until you're already on the network. Most devices don't display it as part of the network setup process. It's only once the network connection is completely and successfully established that you can go into network settings and see it. If then.

So what does this mean? Well, on my network, I often connect the new device to a dummy router that exists solely for new device installation. Once it gets a DHCP lease request, I know the new MAC address. I power down the dummy router, register the new allowed MAC address in my primary router, and go through the real setup process.

But real humans, unlike anal security freaks like me, can't do that. Real humans (like Jason's mother-in-law) want to buy and bring home a printer or an iPad or a Roku and just set it up. As much as we techies want to leave them with MAC address filtering on, it's become clear that we have to turn that protection off — unless we want to get on a plane each time our loved ones buy new devices.

Setting up this feature will never be easy for the ungeeked, because it always requires a router setup change. But it could be made oh-so-much easier by manufacturers by just displaying the MAC address as part of the setup process.

To make it easier for normal humans to get their devices online, our favorite manufacturers have also made it easier for the bad guys to hurt their customers. Now, that ain't right. That ain't right at all.

As Jason said, there oughta be a law!

Topics: Security, Government, Networking

About

David Gewirtz, Distinguished Lecturer at CBS Interactive, is an author, U.S. policy advisor, and computer scientist. He is featured in the History Channel special The President's Book of Secrets and is a member of the National Press Club.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

21 comments
Log in or register to join the discussion
  • mac filtering useless

    Mac filtering doesn't provide any meaningful increase in security. Its very easy to spoof a mac address, and not too difficult to scan for a client attached to a network which has an address already added to the router. If you are using WPA2 (with a strong key) you already have nearly unbreakable security. If a hacker is smart enough to break that, they'll be able to get through the Mac filter in no time. Its a feature that's unused because its unnecessary. Also if you really DO want to use the filtering you can get the address without a setup network by using the "getmac" command on a windows machine in a command prompt... no idea the equivalent on a apple computer.
    bystander101
  • Not as big a problem as it was...

    One of the smartest things that ISPs did a few years ago was to start giving away wireless routers for "free." Up until that time, if you wanted wireless at home, you pretty much had to buy and install your own wireless router. And given that most routers come set up as "open" networks out of the box, and given what's involved in securing them, many users just plugged them in, connected their laptops and forgot about it.

    Then, especially in closely spaced urban areas, you likely had many households feeding off the same internet connection. Fine for them, but bad for the ISP. Once ISP's started throwing in the wireless router, they also made a point of securing the router when they came to your home to install it.
    dsf3g
    • That's not how it is with today's routers

      The vast majority of brand new routers you'll go out RIGHT NOW and buy, even the cheap Belkin N150 ones, are preconfigured with WPA/WPA2 and a password that is on the bottom of the router. I rarely see a router today that is both brand new AND open by default.
      cryptikonline
      • Ah

        I guess it's been a while since I bought one. That's good to know.
        dsf3g
      • Default Passwords

        One how complex are the default passwordS?

        Two how many are there?

        I suspect not very complex and relatively few.

        Does the router set up require you to change the default password? The recent ones I have do but I have a small sample size.
        Linux_Lurker
        • "One how complex are the default passwordS?"

          Actually...fairly complex. Usually 6 or more alpha-numeric characters.
          IT_Fella
        • You'd be surprised

          A minimum of eight characters, usually hexadecimal (0-9, a-f) yielding over 4 billion possible keys, and each router is assigned a different randomly generated key. Some of them are even more complicated. There is no single default password for an entire model anymore.
          cryptikonline
  • I want your job.

    This article is full of so many outright falsehoods and general misinformation that....well...I'm almost at a loss for words.

    Hide your SSID? Come on.

    MAC address filtering? Give me a break.

    Inexcusable, ZDNET, inexcusable...
    corton
    • Exactly.

      Those two features are useless. I remember George Ou talking about issues concerning wireless routers about a half a decade ago.

      (A minute while I search in Google...)

      Ah, I found one: http://www.zdnet.com/blog/ou/wireless-lan-security-myths-that-wont-die/454
      Grayson Peddie
  • 2 problems with the OP suggestions

    Hiding the SSID - many,many Android devices will not attach to a router which is not broadcasting its SSID

    MAC Filtering - so if a guest arrives and wants to use your router , you do what?
    chips@...
    • A bit of a hassle...

      I guess you could pull out a second router, connect it to the first and have it as an unsecured network while your guests are there. Or turn one of your computers into a wireless hotspot and connect it to your router via an Ethernet cable. Or add their MAC address temporarily to your router and then remove it later when they leave.

      Yeah, none of those are appealing solutions at all.
      immanuel_aj
  • Mac address filtering useless

    I am surprised at this point in time anyone still thinks Mac address filtering is remotely a security advantage? Especially given that WPA2 is available on almost every device and does way more to secure a wireless access point. For a neighborhood I think anything beyond using WPA is pointless and makes no sense for the average consumer. Given the distance of wireless anyway I think its a stretch to think so many are out there trying to use your wireless anyway. I have a neighborhood filled with 2.4Ghz wireless stations and most use at least WPA if not WPA 2 and one still has WAP. I do not find any one of them capable of a decent signal from over 100Ft. Mac filtering might be of usefulness in a business environment but even then I think Mac filtering provides more headaches then security.
    JohnnyES-25227553276394558534412264934521
  • Sure it's helpful

    Mac address filtering isn't the answer all by itself, but it's another important component in a whole set of practices. Some routers have the ability to send emails to a designated addressee for periodic logs and so forth. Why not have them send an email with "Such and such an unknown MAC address attempted to connect". That way you easily have the MAC address to add to the whitelist. You'd also have some information that someone you don't know is trying to connect.
    MC_z
  • Maybe not popular, but not useless

    To some it's just too much effort and too technical. Personally however, I don't see MAC address filtering as useless. It can still be at least one effective layer of security if your willing to actually utilize it effectively, and just like ice cream cake - another layer probably wont hurt to say the least.

    I would think most hackers who would go far enough to realize they need to obtain and spoof a usable MAC address (which is allowed on the network already), are more likely to move on to the next of many unsecured networks. At a minimum, it's a deterrent, like putting a pad lock on your shed.
    DJ-DJ
    • However...

      What I gather from reading the comments is:
      If you have two wireless networks, the first is unsecured but uses MAC address filtering, the second is secured with WPA2 but has no MAC address filtering. A hacker would go after the unsecured one since it's a lot easier to spoof a MAC address rather than break the WPA2 encryption.

      So why go through the hassle of using MAC address filtering when WPA2 is stronger than it?
      immanuel_aj
      • Two? One set up to be less secure than the other?

        I'm only thinking in terms of one wireless network. I quoted the following from about.com (http://compnetworking.about.com/cs/wirelessproducts/qt/macaddress.htm)
        simply because it sums up what I had in mind and intended to communicate pretty well.

        Hopefully it's okay to post a link.

        "When MAC address filtering is enabled, however, the access point or router performs an additional check on a different parameter. Obviously the more checks that are made, the greater the likelihood of preventing network break-ins."

        Again, you can either put a padlock on your shed or not. It's not full proof but, in my opinion, it makes more sense to put the lock on.
        DJ-DJ
  • Not entirely useless

    My main use for the MAC address is that my router allows schedules to be placed on the mac address.
    This means I can limit the internet use for the myriad iDevices we have in our household.
    The annoying thing is I can't say "limit it for these and allow any others".
    Pachanga-4184c
  • The typical mix of ignorance and arrogance in the comments...

    Well the idea of the different security settings is that if you care about security, you will use them, If you are lazy, or don't care, well that is your problem, and no one else's.

    So, you have a Network, with a wireless node or access point or repeater. You read some articles online and you decide to enable WPA, instead of WEP. Good for you, that is a great start!

    Now, if you broadcast the SSID (name of the network you entered) then the guy with the laptop who wants to play WoW on your bandwidth can see it, and try to crack in. So, you hide the SSID. layer two, enabled.

    Why, do you need your own SSID broadcast anyhow? Unless you are actually providing a public access point? You don't need to broadcast it. It is no one's business that you even have Wifi, so do yourself a favour, and hide the SSID. Besides, you should know what it is, so should anyone you have authorized to use it. Along these lines, it is a great idea to change it now and then also. If someone wants to use your network, oh my they will just have to ask what it is... oh such a chore .. they have to ask what the WPA key is anyhow, right? Please, think before you spout off about how much WORK it is... LOL

    Now, back to the guy sitting in his car, in the alley out back, wanting to use your WiFi for surfing porn. So, he gets the SSID from someone, or guesses it, because you are an idiot and used your name. Well, if you also add MAC filtering, then he cannot even TRY to log-on, because the router will not accept it, because his MAC is not on the white-list. So, that is layer three. If the guy is STILL picking away at your WiFi, he is pretty determined.

    So, layer four, static IP addressing. I always use this. No lazy DHCP used on my networks, I set things up properly, I use the static IPs, and filter them, also using the MAC address filtering, and WPA, and I hide the SSID. Oh my, it took 15 minutes to set up on like five systems. If you cannot set aside even one hour to secure your network, I suggest you set up your PC on the front lawn on a table with free coffee! You might as well replace your car ignition with a light switch, and take the entrance doors off your house also. After all, your time is so important that you cannot possibly waste all those accumulated seconds opening locks and logging in or fumbling for keys, right?

    So. The basic bottom line is, none of those methods are useless, none are a waste of time, and they all add layers. The more deterrents and layers you add, the chances your would-be hacker is going to find a new mark. Still many people will argue, because they are ignorant and proud of it, or self-righteous and lazy and full of excuses and reasons to NOT do things. Well guess what, no one cares! If you want to have an unsecured or half-ass network setup, you are perfectly in your rights to do so. However, if I have to set up your network and I feel you might blame me for people getting in later, but you still want "easy access" than that is your right, and I will do that right after you sign the waiver form. :)

    If a hacker cannot see, and thus cannot try to log-on without actually doing some work, and he still persists by other means, he is seriously hating on you, or is very determined to get your collection of kitten pictures. At this point, you might seek further security options, like a shot gun, or a baseball bat. The fact is, no security is perfect, if it was, no one would have access. It is all up to you, what you feel is important, or worth the level of effort you want to invest. However, it is a good idea to not place all your eggs into one basket when it comes to security.
    Kieron Seymour-Howell
    • Oh, and before I get flamed for that comment...

      Keep in mind this is zdnet.com, not TechRepublic. The majority of the readers here are home users, not business users. The layered approach is great for blocking iPhones and tablets or other wireless devices, but it really does not block a determined hacker. The determined hacker is going to be less than 1% of your problem. And, of course I am familiar with George Ou's books as well as many other authors' articles and resources on network security, but this is a home user oriented site. If I was posting this on LinkedIn, or TechRepublic I would be singing a slightly different tune. It is wise to tailor advise to specific groups of people.

      Yes, there are hacking tools and devices that will sniff out weaknesses in networks, and I still will advise the layered approach, because it will filter out the clear majority of opportunistic people who will be the ones who will try to access your network. Think of the layered approach as traffic control as much as security. If I can offload 90% of the would-be hackers with the less effective methods, then you are darn right I am going to use them, but AS WELL as the more secure methods. Any security system, is not going to be perfect, but that does not mean you only have one very expensive lock, no, you use more than one, because time and effort to pass through multiple layers for the majority of inexperienced criminals will deter most of them and I believe that is worth the effort.
      Kieron Seymour-Howell
    • Re: So, you hide the SSID

      Did you even read, and understand, the explanation of why hiding the SSID can make all your machines LESS secure?
      ldo17