MAC Address Filtering and Hiding SSID Won’t Protect Your Wi-Fi Network
Linda Ikechukwu
It's worrying that years after pseudo Wi-Fi security practices like MAC address filtering and hiding SSID broadcast have been proven to be no better than putting lipstick on a pig, some organisations still use them.
While these practices may offer some utility in specific circumstances, they're nearly useless in mitigating modern threats. They only provide a false sense of protection. MAC addresses have become more dynamic in recent years (eg. in iOS 14, macOS Sequoia), and soon these approaches will outdated.
The true security of a Wi-Fi network depends on the effectiveness and strength of the authentication and encryption methods used, as I explain in Everything You Should Know About Wi-Fi Security. Disabling SSID broadcast or using MAC address filtering alone provides neither, and here's why:
MAC Address Filtering is like locking your front door but leaving the key under the mat
MAC address filtering does not provide any tangible security benefits to a Wi-Fi network because of the somewhat flexible nature of MAC addresses; a device can easily change it’s MAC address at any time.
A little background on MAC Addresses
A MAC (Media Access Control) address is a unique identifier assigned to each network adapter (aka Network Interface Card or "NIC") within a client device. It is used to uniquely identify devices on local networks to ensure data is sent to the correct destination. While the MAC address used to be considered a permanent hardware device identifier, that is no longer the case.
MAC addresses are a precursor to IP addresses. They are used to address packets between devices on local networks, at the data link layer of the TCP/IP protocol stack. All devices have both "physical" and "logical" addresses on the network, and the MAC address represents the "physical" address of a device.
When sending data, a device includes both its own and the recipient's MAC addresses in packet headers. This ensures that data reaches the correct recipient and that the recipient can respond back.
Modern devices typically have multiple NICs—for example, a Wi-Fi NIC, Cellular NIC, Ethernet NIC, and Bluetooth NIC—each responsible for translating data into the appropriate format for the respective network medium (e.g., a Wi-Fi NIC handles Wi-Fi radio communication).
Each NIC is assigned a unique (-ish) MAC address by its manufacturer, typically a 48-bit number displayed as 12 hexadecimal characters. The first 24 bits represent the manufacturer’s code (OUI), and the last 24 bits are unique to the specific NIC.
Example, in the MAC address 00:1A:2B:3C:4D:5E
,
• 00:1A:2B identifies the manufacturer.
• 3C:4D:5E uniquely identifies the NIC within that manufacturer’s pool.
To find your MAC address:
- MacBook: Go to System Settings > Wi-Fi > Advanced or type
ifconfig en0
in the terminal. - Windows: Run
ipconfig /all
in cmd and check under Wireless LAN Adapter > Physical Address.
Despite its uniqueness, a MAC address can be manually changed by users, network administrators, or software, which is why MAC address filtering alone is not a reliable security measure.
Source: LearnTomato
Why MAC Address Filtering Does not Work
Imagine you’re hosting an exclusive party with a guest list. When guests arrive, they say their name, and if it’s on the list, the bouncer lets them in. This is how MAC address filtering or allowlisting works.
When a device tries to connect to a Wi-Fi network, the Wi-Fi NIC sends an authentication request to the router or access point, including it’s MAC address. The router/AP checks the MAC address, and if MAC address filtering is enabled, it compares the address to its MAC allowlist or denylist to decide if the device can join the network. Once connected, the NIC’s MAC address is used to uniquely identify the device on the network, ensuring proper routing of data packets.
There are two types of MAC address filtering:
- Allowlist Filtering: The network administrator creates a list of approved MAC addresses. Only devices on this list can connect, much like only invited guests can enter your exclusive party. If the MAC address isn’t on the allowlist, access is denied.
- Denylist Filtering: Here, specific MAC addresses are blocked from connecting, but all others can join. It’s less restrictive since only listed devices are denied access, making it a less secure filtering method.
While allowlisting is more secure than denylisting, they both still offer little to no security by themselves, for the following reasons:
Management Complexity
Adding every new device to the Access Control List can be a tedious process, especially in environments with many devices. Managing this can become overwhelming at scale.
Vulnerability to MAC Address Spoofing
MAC addresses used to be fixed in hardware. But, today, changing a MAC address is very easy. For instance, on macOS, you can change it by typing the command ifconfig en0 ether xx:xx:xx:xx:xx:xx
in the terminal, where you replace xx:xx:xx:xx:xx:xx
with the desired MAC address. On Windows, you can go to Device Manager > Properties > Advanced > Network Address and enter the new address.
Since MAC address filtering only checks the MAC address and not the actual device, spoofing a MAC address can allow an attacker to bypass the filter if they use an approved address. If someone is denylisted, they can simply change their MAC address and gain access. For allowlisting, an attacker can use network traffic monitoring tools like airodump-ng to discover allowed MAC addresses, and spoof one to gain access. Tools like this can identify connected devices within minutes, as shown in the article Bypassing MAC Filters on Wi-Fi Networks.
MAC Address Randomization
MAC address randomization is a privacy feature designed to prevent device tracking: If MAC addresses remain constant, it becomes easier to track and profile a device's movement across different networks. MAC address randomization is designed to address this concern.
On Windows 10 and 11, users can enable random MAC addresses by going to Settings > Network & Internet > Wi-Fi > Manage known networks > Properties, and toggling Use random hardware addresses to On.
In macOS Sequoia, go to Apple menu > System Settings > Wi-Fi and use the Private Wi-Fi Address settings.
In Linux, devices using NetworkManager can enable MAC address randomization.
Hiding your SSID is like camouflaging with bright colours
An SSID broadcast is how a router transmits your wireless network name (the service set identifier, SSID) to nearby devices, making the network visible in the list of available Wi-Fi connections. This allows users within range to easily select and connect to the network.
Hiding the SSID is a security practice where routers or access points stop broadcasting the network name. The belief is that by hiding the SSID, only users who know the exact name of the network can connect to it, offering an extra layer of security by making the network harder to find. However, that couldn’t be farther from the truth. While hiding SSID makes the network name invisible to casual users, it doesn’t secure the network from external threats.
Devices attempting to connect will send out requests containing the SSID (even when out of range), and hackers monitoring Wi-Fi traffic can easily intercept these requests and discover the hidden SSID.
Behind the Scenes of a Wi-Fi Connection
To understand why hiding your SSID provides no real security, it’s useful to first look at what happens when a device connects to Wi-Fi.
-
Beacon Frames Broadcast: Routers send out beacon frames containing the SSID and network details to help devices connect. If the SSID broadcast is disabled, the router still sends beacon frames but without the SSID.
-
Network Scanning (Passive & Active): Devices scan for networks by listening for beacon frames. For hidden networks, the SSID isn’t visible, so users must enter it manually. The device then sends probe requests containing the SSID, which can be intercepted by anyone monitoring traffic.
-
Authentication: Once a network is selected, the device starts the authentication process by sending the SSID to the router. Whether the SSID is hidden or not, this step exposes it to anyone capturing Wi-Fi traffic.
-
Association: After authentication, the device sends an association request containing the SSID to the router. The router responds, allowing the device to join the network.
-
4-Way Handshake: For secure networks, the device and router perform a 4-way handshake to exchange encryption keys, securing the connection.
-
IP Address Assignment: The device requests an IP address via DHCP, allowing it to communicate on the network.
In summary, even when the SSID isn’t broadcasted, it still appears in later steps, making hiding the SSID ineffective as a security measure.
Why Hiding SSID Broadcast Does not Work
Imagine a driver is picking you up from the airport. They don’t know you, and you don’t know them, so they hold a sign with your name, “Jane.” When you spot the sign, you approach and say, “I’m Jane.” This is what happens when a client connects to a broadcast network where the SSID is visible.
Now, picture the driver trying to be secretive and not holding a sign. You’d have to walk around asking, “Who’s picking up Jane?” repeatedly, until the driver responds, “I’m here for Jane.” This mirrors connecting to a hidden network, where your device constantly sends out requests looking for the hidden SSID.
In both scenarios, once you identify each other, you exchange credentials and proceed securely. However, the search process happens entirely in public, as it broadcasts the SSID to anyone nearby monitoring the traffic.
Hidden SSIDs can still be uncovered by network sniffers
While SSID broadcast hiding might seem like a security measure, it offers little real protection. Disabling the SSID prevents casual users from seeing your network, but attackers can still detect it easily.
Tools like Wireshark and Kismet can reveal hidden SSIDs. Since you can’t fully hide the router’s activity, SSID hiding offers superficial security, deterring casual users but not those with basic tools or knowledge.
Hidden SSIDs make networks worse for users
In exchange for meager security benefits, hiding your SSID complicates the Wi-Fi connection process. In Windows, users must manually create a network profile, navigating several configuration screens. Even Microsoft advises against it.
Finally, hidden SSIDs can cause performance issues. Devices must actively search for the network by sending probe requests, rather than passively listening for beacon frames, leading to slower connection times and degraded roaming performance in larger networks. As a result, hiding the SSID adds complexity without improving security, while also affecting network performance.
There’s a better way
You don't need a patchwork of mediocre "security" mechanisms to secure a Wi-Fi network. What you need is Enterprise Wi-Fi security. Specifically, WPA2/WPA3 Enterprise 802.1X certificate-based Wi-Fi. Enterprise Wi-Fi is widely regarded as the most secure Wi-Fi network security mode. It offers the strongest possible form of authentication and it addresses network security and privileged access use cases that are difficult or impossible to manage with other methods. This system also allows for mutual authentication—the client device can authenticate the RADIUS server to ensure it's connecting to the right network, avoiding spoofed networks.
To roll out EAP-TLS certificate-based Wi-Fi authentication at scale for your organisation, you need an internal PKI and a RADIUS server, technologies which can be complicated to configure and maintain on your own.
Smallstep takes care of this for you.
With Smallstep's consolidated WPA-Enterprise Wi-Fi solution, we provide you with a PKI and RADIUS server out of the box. Smallstep supports modern hardware-attested device certificate enrollment with ACME, as well as legacy enrollment protocol support like SCEP and NDES. We also offer a seamless drop-in replacement for legacy technologies such as Active Directory Certificate Services (AD CS).
Wi-Fi is just one piece of Smallstep's Device Identity Platform. Device identity ensures that only company-owned devices can access your enterprise's most sensitive resources like Wi-Fi, VPN, SaaS and Okta apps, internal tools, and so many more. Our collaboration with Google and Apple on ACME Device Attestation (ACME DA) provides the strongest possible guarantee of authentic device identity, preventing credential exfiltration, phishing, and impersonation attacks.
Move away from outdated Wi-Fi security practices like MAC Address filtering and hiding SSID broadcastthat do absolutely nothing for your Wi-Fi network.
Smallstep’s certificate-based solution for Enterprise Wi-Fi networks takes the hassle out of deploying EAP-TLS and 802.1X network authentication. See a demo here, try it on the app or book a consultation with an expert.
About the author: Linda is an educator at heart, and her superpower is demystifying complexity. Since joining SmallStep as a developer advocate, her new mission is now to demystify and educate about PKI and digital certificates :)