WPA3 Wi-Fi still saddled with security flaws, researchers claim [u]

Posted:
in General Discussion edited April 11
WPA3 -- a Wi-Fi security protocol launched by the Wi-Fi Alliance in 2018 -- is, in practice, better than WPA2, but still fraught with security flaws, according to a recent research paper.

Netgear Nighthawk AX12 Wi-Fi router


"In light of our presented attacks, we believe that WPA3 does not meet the standards of a modern security protocol," wrote authors Mathy Vanhoef and Eyal Ronen, quoted by Ars Technica. The pair argued that many of the same attacks continue to work and will likely remain effective for years, especially with lower-cost Wi-Fi devices.

WPA3 makes use of a technology dubbed "Dragonfly," more formally Simultaneous Authentication of Equals. This improves a previous four-way "handshake" with a Pairwise Master Key as well as "forward secrecy." In combination, the idea was that WPA3 would be more resistant to password guessing attacks.

The Alliance failed to listen to recommendations about moving away from hash-to-group and hash-to-curve password encoding, Vanhoef and Ronen said, and the result is a group of "Dragonblood" proof-of-concept exploits. Those exploits will also work against networks equipped with the Extensible Authentication Protocol, or EAP, so long as they have EAP-pwd enabled. It's said in fact that with EAP-pwd, an attacker could impersonate any user without knowing the person's password.

The simplest WPA3 exploits involve a transition mode that lets WPA3-ready devices work in backwards compatibility with those that aren't. Another set involves side-channel leaks that leak info about the passwords being used.

In a response, the Alliance said that the paper "identified vulnerabilities in a limited number of early implementations of WPA3-Personal," and that WPA3-Personal is not only "in the early stages of deployment," but that "the small number of device manufacturers that are affected have already started deploying patches to resolve the issues."

Neither the researchers nor the Alliance have identified any "Dragonblood" exploits being used by real-world hackers.

Mac, iPhone, and iPad owners can mitigate WPA3 threats by updating compatible Wi-Fi routers to the latest available firmware. They should also use unique, ideally randomly-generated router passwords that are at least 13 characters long -- password management apps may make it easier to meet requirements.

At present, it isn't clear if Apple's line of AirPort routers, now discontinued, will see a firmware update for the exploits. Sources inside Apple not authorized to speak on behalf of the company has told us previously that there is still a corps of software engineers tasked with keeping the AirPort "as safe as possible for as long as possible."

Update: On Thursday afternoon, the Wi-Fi Alliance cited a later tweet by Vanhoef stating that WPA3 is better than WPA2, but the flaws are still serious.
«1

Comments

  • Reply 1 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    llamacornchipn2itivguy
  • Reply 2 of 25
    SoliSoli Posts: 8,678member
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    edited April 11 jbdragonbonobobrusswcornchipfastasleep
  • Reply 3 of 25
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    Your primary rule is flawed.  The concept of “more secure than your neighbor” assumes the attacker is searching for the lowest hanging fruit.  

    If the attacker is specifically targeting YOU for some reason (see: every celebrity hack ever), then simply trying to be more secure than your neighbor may be a pretty low bar.
    edited April 11 cornchipfastasleep
  • Reply 4 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    Your primary rule is flawed.  The concept of “more secure than your neighbor” assumes the attacker is searching for the lowest hanging fruit.  

    If the attacker is specifically targeting YOU for some reason (see: every celebrity hack ever), then simply trying to be more secure than your neighbor may be a pretty low bar.
    Unless you are rich or famous or powerful, there is no reason for a hacker to go after you and only you.  The vast majority are simply looking to hack somebody, anybody -- in the same realm as a credit card skimmer is not looking for YOUR card number.   They just want A card number.
  • Reply 5 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
  • Reply 6 of 25
    SoliSoli Posts: 8,678member
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    edited April 11 cornchip
  • Reply 7 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    Soli said:
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    No, I disagree with your analogy.  Because it CAN be done doesn't make easy or quick to do.   And, in this case, they are no more likely to want to hack my WiFi as any of the hundreds of houses around me.   So, they are most likely to go elsewhere rather than spend the extra time and effort to figure out what is blocking them, how to get around it and then do all the work to do it.   They are much more likely to simply to just go next door.
  • Reply 8 of 25
    I’m not sure I understand the article’s point about Apple’s now-discontinued AirPort routers. Do they even support WPA3? If not, then why would Apple need to patch vulnerabilities?

    The real issue is the tragedy that we have a brand new, should-be-more-secure protocol and they’re already finding holes in it. Seriously?
    n2itivguy
  • Reply 9 of 25
    SoliSoli Posts: 8,678member
    Soli said:
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    No, I disagree with your analogy.  Because it CAN be done doesn't make easy or quick to do.   And, in this case, they are no more likely to want to hack my WiFi as any of the hundreds of houses around me.   So, they are most likely to go elsewhere rather than spend the extra time and effort to figure out what is blocking them, how to get around it and then do all the work to do it.   They are much more likely to simply to just go next door.
    Don't conflate your inability to do something with its level of difficulty. Anyone who is able to grab your network packets in an attempt to try to break your wireless encryption will be able to adjust their MAC accordingly. In fact, this is already done specifically so that their BiA as a default MAC isn't logged by systems they are hacking.


    Note: That's for a manual change which is more effort but still ridilcously easy.

    Work smarter, not harder. Security works when you protect yourself through reasonable actions, not when you make life difficult for yourself without affecting a would-be attacker.
  • Reply 10 of 25
    I'm confused about your statement speculating wether Apple will see a firmware update for the exploits. Airport Routers are all still WPA-2, so do these exploits also affect WPA-2 routers or would Apple need to eventually need to do a WPA-3 firmware update, if that's even possible given the firmware in use.
  • Reply 11 of 25
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    This is really ridiculous. Your point about outrunning the friend and not the bear might have been true ten years ago (maybe) but it isn't today, when automated scans sweep every target in range, and are capable of trying many types of exploit.

    "Security through obscurity" is occasionally better than no security, but it's not better than any sort of real security. Immediate notification is basically useless in most contexts now due to attack volume. (If I looked at every time fail2ban banned an IP on a mailserver I'd never have time to eat or sleep.)

    As others have pointed out, your notion that MAC security does anything useful is risible.

    In short, this is an excellent example of why you should never take security advice from strangers on the internet. (Don't take mine, either. Pay a professional.)
    IreneW
  • Reply 12 of 25
    Johan42Johan42 Posts: 92member
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    This is why I laugh every time I see someone from this forum talk with such confidence over something they think they know, when in reality they don’t...such as how trivial it is to spoof a MAC address.
  • Reply 13 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    Soli said:
    Soli said:
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    No, I disagree with your analogy.  Because it CAN be done doesn't make easy or quick to do.   And, in this case, they are no more likely to want to hack my WiFi as any of the hundreds of houses around me.   So, they are most likely to go elsewhere rather than spend the extra time and effort to figure out what is blocking them, how to get around it and then do all the work to do it.   They are much more likely to simply to just go next door.
    Don't conflate your inability to do something with its level of difficulty. Anyone who is able to grab your network packets in an attempt to try to break your wireless encryption will be able to adjust their MAC accordingly. In fact, this is already done specifically so that their BiA as a default MAC isn't logged by systems they are hacking.


    Note: That's for a manual change which is more effort but still ridilcously easy.

    Work smarter, not harder. Security works when you protect yourself through reasonable actions, not when you make life difficult for yourself without affecting a would-be attacker.
    I'm not conflating anything....   MAC authorization lies on top of any other security I have, not instead of.   And, as I have said, if they want in, they will get in.  But unless you have something they know that they want, thieves will generally pick the easiest target.  So, that would be one without MAC authorization.  And, MAC authorization does not make anything difficult for me -- I only need to update it when I purchase a new device and that is just a couple of clicks.
  • Reply 14 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    This is really ridiculous. Your point about outrunning the friend and not the bear might have been true ten years ago (maybe) but it isn't today, when automated scans sweep every target in range, and are capable of trying many types of exploit.

    "Security through obscurity" is occasionally better than no security, but it's not better than any sort of real security. Immediate notification is basically useless in most contexts now due to attack volume. (If I looked at every time fail2ban banned an IP on a mailserver I'd never have time to eat or sleep.)

    As others have pointed out, your notion that MAC security does anything useful is risible.

    In short, this is an excellent example of why you should never take security advice from strangers on the internet. (Don't take mine, either. Pay a professional.)
    First, it is not either/or.  We are not talking ONLY MAC authorization.   It sits on top of any other security and in addition to.
    Second, we are not talking industrial strength but home security.
    Third, "Security through obscurity" is a standard industrial method.  Again, not their only method, but part of their security.  It's also the reason you don't leave valuables in plain view in your car.
    Fourth, Immediate notification has saved me twice when my credit card was hacked.  Both times it was for small amounts that I would have passed by a month later while reviewing my credit card statement.

    But, chiefly, the part you are missing is:   Layers of security are better than any one single of those layers by itself.
  • Reply 15 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    Johan42 said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    This is why I laugh every time I see someone from this forum talk with such confidence over something they think they know, when in reality they don’t...such as how trivial it is to spoof a MAC address.
    OK, you can rely on your 13 character password.   Feel safe my friend.   But, actual security professionals know not to rely on a single barrier and put multiple layers into place.
  • Reply 16 of 25
    SoliSoli Posts: 8,678member
    Soli said:
    Soli said:
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    No, I disagree with your analogy.  Because it CAN be done doesn't make easy or quick to do.   And, in this case, they are no more likely to want to hack my WiFi as any of the hundreds of houses around me.   So, they are most likely to go elsewhere rather than spend the extra time and effort to figure out what is blocking them, how to get around it and then do all the work to do it.   They are much more likely to simply to just go next door.
    Don't conflate your inability to do something with its level of difficulty. Anyone who is able to grab your network packets in an attempt to try to break your wireless encryption will be able to adjust their MAC accordingly. In fact, this is already done specifically so that their BiA as a default MAC isn't logged by systems they are hacking.


    Note: That's for a manual change which is more effort but still ridilcously easy.

    Work smarter, not harder. Security works when you protect yourself through reasonable actions, not when you make life difficult for yourself without affecting a would-be attacker.
    I'm not conflating anything....   MAC authorization lies on top of any other security I have, not instead of.   And, as I have said, if they want in, they will get in.  But unless you have something they know that they want, thieves will generally pick the easiest target.  So, that would be one without MAC authorization.  And, MAC authorization does not make anything difficult for me -- I only need to update it when I purchase a new device and that is just a couple of clicks.
    You should also keep your SSID hidden because then they'll never know your network exists. /s
  • Reply 17 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    Soli said:
    Soli said:
    Soli said:
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    No, I disagree with your analogy.  Because it CAN be done doesn't make easy or quick to do.   And, in this case, they are no more likely to want to hack my WiFi as any of the hundreds of houses around me.   So, they are most likely to go elsewhere rather than spend the extra time and effort to figure out what is blocking them, how to get around it and then do all the work to do it.   They are much more likely to simply to just go next door.
    Don't conflate your inability to do something with its level of difficulty. Anyone who is able to grab your network packets in an attempt to try to break your wireless encryption will be able to adjust their MAC accordingly. In fact, this is already done specifically so that their BiA as a default MAC isn't logged by systems they are hacking.


    Note: That's for a manual change which is more effort but still ridilcously easy.

    Work smarter, not harder. Security works when you protect yourself through reasonable actions, not when you make life difficult for yourself without affecting a would-be attacker.
    I'm not conflating anything....   MAC authorization lies on top of any other security I have, not instead of.   And, as I have said, if they want in, they will get in.  But unless you have something they know that they want, thieves will generally pick the easiest target.  So, that would be one without MAC authorization.  And, MAC authorization does not make anything difficult for me -- I only need to update it when I purchase a new device and that is just a couple of clicks.
    You should also keep your SSID hidden because then they'll never know your network exists. /s
    I have thought of that.   Even tried it.   It was too much a pain in the neck to deal with.   But, that was a few years back.  Things may have improved since then. 

    Why would anyone put all their security eggs in a single basket?   Layers make sense.   And, to criticize anyone of those those layers as inadequate in and of itself, makes no sense because NO single layer is adequate in and of itself.   So, that leaves layers.
  • Reply 18 of 25
    SoliSoli Posts: 8,678member
    Soli said:
    Soli said:
    Soli said:
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    No, I disagree with your analogy.  Because it CAN be done doesn't make easy or quick to do.   And, in this case, they are no more likely to want to hack my WiFi as any of the hundreds of houses around me.   So, they are most likely to go elsewhere rather than spend the extra time and effort to figure out what is blocking them, how to get around it and then do all the work to do it.   They are much more likely to simply to just go next door.
    Don't conflate your inability to do something with its level of difficulty. Anyone who is able to grab your network packets in an attempt to try to break your wireless encryption will be able to adjust their MAC accordingly. In fact, this is already done specifically so that their BiA as a default MAC isn't logged by systems they are hacking.


    Note: That's for a manual change which is more effort but still ridilcously easy.

    Work smarter, not harder. Security works when you protect yourself through reasonable actions, not when you make life difficult for yourself without affecting a would-be attacker.
    I'm not conflating anything....   MAC authorization lies on top of any other security I have, not instead of.   And, as I have said, if they want in, they will get in.  But unless you have something they know that they want, thieves will generally pick the easiest target.  So, that would be one without MAC authorization.  And, MAC authorization does not make anything difficult for me -- I only need to update it when I purchase a new device and that is just a couple of clicks.
    You should also keep your SSID hidden because then they'll never know your network exists. /s
    I have thought of that.   Even tried it.   It was too much a pain in the neck to deal with.   But, that was a few years back.  Things may have improved since then. 

    Why would anyone put all their security eggs in a single basket?   Layers make sense.   And, to criticize anyone of those those layers as inadequate in and of itself, makes no sense because NO single layer is adequate in and of itself.   So, that leaves layers.
    Apparently my sarcasm was too subtle. Hiding your network name doesn’t mean you’re hidden. Wardrivers see hidden and unhidden networks with the same ease. There is even a built-in macOS diagnostic app that will show hidden networks. That means it’s not a layer of security. You’re only hiding it from people that would never be a threat.
    edited April 12
  • Reply 19 of 25
    Johan42 said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    This is why I laugh every time I see someone from this forum talk with such confidence over something they think they know, when in reality they don’t...such as how trivial it is to spoof a MAC address.
    OK, you can rely on your 13 character password.   Feel safe my friend.   But, actual security professionals know not to rely on a single barrier and put multiple layers into place.
    That 13 character password is a better deterrent than the gimmicky “security” features in modern routers.
  • Reply 20 of 25
    GeorgeBMacGeorgeBMac Posts: 4,128member
    Soli said:
    Soli said:
    Soli said:
    Soli said:
    Soli said:
    THE primary rule remains:   "If they want in bad enough, they will.   The trick is to make it hard enough that they go after your neighbor instead."
    ...  That's sort of a take off on the joke that you don't have to outrun the bear, just your friend.

    Too often it seems we think we can rely on having big locks (aka "13 character passwords") on things.   But, often better is:
    1)  Security through obscurity
    2)  Immediate notification (such as when a sign on is attempted or a new device connected or especially if there is an invalid attempt.)

    For myself, I keep MAC authorization enabled so that, if I don't know your MAC address, you aren't getting in.
    I appreciate your vigilance, but you should know that it's trivial to locate a valid MAC address as they are sent with each and every packet, and they are easily spoofable since they are a virtual representation of the BiA (burn-in address). It's effectively just a speedbump for any would be attacker, and one so small that they don't even have to slow down.

    To WPA2's credit, this protocol has been going strong since its release in the mid-aughts, and without a successor that greatly increases protection it looks like it'll be used for many years to come.
    As I said, there are no bullet proof security schemes.   If they want in bad enough, they will get in.   The trick is to make it hard enough that they go elsewhere for easier pickings.  Finding and spoofing a valid Mac address can be done, but it would be easier, quicker and cheaper to go pick on somebody else.
    Do as you wish but this causes more work for you and is no real additional hurdle for anyone who may want to access your network or traffic. It's like having to choose to between carrying a backpack that is 10 kilos and one that is 10.01 kilos. Sure, one is technically heavier than the other, but you wouldn't waste a moment worrying about that extra weight because it's a non-issue. If they have to choose between to you or a neighbor with WPA2 then you locking your network down with a MAC address will not be a deterrent. If you want to keep your network secure just use WPA2-PSK (AES) and be done with it.

    PS: If you're on any public network or one you can't completely trust then use a VPN service. You may also want to use a DNS that isn't supplied by your ISP.
    No, I disagree with your analogy.  Because it CAN be done doesn't make easy or quick to do.   And, in this case, they are no more likely to want to hack my WiFi as any of the hundreds of houses around me.   So, they are most likely to go elsewhere rather than spend the extra time and effort to figure out what is blocking them, how to get around it and then do all the work to do it.   They are much more likely to simply to just go next door.
    Don't conflate your inability to do something with its level of difficulty. Anyone who is able to grab your network packets in an attempt to try to break your wireless encryption will be able to adjust their MAC accordingly. In fact, this is already done specifically so that their BiA as a default MAC isn't logged by systems they are hacking.


    Note: That's for a manual change which is more effort but still ridilcously easy.

    Work smarter, not harder. Security works when you protect yourself through reasonable actions, not when you make life difficult for yourself without affecting a would-be attacker.
    I'm not conflating anything....   MAC authorization lies on top of any other security I have, not instead of.   And, as I have said, if they want in, they will get in.  But unless you have something they know that they want, thieves will generally pick the easiest target.  So, that would be one without MAC authorization.  And, MAC authorization does not make anything difficult for me -- I only need to update it when I purchase a new device and that is just a couple of clicks.
    You should also keep your SSID hidden because then they'll never know your network exists. /s
    I have thought of that.   Even tried it.   It was too much a pain in the neck to deal with.   But, that was a few years back.  Things may have improved since then. 

    Why would anyone put all their security eggs in a single basket?   Layers make sense.   And, to criticize anyone of those those layers as inadequate in and of itself, makes no sense because NO single layer is adequate in and of itself.   So, that leaves layers.
    Apparently my sarcasm was too subtle. Hiding your network name doesn’t mean you’re hidden. Wardrivers see hidden and unhidden networks with the same ease. There is even a built-in macOS diagnostic app that will show hidden networks. That means it’s not a layer of security. You’re only hiding it from people that would never be a threat.
    Ok,  so then, apparently (if I follow your illogical logic) since there is no completely fail safe WiFi security available, "That means [there is no] security" and, by extension, we shouldn't even bother. 

    That's fine.  you can leave your WiFI wide open since there are no fool proof security systems available.  I'll do what I can to keep mine as safe as possible.

Sign In or Register to comment.