Wireless Security
MAC Address Filtering as a First Guard
Even if someone manages to brute-force or sniff my WPA2/WPA3 password, they are stuck at the gates if their Hardware Address (MAC) isn't on my "Allow List."
While MAC spoofing is possible for a sophisticated attacker, denying all unknown IDs by default forces an intruder to perform active reconnaissance to even figure out which addresses are permitted. It turns a "passive" attack into an "active" one, increasing their chance of detection.
Preventing "Lateral Movement"
The biggest danger of a compromised password isn't that someone is "stealing my Wi-Fi" to browse the web; it's Lateral Movement.
- The Scenario: A guest or a compromised IoT device (like a cheap smart bulb) gets onto the network.
- The Risk: Once inside, they can scan for open ports on your NAS, your Arch Linux workstations, or your development servers.
- The Defense: By denying any device you haven't explicitly provisioned, you ensure that the internal "trusted" zone remains truly isolated.
The "Shadow IT" Problem at Home
Even in a home lab or a personal network, "Shadow IT" exists. This could be a family member's unpatched laptop, a work-provided device with unknown telemetry, or an old tablet running an ancient version of Android.
- By requiring an explicit "Allow," you force a security audit every time a new device wants to join.
- You can ask: Does this device need to be on my main VLAN, or should it be shoved into an isolated Guest IoT sandbox?
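An added example (not part of the original post) of what that per-device audit can look like in practice: it compares neighbor-table entries against an allow list that records which segment each device was provisioned on, and flags unknown addresses, randomized (locally administered) addresses, and allow-listed addresses seen on the wrong segment. The allow list, the interface names vlan10/vlan30, and the sample lines in `ip neigh show` format are all constructed for illustration.

```python
import re

# Constructed allow list: MAC -> (device name, interface/VLAN it was provisioned on).
ALLOW_LIST = {
    "3c:22:fb:aa:bb:01": ("workstation", "vlan10"),
    "00:11:32:aa:bb:02": ("nas", "vlan10"),
    "d8:f1:5b:aa:bb:03": ("smart-bulb", "vlan30"),
}

# Constructed sample in the format printed by `ip neigh show` on Linux.
SAMPLE_NEIGH = """\
192.168.10.21 dev vlan10 lladdr 3c:22:fb:aa:bb:01 REACHABLE
192.168.10.5 dev vlan10 lladdr 00:11:32:AA:BB:02 STALE
192.168.10.77 dev vlan10 lladdr d8:f1:5b:aa:bb:03 REACHABLE
192.168.10.90 dev vlan10 lladdr a6:5e:60:12:34:56 DELAY
192.168.30.14 dev vlan30 lladdr 58:ef:68:99:88:77 REACHABLE
192.168.10.200 dev vlan10  FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})\b"
)

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set, as in randomized MACs."""
    return bool(int(mac[:2], 16) & 0x02)

def audit(neigh_text, allow_list):
    """Return a list of (finding, ip, interface, mac) for entries needing review."""
    findings = []
    for line in neigh_text.splitlines():
        m = NEIGH_RE.match(line)
        if not m:  # FAILED/INCOMPLETE entries carry no lladdr; nothing to check
            continue
        ip, dev, mac = m["ip"], m["dev"], m["mac"].lower()
        if mac not in allow_list:
            kind = "unknown-randomized" if is_locally_administered(mac) else "unknown"
            findings.append((kind, ip, dev, mac))
        elif allow_list[mac][1] != dev:
            # Provisioned device seen outside its segment: misplaced or a copied address.
            findings.append(("wrong-segment", ip, dev, mac))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_NEIGH, ALLOW_LIST):
        print(*finding)
```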
Mitigating Password Leakage
Passwords leak in ways that have nothing to do with my own technical hygiene:
- Cloud Syncing: If you ever signed into your Wi-Fi on a friend's phone, that password might be backed up to their Google or Apple cloud account.
- Social Engineering: A guest might "helpfully" give your password to someone else.
- Credential Stuffing: If you've reused that password elsewhere (we've all been there), it's already in a database in a dark corner of the internet.
By denying by default, the password becomes necessary but not sufficient.
Honestly, I would publish my WiFi password on the public internet and have no fear of being hacked.
ZenArmor

In my home setup I use ZenArmor. I protect the interfaces on which I have WiFi routers distributed throughout my perimeter. I create policies for secure access and guest access, and I even create policies to prevent my kids' devices from accessing sites not for children.
I'll update this post later with more details. Keep an eye out; it will be interesting!