> MAC addresses can very easily be spoofed. It is not a preferred method to proper hardening, but then when it comes to wireless, nothing is.
I don’t ordinarily use wifi. I just have a pc, and a Nook Simple Touch (ebook reader) rooted to do some tablet things (which I ordinarily keep with the wifi turned off, and don’t use to purchase books on the net). My router allows wifi access only to those two MAC addresses. How would anyone else get in? Wouldn’t they have to produce a large number of MAC addresses until one matched one of the two my router allows, and then have to do the same thing to match the password — all while still within range of my router? I doubt that any of the few neighbors within range of my router is doing that.
I don’t use my pseudo-tablet at public sites, but I’m curious to know if that can that be done there with hacking software in just a matter of minutes? It seems to me that router protection software ought to spot systematic attempts to produce a wide range of MAC addresses or wide range of passwords within a short time, and be able to stop access temporarily and give a warning.
[I have almost no knowledge in this area, though, and am just speculating.]
When your tablet or any other wireless device first connects to your router, there’s a good deal of handshaking that occurs before access is granted. Any competent network hacker could sniff a few of the packets that transmit between your device and your router and extract the MAC address from the headers. If that’s the the ONLY protection you have, they can now spoof your MAC address and gain access to your device. MAC address spoofing is really not difficult, and there are publicly-available tools to do it on the Internet.
What you’re describing is what my network engineer buddy calls “MAC splat” where a device just spams an AP with MAC traffic if that’s the only thing keeping the device off the network. MOST APs, even consumer-grade, have DDOS protections that would log these attempts and block the originator for minutes or hours, depending on the setting.
If you have other safeguards in place such as WPA2 AES encryption, hidden SSID, and you’ve turned off things such as WPS, then you’re as safe as you will ever be without configuring additional authentication infrastructure. Just remember that all of the negotiation process happens in clear text, so if you’re connecting to a wireless device for the first time, know that information such as your MAC address is being distributed in the handshaking packets, and there’s really little you can do about it.