Is blocking device necessary on Wi-Fi with a password set?

My pedigree in writing about Apple’s Wi-Fi products dates back to 2000—it seems so long ago! But after 15 years, I’m still discovering new things about Apple’s products and Wi-Fi in general I didn’t know. Witness an email from a reader (who prefers to remain anonymous) about a problem he encountered with Timed Access Control.

This feature lets you control access to a base station by using an adapter identifier that’s found on every network device, whether ethernet, Wi-Fi, or other. The reader was using it to control access for 67 devices on his network, on which there was already a password set. But when he crossed from 66 to 67, he encountered a problem.

With some input from Apple, I learned something new, that I can unpack as part of a general approach to discussing restricting access by device.

MAC attack

Every network adapter has a Media Access Control (MAC) address. The MAC address allows networking hardware to talk to other networking hardware by having a burned-in unique address. Manufacturers have their own prefixes, and are supposed to assign an unique address, never reused, that’s built into a device when it ships. It’s a 48-bit number written as a series of six two-digit hexadecimal numbers separated by colons (like D0:03:4B:99:1B:16).

Some hardware allows you to “clone” a MAC address, which more specifically means you can modify the built-in address to another one, which can be useful when updating devices that die and need replacemen—or for more nefarious purposes, such as masquerading as a legitimate device. I’ll get into that in a moment.

You can find a Mac’s MAC addresses in the Network pane of System Preferences. Click any adapter at left, and then click the Advanced button, and the Hardware tab. In iOS, you go to Settings > General > About, and then swipe down to Wi-Fi Address.

Apple has offered MAC-based access limitations for its base stations for severals years, letting you limit access only to defined Wi-Fi adapters, including specific ranges of hours and days. (See our updated guide on using Timed Access Control.) Ethernet-connected computers and mobiles are unaffected; routers from other makers typically allow more detailed access control settings and include wired and wireless connections.

At the dawn of Wi-Fi, it seemed like using a MAC address to limit access would be an alternative to the wonky password systems of the day: You could run a quasi-open network, and rather than a generic password, limit access to those whose information you’d punched in. Well, that didn’t fly. A password-protected network encrypts the data, preventing snooping, and cloning MAC addresses on Wi-Fi adapters was trivial, allowing hijackers to sniff a legitimate MAC number, clone it, and then hop on the network.

Using a strong password is the most sensible way to restrict access, but you can pair a protected network with MAC address limits for some users or even devices.

You only block the ones you love

My correspondent uses a WPA2 Personal passphrase, the strongest option you have to prevent network access, alongside Timed Access Control, and had painstakingly entered dozens and dozens of local devices. However, he hit a snag. Starting at device #66, his base stations started to behave erratically. He eventually found a non-authoritative source that said the limit was 65 MAC addresses, even though it can accept more. He removed outdated entries and things went back to normal.

My recommendation to him was to remove all Timed Access Control entries, as the WPA2 Personal passphrase is currently seen as uncrackable if the phrase is reasonably long—about 12 or so truly random characters, or a set of three or more randomly paired words separated by a space. (See my column on Diceware and the unintuitive nature of word-based passphrases.)

(He also discovered another interesting property, which I confirmed with Apple. Timed Access Control entries propagate across a network of 802.11ac AirPort Extreme and Time Capsule models. Whenever you change the access list (not just descriptions, but adding and removing addresses or modifying the entries) and click Update to apply the changes to the router configuration through a restart, those entries are copied automatically to other base stations. This is the only feature for which that happens, Apple said.)

The only way in which I think this kind of access control is useful is when you’re trying to limit access to people you know, which is typically going to be children, although you may also choose to have certain devices that have an always-on Internet connection to be restricted as well.

One set of friends had the problem that their precocious kid was reading Wikipedia at 2 a.m., and they didn’t want to seize his iPod touch. Other folks just want to set reasonable limits as to time of day so they don’t have to hector kids to get offline—the computer or iOS device (or Android, Chromebook, etc.) just stops having Internet access. And in some cases, maybe you don’t want your wireless IP camera or other Internet of Things devices to always be doing something Internet-related 24 hours a day.

Apple’s base stations aren’t as robust as many other Wi-Fi routers in terms of controlling duration as well as time of day, or restricting access to specific websites or blacklisting some sites. But for limited purposes, they work well enough.

However, a WPA2 Personal passphrase should be your first line of defense. Rely on Timed Access Control only as a way to throttle devices you already trust, rather than to repel people you don’t.