Wifi hotspot whitelisting

[Lppsoeht]

Feature request: Ability to deny any new wifi connection from any device not listed in the whitelist. For the feature to be useful, new WiFi connections tries should be limited to max 1 per x seconds.

[thestinger]

MAC addresses can be trivially spoofed to match a whitelisted device. This approach to Wi-Fi network security doesn't work.

[Lppsoeht]

MAC addresses can be trivially spoofed to match a whitelisted device. This approach to Wi-Fi network security doesn't work.

Still, I'm not thinking of the smart opponent, even if that was my case can't a WiFi network defend itself against a "mac address bruteforcing" by limiting the time rate in which a new device can connect to the network? Let's say our WiFi hotspot limits the new connection attempts to 1 every 2 seconds, I wish to see the bad guy gaining the whitelisted Mac address very soon. Maybe they can suppose the device I've whitelisted but still, it becomes hard.

Is this at least possible to implement @thestinger ? If so, why wouldn't it be useful in certain circumstances?

[thestinger]

It's possible to see the MAC addresses of the AP and each client over the air without anything special. There's nothing hidden about it. This is why a hidden AP is not actually useful, and a hidden AP reduces the privacy of clients because they broadcast each known hidden AP they have saved as known networks every time they scan for networks. iOS warns users about joining a hidden AP because of this privacy leak. An attacker can spoof the MAC of another client, boot them off the network and use it instead. They could also use the MAC of a client that's now asleep and not actively using it to avoid the conflict.

[Lppsoeht]

It's possible to see the MAC addresses of the AP and each client over the air without anything special. There's nothing hidden about it. This is why a hidden AP is not actually useful, and a hidden AP reduces the privacy of clients because they broadcast each known hidden AP they have saved as known networks every time they scan for networks. iOS warns users about joining a hidden AP because of this privacy leak. An attacker can spoof the MAC of another client, boot them off the network and use it instead. They could also use the MAC of a client that's now asleep and not actively using it to avoid the conflict.

How does an enemy see those data? Are you assuming there's only WiFi hotspot and his clients in the WiFi range or?... I never heard of the ability to scan precisely which mac address is connected to which.

[thestinger]

I never heard of the ability to scan precisely which mac address is connected to which.

That's very trivial to do. It's shown by basic Wi-Fi monitoring software.

[Lppsoeht]

I never heard of the ability to do it while not being connected to the network nor being the hotspot

[thestinger]

https://www.aircrack-ng.org/doku.php?id=airodump-ng

[WaleedMortaja]

@thestinger Most of the people are not tech savvy to do such monitoring. Sometimes, one wants to temporary kick a device to reduce the burden on the network without the hustle of changing the password (and then changing it on the clients). I know that allow list is not perfect because of monitoring and spoofing. However, it is a very very good defense against most of the people.

[thestinger]

The hotspot feature isn't really meant for hosting a serious, regular network joined by other people. If you want to do that you should really use client keys rather than a shared password, so you can just remove one of the keys.

[WaleedMortaja]

@thestinger One of the uses of hotspot is to share internet (coming usually from e/SIM). in that situation hotspot is used regularly. Anyway, do you mean WPA-Enterprise (radius) by "client keys"? Because I only see WPA-Personal options. Thank you for your time and fast reply!