Wifi Mac Address Sniffing: Is it Possible?

TL;DR

Yes, an attacker can sniff Mac addresses on a wifi network. However, simply knowing them isn’t enough to compromise your security directly. It’s usually a step in a larger attack like deauthentication or man-in-the-middle attacks. Modern operating systems and routers offer protections, but it’s still important to be aware of the risks.

How Mac Address Sniffing Works

Every device with a wifi adapter has a unique Media Access Control (Mac) address. When devices communicate on a wifi network, their Mac addresses are included in the data packets sent over the air. An attacker can use special software to ‘listen’ for these packets and record the Mac addresses of connected devices.

Steps an Attacker Might Take

1. Put the Wifi Adapter into Monitor Mode: This allows the adapter to capture all wifi traffic, not just data intended for it.
2. Capture Packets: Use a packet sniffer (see ‘Tools’ below) to record all wireless communications.
3. Extract Mac Addresses: The software will display a list of connected devices and their corresponding Mac addresses.

Tools Used for Sniffing

• Wireshark: A powerful, free packet analyzer that can capture and analyze wifi traffic. It requires some technical knowledge to use effectively.
• Aircrack-ng Suite: A collection of tools used for auditing wifi security. Includes tools for capturing packets (airodump-ng) and analyzing them.
• LinSSIDer/Kismet: Graphical tools that can scan for networks and display connected Mac addresses.

Example using airodump-ng

Airodump-ng is part of the Aircrack-ng suite. It’s commonly used on Linux systems.

sudo airodump-ng wlan0

This command will scan for wifi networks and display information, including the BSSID (Mac address of the access point) and associated station Mac addresses.

What Can an Attacker Do With Mac Addresses?

• Deauthentication Attacks: An attacker can use a Mac address to disconnect devices from the wifi network. This forces them to reconnect, potentially allowing the attacker to intercept their login credentials.
• Man-in-the-Middle (MitM) Attacks: By spoofing the access point’s Mac address, an attacker can redirect traffic through their own device and steal sensitive information.
• Tracking Devices: While not a reliable method for precise location tracking, Mac addresses can be used to identify devices that frequently connect to specific networks.

How to Protect Yourself

1. Use WPA3 Encryption: This is the most secure wifi encryption protocol currently available. WPA2 is acceptable but less secure than WPA3.
2. Enable MAC Address Filtering (with caution): Some routers allow you to specify which Mac addresses are allowed to connect. However, this can be bypassed by Mac address spoofing. It’s more of a deterrent than a strong security measure.
3. Regularly Update Router Firmware: Updates often include security patches that address vulnerabilities.
4. Use a Strong Password for Your Wifi Network: A complex password makes it harder for attackers to gain access to your network.
5. Be Aware of Public Wifi Risks: Avoid connecting to unsecured public wifi networks, or use a Virtual Private Network (VPN) to encrypt your traffic.
6. Check Connected Devices Regularly: Review the list of connected devices on your router and remove any unknown or suspicious entries.

Mac Address Randomization

Modern operating systems often randomize Mac addresses when connecting to new wifi networks, making it harder for attackers to track devices. This is a good security feature but isn’t foolproof.