
A physical assault carries a high chance of being noticed, and unless carried out by law enforcement, a significant chance of being punished with jail time. So it's not something that has a high chance of happening. Additionally, it's hard to defend against, and you definitely don't want to defend against a SWAT team.

Whereas a bored teenage neighbor could attack your wireless network with a very small chance of being detected. Or with a sensitive directional antenna it doesn't even have to be your neighbor if the goal is just to sniff traffic. Plus, the only cost to you in defending against this attack is entering a more complex password on new devices. Stick a note on the fridge or choose a phrase.



I'm no security expert, but after I saw each new wifi password standard cracked within days of its release, I stopped passwording my wifi and used a little script I put on a home Linux server to watch the router; if it spotted any unrecognized MAC addresses getting an IP address from DHCP, it would throw them out within a few seconds.

These days, I just turn on the MAC address filter that's built into most wifi base stations. Now, unless I've manually entered your MAC address into my whitelist, my router won't connect you. My wifi shows up as "open" to any machine that passes by, yet it won't connect.

Many (most?) of you know more about security than I do. How secure is the MAC address whitelist approach compared to a password approach?


A few thoughts:

* WPA2 hasn't been 'cracked'
* Without 'passwording', all your traffic is unencrypted and can be trivially sniffed
* Spoofing one of your whitelisted MAC addresses in order to use your network is easy


First: thanks to ALL of you who answered. This was very informative. If I understand correctly:

1) I would define something as "not cracked" if it is as strong as its password--in other words, there's no way to circumvent it that isn't a general vulnerability (peek through my window, get a keylogger on my machine, etc.) I assume you're telling me that this is the case with WPA2.

2) It sounds as though you are saying that something like WPA2 doesn't just authenticate a login but remains in use as an encryption key for subsequent wireless data interchange between client and base station. If I'm understanding correctly, that's a powerful point.

3) I knew that MAC addresses could be spoofed, but I was thinking they wouldn't know WHICH MAC address to pretend to have. Of course, if I'd been a little smarter, I would have noticed that my own linux process was using the MAC address a client claimed to have to throw out unrecognized machines (before I had MAC address filtering as a built-in router feature). If they were sending their MAC address to me, then my own client machine would be sending its MAC address in clear text to them, telling them which MAC address to pretend to have. Duh.

Well, I feel a little dumber and a little smarter. Time to go change my network. Thanks again.


It is also trivial to see which MAC addresses are associated with which APs.


This approach is very easy to bypass by any knowledgeable hacker.

Since you said your WiFi is open, the only thing that needs to be done is fire up aircrack-ng's airodump and sniff; there I would see your MAC, in the clear. Then I could set my own to it, or select any other MAC I have seen connecting for a longer while, and use it to access your router and add my other MAC to its whitelist.


This works great until someone comes along and spoofs the MAC address of your base station. Then the real fun begins.


Someone said in the Ars Technica comments that MAC addresses are freely available in the packets in flight, and MACs are spoofable, so MAC filtering will only deter the casual, passing wifi-borrower, not anyone actually determined to gain access.


> MAC filtering will only deter the casual, passing wifi-borrower, not anyone actually determined to gain access.

Isn't that true of WPA and WPA2 though also?


WPA2 with a good password, at least, would put up a non-negligible barrier in terms of the number crunching required; in contrast, getting around MAC filtering would take effectively no time at all.


WPA2 is as strong as the password used on it, so it can easily be strong enough to deter any attacker from that perspective.


The only in-the-wild attacks against WPA2 are variations of brute-force attacks.

There are precomputed rainbow tables of common SSID+passphrase combinations floating around, but as a general rule, WPA2 with a sufficiently complex passphrase should be secure against anyone who doesn't have a massive compute cluster at their disposal.
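An added example (not from the comment above) of why those precomputed tables are tied to the SSID: WPA2-Personal derives its 256-bit PSK from the passphrase with PBKDF2-HMAC-SHA1, salted with the SSID, so a table built for a common default SSID is useless against a renamed network, and the passphrase itself is the only lever that raises the brute-force cost. The candidate passphrases and SSIDs below are constructed for illustration.

```python
import hashlib


def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA2-Personal PSK as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 rounds, 32 bytes)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


def precompute_for_ssid(ssid: str, candidates: list[str]) -> dict[bytes, str]:
    """Build the kind of SSID-specific lookup table the comment describes:
    one PBKDF2 derivation per candidate, amortised over every network that
    uses this exact SSID. Candidates here are a constructed toy list."""
    return {wpa2_psk(p, ssid): p for p in candidates}


def table_covers(table: dict[bytes, str], passphrase: str, ssid: str) -> bool:
    """True if the PSK actually in use on (passphrase, ssid) appears in the
    precomputed table, i.e. the table would have saved the 4096-round work."""
    return wpa2_psk(passphrase, ssid) in table


# Constructed demo: a table built for a factory-default SSID.
DEFAULT_SSID = "linksys"
TOY_CANDIDATES = ["password", "12345678", "letmein1", "qwertyui"]
TABLE = precompute_for_ssid(DEFAULT_SSID, TOY_CANDIDATES)


def demo() -> tuple[bool, bool]:
    """Same weak passphrase on the default SSID vs. on a renamed SSID.
    Only the first is covered by the table; renaming the SSID forces
    the full PBKDF2 cost per candidate, per network, all over again."""
    hit_default = table_covers(TABLE, "password", DEFAULT_SSID)
    hit_renamed = table_covers(TABLE, "password", "flat-3b-guest")
    return hit_default, hit_renamed


if __name__ == "__main__":
    # Reference vector from IEEE 802.11i Annex H: passphrase "password", SSID "IEEE".
    print(wpa2_psk("password", "IEEE").hex())
    print(demo())  # (True, False)
```

Changing the SSID only defeats precomputation; a short or dictionary passphrase is still recoverable by running the same derivation per candidate, which is why the thread's advice is a long, non-dictionary passphrase.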


This provides no security at all. A good solution would be to use a VPN like OpenVPN; i.e., you treat the wifi as an insecure channel, just like the internet, and only after connecting to the VPN would you be able to get to the internal network and the uplink.


Unfortunately, MAC addresses can be spoofed by a dedicated attacker. It prevents your neighbor from using your connection without paying, until they decide to listen to what your address is and then just use your address when you go to bed.


I'm chagrined to admit that this simple approach didn't even occur to me. I'm interested as well; are there any disadvantages to this?


It's a terrible way to secure a network. MAC addresses are easily spoofed, and without encryption anyone can sniff your traffic anyway. Even using WEP is better since then there's (usually) a requirement to see a connected client for longer than a few seconds in order to break the encryption. The only reasonable approach for a home network imo in practice is WPA2 PSK with a decent password.


Convenience. Easier to give a visitor a password than get the device's MAC address and enter it into the router's whitelist.


> a bored teenage neighbor could attack your wireless network

He would have to be very bored indeed. Singling out my home to spend considerable time at an inconvenient in-range location to crack passwords to access ... what, exactly? View pictures of my toddlers? Copy my slightly deranged music collection? If he's looking for free network access, he can go down the street and get it from McDonald's or Starbucks or wherever while sitting in a comfortable chair sipping a soda.

I realize a bored teen is different from a SWAT team. Both, however, would need unusual motivation to turn their talents on my abode.



