12-09-2024 06:36 AM
Hi. I have seen several old threads dating back to 2021 that ask how to block or remove unknown devices from the WiFi network. I am using the Home App. I understand how to pause devices, but that is only for a 2 hour max. I have also seen the replies that suggest renaming your network and creating a new password, but those do not address an ongoing problem.
I want to block or remove unknown devices. This seems like a simple request and it defies logic that Google has not provided a means to do this from its Home App or otherwise. Does anyone have a fix for this problem? Please help. It seems to be a longstanding problem that has never been addressed. Thank you.
12-09-2024 12:00 PM
Hello @OzzyR
This turns out to be a hard problem. Allow me to spend a little time giving some background, and I'll close with what makes it hard to solve in an acceptable way.
Let's start by defining a couple of terms in the context of WiFi:
In a commercial / enterprise network, devices are often provisioned with a cryptographically signed certificate that can be used to solve the authentication problem, typically by tying that certificate to a particular user, and a centralized policy database can be used to look up that identity to make a decision about whether to authorize access. It's also used to negotiate a private encryption key to secure all of the traffic between the network and that device.
But, in a home network, we don't have any of that. All we have is a single shared password that all devices have. Possessing this key is used to prove authorization. There is no authentication. Devices that don't have that key just aren't allowed.
So, this is pretty limited, as you have pointed out.
But, what else can we do to provide some more flexibility? Maybe we can use the device's MAC address (a unique 48-bit identifier each device has programmed in from the factory) to decide which devices we want to authorize? The problem is, devices don't have to use that MAC address. In fact, many now generate a random address when they first connect to a network, and may generate a different one every time they reconnect. A device could even pretend to be another device by using a different MAC address. There's no way to authenticate that the device really is who it says it is.
What some have suggested is having a default policy of denying access to devices that have the shared key, but are using a MAC address we haven't seen before. From the above (random MAC addresses, etc.), we can see that while this might work in theory, it has some usability issues. If the system was operating in this mode, the system owner would have to approve every new device connection – but would also have to approve every time a device that has connected in the past tries to connect using a new random MAC address.
So, from a design perspective, while this kind of policy works, it ends up generating a lot more support calls from people who don't understand why their devices can't connect, or don't stay connected for long. My guess is that's why they haven't implemented something like this, and instead recommend being cautious about which devices get the shared key, and using the guest WiFi feature to allow devices to connect temporarily without having to share the common key.
Probably more than you wanted to read about this topic, but I hope it's at least somewhat useful.
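The deny-unknown-MAC policy described in the reply above, simulated over a constructed association log, as an added example that is not part of the original thread or of any Google product. It assumes the router only ever sees a MAC address and a hostname per association, and that the IEEE locally-administered (U/L) bit in the first octet is the only signal available for spotting a randomized address; the hostnames, MAC addresses and the `AllowlistPolicy` class are all made up for the illustration.

```python
"""Simulate a deny-by-default MAC allowlist on a home network.

Everything here is constructed for illustration (not from the thread):
- the router sees only (hostname, MAC) per association;
- a randomized MAC is detected only via the U/L bit (0x02 of octet 0),
  which iOS/Android "private address" features set and factory OUIs clear.
"""
import re
from dataclasses import dataclass, field

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-][0-9A-Fa-f]{2}){5}$")


def normalize_mac(mac: str) -> str:
    """Validate and canonicalize a MAC to lowercase, colon-separated form."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.replace("-", ":").lower()


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit is set and the multicast bit is clear.

    A set U/L bit is a strong hint that the address was generated by the
    client and may change on the next association; it is not proof.
    """
    first = int(normalize_mac(mac)[:2], 16)
    return bool(first & 0x02) and not (first & 0x01)


@dataclass
class AllowlistPolicy:
    """Deny-by-default: a MAC must be approved by the owner before admission."""
    approved: set = field(default_factory=set)
    prompts: list = field(default_factory=list)  # (mac, hostname) the owner saw

    def admit(self, mac: str, hostname: str) -> bool:
        mac = normalize_mac(mac)
        if mac in self.approved:
            return True  # known MAC: no identity check beyond the address
        # Unknown MAC: the owner is prompted and, in this simulation, approves.
        self.prompts.append((mac, hostname))
        self.approved.add(mac)
        return True


# Constructed association log (not real data): a laptop with a factory MAC,
# a phone that rotates a locally-administered MAC on every association, and
# finally an unknown device that copies the laptop's MAC.
EVENTS = [
    ("laptop", "3c:22:fb:10:20:30"),
    ("phone", "9a:4e:12:aa:bb:01"),
    ("laptop", "3c:22:fb:10:20:30"),
    ("phone", "6e:b0:77:aa:bb:02"),
    ("laptop", "3c:22:fb:10:20:30"),
    ("phone", "d2:91:05:aa:bb:03"),
    ("intruder", "3c:22:fb:10:20:30"),
]


def run_simulation(events=EVENTS) -> dict:
    """Count how many approval prompts the policy generates and why."""
    policy = AllowlistPolicy()
    for hostname, mac in events:
        policy.admit(mac, hostname)
    randomized = [m for m, _ in policy.prompts if is_locally_administered(m)]
    return {
        "associations": len(events),
        "prompts": len(policy.prompts),
        "prompts_from_randomized_macs": len(randomized),
        # The intruder reused the laptop's already-approved MAC, so the
        # allowlist never prompted: possession of a MAC is not identity.
        "intruder_prompted": any(h == "intruder" for _, h in policy.prompts),
    }


if __name__ == "__main__":
    print(run_simulation())
```

Two things fall out of the numbers: the phone alone accounts for three of the four prompts, one per reconnect, which is the support-call problem the reply describes, and the intruder is admitted silently because the allowlist has nothing but the address to go on. Flagging locally-administered MACs in the prompt helps the owner understand the churn, but it cannot make the policy authenticate anything.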