Editing Wake-on-LAN (section)

===Unauthorized access===
Magic packets are sent via the [[Data link layer|data link or OSI-2 layer]], which can be used or abused by anyone on the same LAN, unless the L2 LAN equipment is capable of and configured for filtering such traffic to match site-wide security requirements.

Firewalls may be used to prevent [[Client (computing)|clients]] among the public [[Wide area network|WAN]] from accessing the broadcast addresses of inside LAN segments, or routers may be configured to ignore subnet-directed broadcasts.

Certain NICs support a security feature called "SecureOn". It allows users to store within the NIC a hexadecimal password of 6 bytes. Clients append this password to the magic packet. The NIC wakes the system only if the MAC address and password are correct.<ref>[https://linux.die.net/man/1/wol wol(1) - Linux man page]</ref> This security measure significantly decreases the risk of successful [[brute force attack]]s, by increasing the search space by 48 bits (6 bytes), up to 2<sup>96</sup> combinations if the MAC address is entirely unknown. However, any network eavesdropping will expose the cleartext password.

Abuse of the Wake-on-LAN feature only allows computers to be switched on; it does not in itself bypass password and other forms of security, and is unable to power off the machine once on. However, many client computers attempt booting from a [[Preboot Execution Environment|PXE]] server when powered up by WoL. Therefore, a combination of [[Dynamic Host Configuration Protocol|DHCP]] and PXE servers on the network can sometimes be used to start a computer with an attacker's boot image, bypassing any security of the installed operating system and granting access to unprotected, local disks over the network.