What is MAC Spoofing?

Quick Answer: MAC spoofing is when a device’s MAC address is changed—either through software settings or special tools—to mimic another device, often to bypass network restrictions, enhance privacy, or carry out unauthorized activities.

MAC spoofing delves into the nitty-gritty of how wireless and wired communications work. Put simply, it’s when one device pretends to be another, similar to using a fake ID to get into an exclusive event. 

It can be confusing and cause some unfortunate issues within a network. Let’s explore how it happens and what it looks like in more depth.

For more information on how MAC and Layer 2 work, we have a great Network+ Course by CBT Nuggets for the basics!

What is a MAC address?

A MAC, or Media Access Control address, is a set of numbers that identify a device. Theoretically, they should be unique and identify only that device, presented in Hex format (0-9 and A-F) like so: F0:0F:F0:0F:00:FF. 

MAC addresses always have six groups of two characters and never have a character other than a number or A through F. They can identify pretty much anything that can communicate, regardless of whether it’s internal or external to a system. 

A good example is your home computer. At a minimum, your motherboard and your wired NIC (where the ethernet port is) have different MACs. If you look into your settings, your wireless and wired have different ones as well!

For example:

These are two adapters on the same computer—they actually pass through the same physical interface.

MAC addresses come in two major parts; the first three sets of two are called the OUI, or Organizationally Unique Identifier. This is from the manufacturer and can be used to identify a device on a network if it doesn’t give you a helpful hostname. 

There are even helpful online lookup tools, like OUI Lookup by Wireshark. These tools let you input the MAC or OUI portion and spit out the manufacturer associated with it. Manufacturers can have multiple OUIs assigned to them, and some, like Cisco, have many.

The latter set of three is what’s called NIC-specific, and it is theoretically unique to your device. No device from the same OUI group should have the same NIC-specific suffix, which is one reason why the OUI is essential. A device may have the same NIC-specific address or the same OUI, but it shouldn’t have both. This is subject to the manufacturer, though, and mistakes do happen. 

What Do MAC Addresses Do?

A MAC address is used to identify, as stated before. This leads to a more important function for network engineers: It’s used to know where to direct traffic. MAC addresses are a Layer 2 function, and Layer 2 is where most of your traffic gets processed for every connection you make. Wi-Fi and Ethernet both use this to form tables and later attach them to your IP address. (Though how Wi-Fi does it is pretty different; for more detailed info, I suggest looking into our excellent Wireless Analysis Professional course.)

Therefore, if you don’t have a MAC address, you can’t have an IP, and your traffic goes nowhere. This holds across PHY layers in ISA100.11a as well from the industrial side, which actually routes internally entirely by MAC and only touches Layer 3 cross networks. This is pretty novel for networking. MACs can also be used to identify you to authenticators in an 802.1X connection or through MAC filtering. 

What is MAC Spoofing?

MAC spoofing is essentially faking your MAC address—plain and simple. It's often used to bypass security measures. When someone manually sets their MAC address, it’s referred to as a locally administered address in official documentation. This is different from the burned-in address (BIA) or universal address to which the device was initially assigned.

You can usually tell by the way that the address is organized by something called the second to last, least significant bit in the address. (If LSB sounds foreign to you, I’d suggest checking out CBT Nuggets' Wireless Network Administrator training) This LSB will be set to 1 if it’s local and 0 if it’s universal (meaning it was put in by the manufacturer or “burned in.”)

MAC spoofing lets someone get around MAC-AUTH policies, which admit a computer or client into a network based on its MAC address. This is also called MAC filtering. It enables it to use another machine’s identity—a specific one, generally. 

Security Risks of MAC Spoofing 

MAC spoofing can cause massive security risks and is key to a number of cyber security attacks, including man-in-the-middle attacks and rogue/evil twin attacks on the wireless. These two depend less on access and more on convincing you that they’re who YOU want to talk to. Here's how they generally work: 

Evil Twin Attack 

For an evil twin attack, the aggressor or malicious actor is trying to convince you or the network that they’re someone else to receive your traffic. Spoofing your MAC to gain access to a network can be seen as a preceding or enabling factor for this. This is different in that they’re not just trying to get on the network, but actively pretending to be a specific client, such as a server or appliance.

Man in the Middle Attacks

A man-in-the-middle attack starts similarly but doesn’t impersonate a particular structure but rather a piece of infrastructure, generally an AP. This is a widespread wireless attack that often occurs in public places. The malicious actor will pretend to be an AP from a trusted spot and present a very similar SSID and screen. 

It will directly or indirectly log pass your traffic on to the designated point you want it to while logging everything that happens, generally things like financial information or keystrokes and passwords. 

Be VERY careful when using open Wi-Fi networks, especially in public places. There’s also a variant of this where the malicious actor instead simply wants to deny your service and sends either nonsense requests or things like deauthentication packets to the AP. This would keep the client it’s impersonating from actually using the network.

Final Thoughts

The well of issues that MAC spoofing creates and even sometimes solves is deep, but armed with a knowledge of the basics, you’re well prepared to combat or use it at Layer 2 or higher.

With this knowledge, be sure to protect yourself and your network from malicious actors! MAC authentication by itself is not secure, as we discussed. Take appropriate measures to positively identify devices on your network and avoid being spoofed.

Want to learn more about cybersecurity? Consider our Cybersecurity Threats, Attacks, and Vulnerabilities Online Training.