Royal Canadian Mounted Police

MAC Spoofing

Background

When computers connect together on a network, a network card or wireless network card is typically used. Each network card or wireless network card has a Media Access Control (MAC) address that is used to tell them apart. The MAC address is a series of 12 characters, usually in the form xx-xx-xx-xx-xx-xx, and is burned into the hardware of a network card. The first 6 characters identify the company that made the card and the rest uniquely identify that specific card. This is in accordance with IEEE (Institute of Electrical and Electronics Engineers [1]) standards. MAC address spoofing refers to someone changing their MAC address in order to resemble that of another network card for various reasons (Wright 2003).

How does it work?

Networking involves sending and receiving chunks of data between computers. By splitting data into extremely small chunks called packets, we are able to share this data over greater distances in less time. When multiple computers are connected to a network, this data needs to know where it is going to and coming from in order to ensure that everything is delivered to the right place. Each computer on a network typically has an Internet Protocol (IP) address and a MAC address. This information is added to the packet. When a packet comes to a computer, the computer opens the packet, reads the addresses and decides whether or not the packet is destined for that machine. This process is outlined in the networking OSI model, which is beyond the scope of this fact sheet (Briscoe 2002).

The problem is that people can now change their computer’s settings to replicate someone else’s IP and MAC address. This can be done on a wired network; however, wireless networks are at a much greater risk because there is no physical connection needed and the attacker may connect from anywhere within the network's wireless radius. Also, there is a wide variety of wireless network cards that support the altering of MAC addresses (Wright 2003). An attacker may pose as an authorized client or even “spoof” or “masquerade” as things such as wireless routers [2]. The problem here is that a user may connect to it thinking that this is the router their network is associated with and may unintentionally send personal information to it (Bellardo and Savage 2003).

For example, a wireless network signal is broadcast by a router. An attacker may find this signal, find out all of its information such as name, IP and MAC addresses with a scanning tool then change his computer to carry the same name, IP and MAC addresses. Now when the unsuspecting client tries to connect to the router with their user name and password, the attacker can capture this information.

A Closer Look

In any given city, there are people with wireless networks everywhere. Using a laptop, PC, personal digital assistant (PDA) or hotspot locator (a small electronic device that signals when it finds a wireless network in the area), an unauthorized user can find these wireless networks simply by walking down the street. If the network they found is secure, s/he may use MAC spoofing to gain access to this network depending on the level of security in use. Even though there are many different ways to attempt to secure a wireless network, most home users or even some organizations do not use security or they may rely on forms of security which have been proven vulnerable by several experiments (Bellardo and Savage 2003, Wright 2003). Spoofing techniques can involve software downloaded from the Internet, embedded into an operating system or even software provided by the vendor of the network card. Also, the attack usually involves the use of several small applications openly available on the Internet (Wright 2003).

Implementing a wireless network makes that network vulnerable because an attacker may access it from beyond the physical security perimeter of the organization. Some network administrators use access control lists based on MAC addresses authorized to access the network. If a client’s MAC is listed, then they are permitted access to the network (Arbaugh et al. 2001). Therefore a “spoofed” MAC of an authorized user would allow an attacker to gain entry to the “protected” network. Other security measures include Wired Equivalent Privacy (WEP); however, this protocol contains many vulnerabilities (Borisov et al. 2001).

There are legitimate uses for MAC address “spoofing”. For example, an Internet service provider (ISP) may register a client’s MAC address for service and billing tracking. If the client needs to replace their network card, due to a failure or maybe a new computer, they can simply set the MAC address of the new card to that of the old one (Netgear n.d.). Also, some software requires you to input your MAC address to access certain services. In this case, if the user needs to replace his/her network card, they may change their new network card MAC address to “spoof” their old one. This can eliminate the need to re-register the software product.

Illegitimate uses are the real problem, however. The Internet has increased the market for images of child sexual abuse and child exploitation in recent years (Chopra et al. 2006). MAC address spoofing allows a user access to an otherwise protected network. This allows the user to download images of child sexual abuse over a network registered under somebody else’s Internet account. While the illegal traffic may be tracked to the IP from which it originated, if an attacker gained access to a protected or even non-protected network, s/he would most likely be long gone by the time investigators arrived at the scene. While there are still people with unprotected wireless networks in their homes, corporate or protected networks typically provide faster Internet connections and may give the attacker a sense of anonymity as there is greater probability that many innocent workers may be investigated before him/her.

Reasons people spoof

Connecting new hardware to an Internet connection:
Sometimes when an ISP has a MAC address of a user’s computer registered to an Internet account, the user may decide to add a router to the network so that s/he can share their Internet connection with other computers in the house. In this case they will have to set the router to spoof the MAC of the computer that was connected. This makes the ISP believe that the router is still the one PC that the user has registered (Netgear n.d.). Depending on the ISP, this act could be contrary to the terms of the Internet account.

Avoiding Network Intrusion Detection Systems (NIDS):
The user may use a pre-configured file to constantly change their MAC address while performing large file transfers in order to avoid being caught by the NIDS. Usually this security implementation will track the origin of large transfers to the MAC address, but if the MAC address is constantly changing, then it appears to the NIDS as many different people transferring many small files (Wright 2003).

Getting past access control lists:
Some network administrators will write a list of all the MAC addresses of the computers authorized to access their network. In this case, the attacker will change the MAC address on their computer to one that s/he finds connected to the network. This information is usually transmitted through the air openly. To associate and be recognized as this authorized user, the attacker will launch a Denial of Service (DoS) attack against the authorized user until his/her computer disconnects from the network. The attacker will then use this opportunity to reconnect to the wireless network as the MAC address s/he stole from the authorized user (Wright 2003).

A DoS is accomplished by sending the user a constant stream of traffic, overwhelming their PC until it has no idea how to handle it. Once this happens, the user will be prompted that his/her computer must be restarted. Restarting gives the attacker the opportunity to connect to the network as the authorized user.
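As an added example (not part of the original fact sheet), the following Python code shows how a network owner might look through connection logs for the behaviours described above: a MAC address that keeps changing on one connection point, and an authorized MAC that reappears at a different connection point. The log records, connection point names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log: (time in seconds, connection point, MAC as logged).
EVENTS = [
    (0,   "ap-1/port-3", "00-11-22-AA-BB-01"),
    (40,  "ap-1/port-3", "00-11-22-AA-BB-01"),
    (65,  "ap-2/port-7", "00:11:22:aa:bb:01"),
    (100, "ap-1/port-5", "02-00-00-00-00-01"),
    (110, "ap-1/port-5", "06-3C-9F-10-20-30"),
    (120, "ap-1/port-5", "0A-77-01-C4-55-9E"),
    (130, "ap-1/port-5", "00-11-22-AA-BB-02"),
]

MAC_RE = re.compile(r"[0-9a-f]{2}([-:][0-9a-f]{2}){5}")

def parse_mac(text):
    """Return (normalized MAC, vendor prefix, locally_administered)."""
    t = text.strip().lower()
    if not MAC_RE.fullmatch(t):
        raise ValueError(f"not a MAC address: {text!r}")
    octets = re.split("[-:]", t)
    # Bit 0x02 of the first octet marks a locally administered address,
    # i.e. one set in software rather than assigned by the manufacturer.
    local = bool(int(octets[0], 16) & 0x02)
    return "-".join(octets), "-".join(octets[:3]), local

def analyse(events, window=120, churn_limit=3):
    """Return a list of findings; each is a lead for review, not proof."""
    findings = []
    last_seen = {}                # mac -> (time, connection point)
    per_port = defaultdict(list)  # connection point -> [(time, mac)]
    for ts, port, raw in sorted(events):
        mac, _vendor, local = parse_mac(raw)
        if local:
            findings.append(("locally-administered", mac, port))
        prev = last_seen.get(mac)
        # Same MAC at a new connection point soon after: roaming or a copy.
        if prev and prev[1] != port and ts - prev[0] <= window:
            findings.append(("mac-moved", mac, f"{prev[1]} -> {port}"))
        last_seen[mac] = (ts, port)
        per_port[port].append((ts, mac))
        recent = {m for t, m in per_port[port] if ts - t <= window}
        if len(recent) == churn_limit:  # report once when the limit is reached
            findings.append(("mac-churn", port, sorted(recent)))
    return findings
```

Phones and laptops that randomize their MAC address for privacy also set the locally administered bit, and wireless clients legitimately move between access points, so each finding needs to be checked against what is expected on the network.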

Implications for Law Enforcement, Parents, and Youth

While it is possible to track illegal Internet traffic to a specific IP and to retrieve the name and address of the IP’s registrant, it is very difficult to track which computer in a particular network engaged in the activity when the real offender is no longer connected to the network. MAC spoofing allows unauthorized access to someone else’s network; therefore, responsibility for any illegal activity will fall on the authentic user. As a result, the real offender may go undetected by law enforcement.

There are many new forms of security available to users of wireless networks; however, many homes and organizations find them either too expensive or just “too much work” to implement. Many papers referenced in this fact sheet provide different solutions to either detect or prevent MAC spoofing. These solutions can range from nearly no cost to fairly expensive. While there are new security implementations becoming available such as WPA and WPA-2 (Wi-Fi Protected Access), wireless standards remain a security risk. The lack of awareness of these threats is mainly what causes such lack of security (Bellardo and Savage 2003). The best way for home users to protect themselves is to only use wireless networks when necessary and to use WPA-2 security while changing the password on a regular basis. Businesses should avoid placing any sensitive information on a wireless network and when implementing a wireless network, consider hardware which contains the latest security developments such as MAC spoof detection/prevention or wireless fingerprint security.

Investigators can spend a tremendous amount of time and effort investigating innocent computers (and users) before they realize that none of the computers on the network committed the illegal activity. The threat to the children is that it may take longer to apprehend such offenders as their exploitation may be carried out at one location, but shared on the Internet from another location that has no connection to their abuser. This constant shift of evidence can create multiple scenes that need to be investigated by police.

It is important to stress that people need to take the appropriate steps to make their wireless networks secure against such attacks if not for their own safety then for the safety of children. Adding wireless access to anyone’s network opens vulnerabilities. It is up to the owners to do what they can to mitigate risks.

References

Arbaugh, William A., Shankar, Narendar, and Wan, Y.C. Justin. (2001). Your 802.11 wireless network has no clothes.

Bellardo, John, and Savage, Stefan. (2003). 802.11 denial-of-service attacks: Real vulnerabilities and practical solutions.

Borisov, Nikita, Goldberg, Ian, and Wagner, David. (2001). Intercepting mobile communications: The insecurity of 802.11.

Briscoe, Neil. (2002). Understanding the OSI 7-layer model.

Chopra, Munish, Rueda, Luis, Martin, Miguel V., and Hung, Patrick C.K. (2006). A source address reputation system to combating child pornography at the network level.

Netgear. (n.d.). No Internet with new router, computer, or adapter: MAC spoofing.

Vichr, Roman, and Malhotra, Vivek. (2003). Securing 802.11 transmissions, part 1.

Wright, Joshua. (2003). Detecting wireless LAN MAC address spoofing.

Produced by:

The National Child Exploitation Coordination Centre (NCECC)
Research and Development Section in Collaboration with the NCECC’s Technology Unit

1. IEEE is a professional association that provides guidelines for technological advancements, primarily in areas of engineering (see www.IEEE.org).

2. Devices used to connect wireless computers to a network.