MAC Address Spoofing Explained

MAC spoofing changes the hardware address a network adapter presents to a network. Every Ethernet and Wi-Fi adapter has a burnt-in MAC address, but the operating system can override it in software. MAC spoofing has legitimate privacy uses and is built into modern phones — but it also renders MAC filtering useless as a security control.

What a MAC Address Is

A MAC (Media Access Control) address is a 48-bit identifier assigned to every network interface during manufacturing, written as six hex pairs (e.g., A4:C3:F0:12:34:56). The first three bytes identify the manufacturer (OUI); the last three are device-specific. MAC addresses operate at Layer 2 — they identify devices on a local network segment and are never forwarded across routers. They are visible to anyone with access to the local network, including in Wi-Fi frames captured in monitor mode.

How MAC Spoofing Works

The MAC address an adapter broadcasts is controlled by the operating system's network stack, not hardware alone. Changing it requires a simple driver or OS setting — no special hardware needed:

  • Linux: ip link set dev wlan0 address AA:BB:CC:DD:EE:FF
  • macOS: sudo ifconfig en0 ether AA:BB:CC:DD:EE:FF
  • Windows: Device Manager → Network Adapter → Properties → Advanced → Network Address

The change takes effect immediately and persists until the next reboot or until changed again. It survives network reconnections.

Legitimate Uses of MAC Spoofing

  • Privacy (MAC randomization): iOS, Android, Windows, and Linux randomize the MAC address used per Wi-Fi network to prevent cross-network device tracking. This is MAC spoofing in service of user privacy.
  • Network testing and development: Simulating multiple devices for DHCP testing, testing MAC-based VLAN assignment, or replacing hardware while maintaining DHCP reservations.
  • ISP equipment replacement: Some cable modems/ONTs are provisioned by MAC address; spoofing lets a replacement device inherit the provisioned identity temporarily.

Attack Uses of MAC Spoofing

  • MAC filter bypass: MAC filtering allows only specific MAC addresses to associate with a Wi-Fi AP. An attacker in passive monitor mode sees all MAC addresses communicating with the AP — including allowed ones — and clones an allowed MAC to join the network.
  • DHCP exhaustion: By rapidly spoofing different MAC addresses, an attacker can request a new DHCP lease for each, exhausting the router's IP pool and preventing legitimate devices from getting addresses.
  • ARP poisoning: MAC spoofing is used alongside ARP poisoning to impersonate another device's MAC and intercept its traffic (see ARP Poisoning guide).
  • Captive portal bypass: Hotel/airport Wi-Fi portals often authenticate by MAC. Cloning an authenticated device's MAC can bypass the login page.

Why MAC Filtering Is Not a Security Control

MAC filtering is security theater: an attacker needs only one allowed MAC address (trivially obtained by capturing any Wi-Fi frame) and about 30 seconds of spoofing effort to get in. It adds zero meaningful protection over WPA2/WPA3 encryption, while creating ongoing management overhead for the admin. Do not rely on it. Use strong encryption and a strong password instead.

Detecting MAC Spoofing on Your Network

Several signals suggest a device is spoofing its MAC:

  • Two devices with the same MAC appear in the router's ARP table simultaneously.
  • The OUI prefix doesn't match the device type (e.g., a Samsung phone's MAC has an Apple OUI prefix — indicating randomization to an Apple-registered block or a spoofed address).
  • Randomized MAC addresses typically have the locally-administered bit set (second-least-significant bit of the first byte = 1), e.g., x2:xx:xx:xx:xx:xx.
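
The three signals above can be checked automatically against a neighbor (ARP) table dump. The following is an added example, not part of the original guide: it assumes input in the style of Linux `ip neigh show` output, and the sample lines, the `EXPECTED_OUI` inventory and the function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Linux `ip neigh show` output.
SAMPLE = """\
192.168.1.10 dev br0 lladdr a4:c3:f0:12:34:56 REACHABLE
192.168.1.23 dev br0 lladdr a4:c3:f0:12:34:56 STALE
192.168.1.31 dev br0 lladdr 7a:10:9c:44:55:66 REACHABLE
192.168.1.40 dev br0 lladdr 00:11:22:aa:bb:cc REACHABLE
192.168.1.50 dev br0 FAILED
"""

# Hypothetical inventory: the OUI each known host is expected to present
# (constructed values, not real vendor assignments).
EXPECTED_OUI = {"192.168.1.40": "00:11:33"}

ENTRY = re.compile(
    r"^(\S+)\s+dev\s+\S+\s+lladdr\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\b", re.I)

def is_locally_administered(mac):
    """True if the U/L bit (0x02 of the first octet) is set,
    i.e. the second hex digit of the address is 2, 6, A or E."""
    return bool(int(mac[:2], 16) & 0x02)

def analyze(text, expected_oui=None):
    """Return (signal, mac, ip) findings for a neighbor-table dump."""
    expected_oui = expected_oui or {}
    ips_by_mac = defaultdict(set)
    findings = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:  # FAILED/INCOMPLETE entries carry no lladdr
            continue
        ip, mac = m.group(1), m.group(2).lower()
        ips_by_mac[mac].add(ip)
        if is_locally_administered(mac):
            # Usually OS privacy randomization; also common for spoofed MACs.
            findings.append(("locally-administered", mac, ip))
        want = expected_oui.get(ip)
        if want and mac[:8] != want.lower():
            findings.append(("oui-mismatch", mac, ip))
    for mac, ips in ips_by_mac.items():
        # One MAC behind several IPs can be legitimate (multi-homed host,
        # router); treat it as a lead to investigate, not proof of cloning.
        if len(ips) > 1:
            findings.append(("duplicate-mac", mac, ",".join(sorted(ips))))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE, EXPECTED_OUI):
        print(*finding)
```

Each finding is a lead rather than a verdict: correlate it with DHCP leases and switch or AP association logs before acting on it.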

Frequently Asked Questions

Does MAC filtering protect my network?

No. MAC filtering is trivially defeated by spoofing — an attacker captures a frame, reads an allowed MAC (visible in plaintext even on WPA2 networks), and clones it. It creates administrative overhead with no meaningful security benefit. Use WPA2 or WPA3 encryption instead.

Is MAC randomization the same as MAC spoofing?

Same mechanism, different intent. MAC randomization (built into iOS 14+, Android 10+, Windows 10+) changes the per-network MAC to prevent cross-network tracking. MAC spoofing in an attack context impersonates another device or bypasses controls. The underlying technique is identical.
