Security: MAC Address and ARP (Notes)

Every network interface controller (NIC) has a Media Access Control (MAC) address which is unique to the interface. A device may have multiple network interfaces (e.g., a ethernet network interface and a wireless network interface) and will a MAC address for each interface (e.g., a Rasperry Pi 4 has one MAC address for the ethernet and one MAC address for the wi-fi).

MAC addresses work at Layer 2 (Data Link Layer) of the OSI (Open Systems Interconnection) model and are part of the IEEE (Institute of Electrical and Electronics Engineers) 802 standards.

A MAC address is 48 bits split into 6 octets, with 8 bits per octet. 3 octets (24 bits) are used to store the Organisationally Unique Identifier (OUI) and 3 octets (24 bits) are unique to the interface (i.e., in theory no two interfaces should have the same MAC address – more on this below). The 48 bits are represented in hexadecimal. The OUI can be used to identify the organisation that created the network interface, with tools such as the Wireshark OUI Lookup.

Viewing MAC addresses (MacOS X)

Open a Terminal and type: ifconfig , the results should show each interface and an MAC address for each of them.

Viewing MAC addresses (Microsoft Windows)

Open a Terminal and type: ipconfig , the results should show each interface and an MAC address for each of them.

Viewing MAC addresses (Debian Flavour Linux – e.g. Ubuntu, Raspberry Pi OS)

Open a Terminal and type: ifconfig , the results should show each interface and an MAC address for each of them.

Any virtualised network interfaces will also have a MAC address.

Address Resolution Protocol (ARP)

NIC have MAC addresses, but most network addressing is done at Layer 3 (Network Layer) using IP addressing (IPv4 or IPv6). On a local network, a device sends out a Address Resolution Protocol (ARP) request asking other devices on the network who has a certain IP address. The device with the IP address responds with it’s MAC address and a message saying “I have that IP address”.

There is also a reverse ARP request, where a device provides a MAC address and asks “What IP address have you got?”.

Devices can build up a cache of ARP responses so that they do not repeatedly ask for the same information. ARP is a stateless protocol and does not have an authentication method.

MAC and Security

Certain network switches have the ability to lock network ports to a MAC address, so that devices can not be replaced on the network by malicious devices. Switches and Wireless Access Points (including most home wi-fi routers) have options to filter MAC addresses so that only MAC addresses in the user supplied list can connect. As the OUI can be used to identify the organisation behind the NIC, the MAC addresses of devices can be used to monitor networks for unexpected devices – e.g. if an organisation only uses Apple devices and suddenly sees a Lenovo MAC address then they know a rogue device has attempted to connect to their network.

MAC Spoofing

Although a MAC address should be unique to a NIC there are tools available to spoof or alter a devices MAC address, or within operating systems such as Linux commands are available (ipconfig has a hw ether option). Apple iOS devices have an option called “Private Wi-Fi Address” when using wi-fi connections which generates MAC addresses for the device to make it harder to track the device across networks.

Altering a MAC address can be used to overcome the security mentioned above.

ARP Spoofing

As ARP is stateless and does not have an authentication method it can be used in an attack known as ARP spoofing. The attacker’s device would spoof the MAC address of a legitimate device and reply to ARP requests, this can cause devices to send traffic to the attacking device instead of the legitimate device. Depending on the attack the traffic may be sniffed and forwarded to the legitimate device (man in the middle attack) or to drop the packets (a type of denial of service attack).