Spoofed Laptops Bypassing MACsec

Spoofing Attack - Spoofed Laptops

A Sepio customer that had deployed a NAC solution implemented a MAC-based security policy. When its red team challenged the organization's cybersecurity posture during a periodic penetration test, it found that an attacker using a spoofed laptop could easily bypass those security measures. How do you close this visibility gap?

Let's follow a spoofed-laptop use case scenario.

A rogue agent, Mr. X, intends to infiltrate SecureCorp, a high-profile organization with stringent cybersecurity measures in place. He knows that gaining physical access to the network is often easier than remote penetration, particularly when he can use a spoofed laptop, making his computer masquerade as a genuine organizational device.

Act 1: Spoofed Laptops Infiltration

1. Using network sniffing tools (e.g., a passive tap or a hub inserted between a legitimate device and its wall port), he captures the MAC address of a legitimate device connected to SecureCorp's network. MAC addresses travel unencrypted in every Ethernet frame, so a single captured frame is enough.

2. Mr. X then clones this MAC address onto his unauthorized computer, believing this will grant him undetected access to the organization's resources.

Act 2: First Line of Defense

As Mr. X connects his computer to the SecureCorp network, the NAC (Network Access Control) system scans the device and approves it, as do other security solutions that rely on L2 and higher data and traffic. Beyond spoofing the MAC address, Mr. X can present the same open-port profile as the legitimate device, so that an Nmap scan or other port mapping would not trigger an alert. Traffic-wise, it looks much the same: Mr. X is very cautious in his network activity, staying patient and manipulating or injecting traffic in a covert way.

Act 3: Spoofing Unveiled with Sepio’s Intervention

1. Sepio's solution evaluates the physical layer characteristics of the device, detecting potential spoofing attempts. Every hardware asset has a unique "Asset DNA": a set of vectors that identify the asset, delivering vendor name, product name, and additional information that goes beyond MAC addresses or IP configurations.

2. Sepio's platform immediately recognizes the discrepancy between the cloned MAC address and the asset's physical characteristics.

3. An alert is generated, indicating the presence of a potentially unauthorized device engaged in spoofing. It provides detailed information about the asset's connection point, its physical attributes, and a comparison with the legitimate device that shares the same MAC address, along with recommended actions.
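The correlation described in Act 3 can be illustrated with a generic inventory check. The following is an added example written for this article, not Sepio's code: Sepio's Asset DNA is proprietary, so the `fingerprint` keys (`nic_vendor`, `link_speed_mbps`, `usb_descriptor`), the switch port names, the MAC address and all sample values are constructed placeholders for whatever hardware-level attributes a real L1-aware sensor records at enrolment. The check flags an observation whose port or hardware attributes differ from those enrolled for its MAC, and separately flags a MAC seen on two ports in the same snapshot, which is what happens when the clone and the genuine device are online at once.

```python
"""Flagging a cloned MAC by cross-checking what a NAC sees (MAC, connection
point) against attributes recorded when the asset was enrolled.
Added example, not Sepio's code; fingerprint keys and sample data are constructed."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    mac: str
    switch_port: str   # connection point the asset was enrolled on
    fingerprint: dict  # hypothetical hardware attributes observed at enrolment


@dataclass(frozen=True)
class Observation:
    mac: str
    switch_port: str
    fingerprint: dict  # the same attributes as measured right now


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form, so 00-1B-21-AA-BB-CC == 00:1b:21:aa:bb:cc."""
    digits = mac.replace("-", "").replace(":", "").replace(".", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def build_inventory(assets):
    """Index enrolled assets by normalized MAC."""
    return {normalize_mac(a.mac): a for a in assets}


def check_observation(inventory, obs):
    """Return discrepancies between one observation and the enrolled asset
    sharing its MAC; an empty list means everything matches."""
    mac = normalize_mac(obs.mac)
    known = inventory.get(mac)
    if known is None:
        return [f"{mac}: MAC not in inventory"]
    findings = []
    if obs.switch_port != known.switch_port:
        findings.append(f"{mac}: enrolled on {known.switch_port}, seen on {obs.switch_port}")
    for key, expected in known.fingerprint.items():
        seen = obs.fingerprint.get(key)
        if seen != expected:
            findings.append(f"{mac}: {key} enrolled as {expected!r}, seen {seen!r}")
    return findings


def find_duplicate_macs(observations):
    """MACs present on more than one port in the same snapshot: the clone
    and the genuine device are online simultaneously."""
    ports = {}
    for obs in observations:
        ports.setdefault(normalize_mac(obs.mac), set()).add(obs.switch_port)
    return {mac: sorted(p) for mac, p in ports.items() if len(p) > 1}


def scan(inventory, snapshot):
    """One pass over a snapshot: per-observation discrepancies plus duplicates."""
    report = [f for obs in snapshot for f in check_observation(inventory, obs)]
    for mac, ports in find_duplicate_macs(snapshot).items():
        report.append(f"{mac}: seen simultaneously on {', '.join(ports)}")
    return report


# Constructed sample data (MAC, ports and fingerprint values are placeholders).
INVENTORY = build_inventory([
    Asset("00:1b:21:aa:bb:cc", "sw1/gi0/12",
          {"nic_vendor": "VendorA", "link_speed_mbps": 1000,
           "usb_descriptor": "VendorA Laptop Dock"}),
])

SNAPSHOT = [
    # the genuine laptop, on its usual port, attributes unchanged
    Observation("00:1b:21:aa:bb:cc", "sw1/gi0/12",
                {"nic_vendor": "VendorA", "link_speed_mbps": 1000,
                 "usb_descriptor": "VendorA Laptop Dock"}),
    # Mr. X's machine using the cloned MAC (different notation) on another port
    Observation("00-1B-21-AA-BB-CC", "sw1/gi0/7",
                {"nic_vendor": "VendorB", "link_speed_mbps": 100,
                 "usb_descriptor": None}),
]

if __name__ == "__main__":
    for line in scan(INVENTORY, SNAPSHOT):
        print("ALERT", line)
```

The genuine laptop produces no findings; the clone produces a port mismatch plus one finding per differing hardware attribute, and the snapshot as a whole produces a duplicate-MAC finding. In practice the fingerprint should be attributes the attacker cannot set from software, which is the point the article makes about L1 data.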

Act 4: Rapid Response to a Spoofed Laptop Incident

1. SecureCorp's cybersecurity team receives the alert and quickly isolates the suspicious spoofing device from the network.

2. Surveillance cameras identify Mr. X in the act, and security personnel apprehend him.

3. The rogue device is confiscated and further analyzed for potential threats and intelligence gathering.

Outcome

Thanks to the multi-layered cybersecurity measures in place, and especially Sepio's capability to detect discrepancies at the physical layer, which no other solution detects, SecureCorp prevents a potentially devastating security breach.

This incident serves as a testament to the importance of not solely relying on superficial data (like MAC addresses) and highlights the need for deep, hardware-level analysis to ensure network security.

Lessons Learned

Relying solely on MAC addresses or similar L2-L7 identifiers can lead to a false sense of security.

Physical layer characteristics (L1) provide an added layer of security and device verification.

Multi-layered security, such as the combination of NAC or ZTNA with Sepio's platform, provides robust protection against sophisticated infiltration attempts.

October 19th, 2023