Spoofed Laptops Bypassing MACsec

Spoofing Attack - Spoofed Laptops

A Sepio customer who deployed a NAC solution implemented a MAC-based security policy. When challenging his cybersecurity posture during a periodic penetration testing session by his red team, he discovered that malicious actors conducting spoofed-laptop attacks could easily bypass his security measures. How do you close this visibility gap?

Let’s follow a spoofed-laptop use case scenario.

A rogue agent, Mr. X, intends to infiltrate SecureCorp, a high-profile organization with stringent cybersecurity measures in place. He knows that gaining physical access to the network is often easier than remote penetration, particularly when he can use a spoofed laptop, enabling his computer to masquerade as a genuine organizational device.

Act 1: Spoofed Laptops Infiltration

1. Using network sniffing tools (e.g., a passive tap or an unmanaged switch or hub), he captures the MAC address of a legitimate device connected to SecureCorp’s network.

2. Mr. X then clones this MAC address onto his unauthorized computer, believing this will grant him undetected access to the organization’s data resources.

Act 2: First Line of Defense

As Mr. X connects his spoofed computer to the SecureCorp network, the NAC (Network Access Control) system scans the device and approves it, as do other security solutions that rely on Layer 2 and above data and traffic. Beyond spoofing the MAC address, Mr. X can present the same port-mapping façade as the legitimate device, so that Nmap or other port-mapping scans would not trigger an alert. Traffic-wise, the device looks pretty much the same: Mr. X is very cautious in his network activity, being patient and manipulating or injecting traffic in a covert way.

Act 3: Spoofing Laptop Unveiled with Sepio’s Intervention

1. Sepio’s solution evaluates the physical-layer characteristics of the device, detecting potential device-spoofing attempts. Every hardware asset has a unique “Asset DNA” (Asset Risks): a superset of vectors that identify the device, delivering vendor name, product name, and additional data that goes beyond MAC addresses or IP configurations.

2. Sepio’s platform immediately recognizes the discrepancy between the cloned MAC address and the asset’s physical characteristics.

3. An alert is generated, indicating the presence of a potentially unauthorized device engaged in spoofing. It provides detailed information about the device’s connection point, its physical attributes, and a comparison with the legitimate device that shares the same MAC address, followed by recommended actionable measures.
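The Act 3 comparison, as an added illustration that is not Sepio’s code: the vendor and product values are assumed to come from a hardware-level fingerprinting sensor, and the approved inventory and the observed records are constructed sample data. It raises an alert when an observed MAC’s hardware fingerprint differs from the approved asset’s, when the same MAC is seen on more than one port, or when the MAC is not in the inventory at all.

```python
from dataclasses import dataclass
from collections import defaultdict

@dataclass(frozen=True)
class Endpoint:
    mac: str       # as reported by the switch, in any common notation
    port: str      # switch and port the device is seen on
    vendor: str    # vendor from the hardware-level fingerprint (assumed sensor input)
    product: str   # product from the same fingerprint (assumed sensor input)

@dataclass(frozen=True)
class Alert:
    mac: str
    reason: str    # "unknown MAC", "fingerprint mismatch" or "duplicate MAC"
    ports: tuple   # ports involved in the finding

def normalize_mac(mac: str) -> str:
    """Canonicalize 00-11-22-33-44-55 / 0011.2233.4455 / 00:11:... to lower-case colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def detect_spoofing(baseline, observed):
    """Compare currently observed endpoints with the approved inventory and return alerts."""
    inventory = {normalize_mac(e.mac): e for e in baseline}
    by_mac = defaultdict(list)
    for e in observed:
        by_mac[normalize_mac(e.mac)].append(e)
    alerts = []
    for mac, seen in by_mac.items():
        ref = inventory.get(mac)
        if ref is None:
            alerts.append(Alert(mac, "unknown MAC", tuple(e.port for e in seen)))
            continue
        for e in seen:  # a cloned MAC carries the wrong hardware identity
            if (e.vendor, e.product) != (ref.vendor, ref.product):
                alerts.append(Alert(mac, "fingerprint mismatch", (e.port,)))
        ports = sorted({e.port for e in seen})
        if len(ports) > 1:  # one MAC live on two ports at once
            alerts.append(Alert(mac, "duplicate MAC", tuple(ports)))
    return alerts

# Constructed sample data: the approved asset and the two devices currently observed.
BASELINE = [Endpoint("00:11:22:33:44:55", "sw1/Gi1/0/7", "VendorA", "LaptopModel1")]
OBSERVED = [
    Endpoint("00:11:22:33:44:55", "sw1/Gi1/0/7", "VendorA", "LaptopModel1"),  # the real device
    Endpoint("0011.2233.4455", "sw1/Gi1/0/12", "VendorB", "UsbNicModel9"),   # clone of its MAC
]
```

Calling `detect_spoofing(BASELINE, OBSERVED)` yields a fingerprint-mismatch alert for the clone on sw1/Gi1/0/12 and a duplicate-MAC alert listing both ports; a device that merely moved to another port, with its fingerprint intact, raises nothing.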

Act 4: Rapid Response to a Spoofed Laptop Incident

1. SecureCorp’s cybersecurity team receives the alert and quickly isolates the suspicious device engaged in spoofing from the network.

2. Surveillance cameras identify Mr. X in the act, and security personnel apprehend him.

3. The rogue device is confiscated and further analyzed for potential threats and intelligence gathering.

Outcome

Thanks to the multi-layered cybersecurity measures in place, and especially Sepio’s unique capability to detect discrepancies at the physical layer, which NO OTHER SOLUTION CAN DETECT, SecureCorp manages to prevent a potentially devastating security breach.

This incident serves as a testament to the importance of not solely relying on superficial data (like MAC addresses) and highlights the need for deep, hardware-level analysis to ensure network security.

Lessons Learned

Relying solely on MAC addresses or similar Layer 2 to Layer 7 identifiers can lead to a false sense of security.

Physical layer characteristics (Layer 1) provide an added layer of security and device verification.

Multi-layered security solutions, like the combination of NAC or ZTNA with Sepio’s platform, ensure robust protection against sophisticated infiltration attempts.

October 19th, 2023