MAC spoofing and Cloned Routers

Hello! :smile:
I love Glasswire a lot :heart_eyes: Its one of the best security PC products in its category .
I like the Interface so much its been very useful and very accurate :innocent:.
but I was wondering if it can detect if someone is spoofing my MAC address :fearful:or
if my Router have been cloned or something similar :disappointed_relieved:.
Im curious How would it detect if it can ? :grin:
thanks for replies ! :grinning:

As one user to another, “Why are you worrying about MAC address spoofing and router cloning?” There’s little to be gained from spending much time on either issue. The GlassWire team might have a different perspective on this but I’d be surprised if it was different.

  • For a start, both are normal network activities that exist to ease network management. This means that these features will not be removed because there are good reasons why a MAC address needs to be duplicated or a router cloned.
  • Both these issues require access to your LAN or local area network. I emphasise the word local, because this is very different than access to a remote (non-local) network or the Internet. Much of your security is already bypassed when someone has access to your local network.
  • Intruders onto your LAN are much more likely to want to remain hidden than to reveal themselves so casually. Anyone with malicious intent will not normally be wasting their time mucking around with MAC addresses.

The main protection on a cabled network is that a limited number of people have physical access to plug in cables. The main protection on a wireless network is the user authentication that demands a secure password.

ARP spoofing?

If you meant ARP spoofing rather than MAC address spoofing then that is a different issue which is worth considering. GlassWire does have an ARP Spoofing alert but it is only for your computer and does not protect against ARP spoofing of your router:

MAC addresses

Your MAC address is only used on your LAN and it doesn’t normally get exposed to the Internet. So if someone can spoof a MAC address on your LAN (LOCAL area network) then they are already able to do way more dangerous things.

The one time when MAC address spoofing is useful to intruders is to bypass MAC address filtering. But MAC addresses don’t have to be unique so you can have two devices with the same MAC address on your local network at the same time. In GlassWire it should show up as a duplicate MAC address in the Network tab.

If you have WPS (Wi-Fi Protected Setup) enabled on your router then you should probably disable that as a much bigger security risk.

Router cloning

Cloning a hardware router normally requires physical access to your LAN (LOCAL area network). So if they can swap your router out then they can do almost whatever they like anyway.

One scenario when this could occur is when parents implement a filter to limit what their children can access on the Internet. An enterprising child could bypass the filter by swapping out the router when their parents are out of the house or when they have gone to bed. Not many children would have to try this method because most people are lax with their passwords or have incomplete filtering solutions that children can easily bypass.

Thanks for ur reply .:grinning: (well I use WPA2 )
And I read ur links ty
~Also I wasn’t talking about ARP spoofing no~

Lets just imagine a scenario where for “example” the persons( hackers ) Spoofing my MAC address broke in my home and got access to my Router lol or they used sniffing hacking tools and discovered my MAC address …and that they are near me like a neighbour ! so,very close.

And yes im aware of this that some people do not consider this very problematic but strangely others do so its a bit controversial subject? :yum:
That site explains it very well :frowning:
quote :slight_smile: :"Another security technique some people use is MAC address filtering. Each computer and device contains a unique MAC address, thus the network administrator can create a black and white list of addresses he or she wants to block or to allow onto the network. This can be used with or without wireless encryption or the hidden network technique. If a hacker suspects a target network is using MAC address filtering, she’d just have to bring up a wireless surveying or analyzer program on her laptop " ..." She would simply check out the list of stations or monitor the raw data packets to find a “good” MAC address that he could use. Once a hacker has a MAC address she can emulate, in Windows, she would just bring up the network adapter’s properties dialog and type in the address, . In this way, the hacker won’t be stopped by the MAC address filter." from " 7 Things Hackers Hope You Don’t Know" ( eSecurityPlanet )

And what I was referring to this website explains it very clearly it says ::confounded:

"Each networked device or network interface is assigned a unique Media Access Control address (MAC). MAC address spoofing (or MAC spoofing) is a technique of "faking" this address. Although some legitimate cases exist for doing this, it is also used to circumvent existing security mechanisms, impersonate legitimate devices (end stations or even routers) or to hide an attacker. To combat this technique and protect your network, both detection and protection is required ."
quote from article "Detecting and Preventing MAC Spoofing "(from website Infoexpress)

So yes but when u said " In GlassWire it should show up as a duplicate MAC address in the Network tab"
How to know if it not spoofed or cloned router ?:smile_cat:
So i’m just wondering if Glasswire can detect this or not …or if not it would be great if it could ?!

1 Like

There is no controversy according to the majority consensus of security professionals. MAC address filtering has no value on its own and little value combined with more important security features like a strong password. The controversy that you see is simply people make money by scaring other people.

That is why the eSecurity Planet article is good. But the InfoExpress articles is not. InfoExpress is selling a network security product to detect or prevent MAC spoofing. Infoexpress emphasises the risks because they make money from heightening fear of this issue to sell more product.

Let’s look at your scenario where a hacker spoofs your MAC address. If you refer to the eSecurity Planet article, you’ll notice that MAC address spoofing comes after cracking the password. Once an intruder cracks your password they are in your home. MAC address filtering is like sticking a bucket of water above the front door. The intruder is inconvenienced when the water falls on him/her. But the intruder is already inside the house and once they’re past the water bucket they are not hindered at all.

So MAC address spoofing is not possible without first cracking the password. The password keeps people out. A MAC address filter does not. As the article says:

the hacker won’t be stopped by the MAC address filter.

You are far better to focus on having an uncrackable password. My WiFi password, for example, is a 24-character phrase that will not be cracked by a dictionary attack.

The problem with even considering MAC address spoofing is that a hacker who has already cracked your WiFi password will very likely crack your router password too. Once on your router admin interface, the hacker will be able to turn off MAC address filtering or, if it is left on, add their own MAC address to the allowed list. They will use a fake MAC address so their device is not fingerprinted.

As far as I know GlassWire doesn’t have an alert for duplicate MAC addresses. You would have to view the Network tab to see which devices have duplicated MAC addresses. But I’ve never tested it so I don’t know what GlassWire does. @Ken_GlassWire should be able to clarify what will happen if MAC address spoofing occurs.

Anyway, as far as I’m concerned I wouldn’t even bother checking MAC addresses manually. I would only check if an automatic alert was added to GlassWire.

For anyone who is interested, I have a valid use of MAC address spoofing for GlassWire.

I’m trying to troubleshoot GlassWire remote client disconnections and reconnections. It looks likely that it is not a GlassWire issue so I’ve been trying other configurations such as connecting my laptop to the network directly rather than through my laptop’s docking station.

The problem that is solved by MAC spoofing is that the network adapters in the dock and computer have separate MAC addresses network cards which are assigned different IP addresses by the router. But GlassWire will allow only one IP address for each server. So, to ensure that I assign a constant IP address to the GlassWire server, I have to spoof the laptop adapter MAC using the dock adapter.

The MAC address spoof simply makes both adapters have the same MAC address:
Laptop adapter e.g. 1234567890AB
Dock adapter e.g. 121212121212 becomes 1234567890AB

In Windows 10 (and earlier versions), you can specify a MAC address for a network adapter:
Right-click Start Menu
Select Device manager menu item
Expand Network adapters by clicking on >
Right-click on the network adapter you want
Select Properties
Select the Advanced tab
Select Network address in the Property list
Enter the MAC address in the Value field
Select the OK button to save