Correlating a Device MAC Address to the Type of Device
Typically, when a device successfully connects to a network, the only information the network needs is the Media Access Control (MAC) address, which is usually found on the back of every piece of hardware. Therefore, as we stated in one of our previous posts, it makes total sense to consider only the MAC address, which is unique to a device.
However, manufacturers are devising creative ways to hide this information to make it harder to track individuals based on their devices. Mainly, device manufacturers are allowing users to change their MAC addresses manually. Device owners and vendors could argue that this feature provides a noble way to protect users' privacy. In fact, it would sound great as a marketing component. Regrettably, allowing users to change their devices' MAC addresses also opens other security gaps that are difficult to fill.
Correlating a Device MAC Address to the Type of Device
Can you correlate a device MAC address to the type of device, let's say an iPhone, laptop, or a security camera? What happens in situations where the user can easily change their device's MAC address?
You might be in a situation where all you have is records of the MAC or hardware address but do not have the IP address or other details of a device connecting to your network. Typically, finding the IP from a known MAC address should be the task of a Reverse ARP (RARP) application, the counterpart of ARP. But RARP is an obsolete protocol with many disadvantages, so newer protocols like DHCP and BOOTP quickly replaced it.
Today, most companies lack the visibility and ability to correlate a device MAC address with the type of the device (the physical device). Lack of this visibility is scary since it is trivial to change the MAC address on a client device. For instance, a privacy technique like MAC address randomization enables mobile devices to rotate through random hardware addresses to prevent observers from singling out their traffic or physical location from other nearby devices.
What Sonar 24/7/365 Wireless Monitoring Offers
Since Sonar is watching layer 1 and layer 2 of the wireless network, we get all the data that allows us to correlate a device MAC to the physical device. Typically, layer 1 (the physical layer) addresses the network's physical characteristics, such as the electrical characteristics of the signals used to transmit data over cables from one network to another. However, the physical layer doesn't define any particular meaning for those signals, other than the basic binary values 0 and 1. Accordingly, the higher levels of the network model must assign meanings to the bits transmitted at layer 1.
Layer 2, the data link layer, assigns meaning to the bits transmitted over the network. Characteristically, data link protocols address things like the packet size, a means of addressing packets so that they are delivered to the intended recipients, and a way of ensuring that two or more nodes do not transmit data on the network simultaneously. At layer 2, each network-connected device has a MAC address.
Using details from these two layers, Sonar can correlate a device's MAC address to a device type. That way, if the Sonar service always sees MAC AA:AA:AA:AA:AA:AA join as an Intel device, and we happen to see the same MAC join as a Google device, then the Sonar service will let the customer know. Notably, having two devices with the same MAC address causes problems with the popularly used DHCP protocol, since both devices will get the same IP address. As a result, each device will receive network traffic meant for the other, which can be risky if a hacker is cloning the MAC address of a target device. It is essential to note that hackers can target your wireless network through MAC spoofing, a technique for changing the factory-assigned MAC address of a network interface on a networked device. Fortunately, the Sonar service can detect such incidents, allowing you to respond immediately to avoid an attack.
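The kind of check described above can be sketched as follows. This is an added example, not Sonar's own code: it assumes a hypothetical sensor that reports a timestamp, a MAC address and a device fingerprint label for every join, and all sample values are constructed.

```python
from collections import defaultdict

# Constructed sample observations (timestamp, MAC, device fingerprint) from a
# hypothetical layer 1/2 sensor. None of these values come from Sonar.
OBSERVATIONS = [
    ("2024-05-01T08:00:00", "00:11:22:33:44:55", "Intel"),
    ("2024-05-02T08:03:00", "00:11:22:33:44:55", "Intel"),
    ("2024-05-03T08:01:00", "00:11:22:33:44:55", "Intel"),
    ("2024-05-03T09:10:00", "DA:A1:19:00:00:01", "Apple"),
    ("2024-05-04T02:17:00", "00:11:22:33:44:55", "Google"),
    ("2024-05-04T08:02:00", "00:11:22:33:44:55", "Intel"),
]

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, which
    randomized MAC addresses set to mark themselves as not factory-assigned."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def find_fingerprint_changes(observations, min_sightings=2):
    """Return alerts for MACs that join with a fingerprint different from
    the one they have consistently shown before."""
    history = defaultdict(lambda: defaultdict(int))  # mac -> fingerprint -> count
    alerts = []
    for ts, mac, fingerprint in observations:
        mac = mac.upper()
        seen = history[mac]
        if seen:
            # Baseline = the fingerprint seen most often for this MAC so far.
            baseline, count = max(seen.items(), key=lambda kv: kv[1])
            if count >= min_sightings and fingerprint != baseline:
                alerts.append({
                    "time": ts, "mac": mac,
                    "expected": baseline, "observed": fingerprint,
                    "randomized_mac": is_locally_administered(mac),
                })
                continue  # do not let the outlier pollute the baseline
        seen[fingerprint] += 1
    return alerts

if __name__ == "__main__":
    for alert in find_fingerprint_changes(OBSERVATIONS):
        print(alert)
```

The `randomized_mac` field separates a rotating privacy address, for which a long-lived baseline is not expected, from a factory-style address that suddenly shows up on different hardware.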
What's more, the Sonar service is automated, making it effective in a network with a huge volume of connected and disparate devices. In addition, Sonar offers continuous 24/7/365 monitoring, presenting an aggregated, unified view of your wireless network. If the service detects malicious threats such as MAC spoofing on your Wi-Fi network, it sends an alert, followed by the Pulsar Security team's support to fix the issue.
Sonar is included with Pulsar Cyber Shield: a comprehensive package of services designed to bring maximum security benefits at minimal cost without sacrificing quality.
Tim Connell
As Head of Enterprise Products for Pulsar Security, he guides the team in creating solutions which satisfy the needs of real-world customers, specializing in the areas of data management, storage network visibility, and enterprise security. Tim holds technical certifications as an Offensive Security Certified Professional (OSCP), CompTIA Network+, CompTIA Security+, GIAC Penetration Tester (GPEN), GIAC Web App Penetration Tester (GWAPT), and GIAC Python Coder (GPYC).