When a device successfully connects to a network, the only information the network needs is the Media Access Control (MAC) address, which can usually be found on the back of every piece of hardware:
This makes total sense, because the MAC address is unique to the device. Over time, manufacturers have been implementing creative ways to hide this address in order to make it harder to track an individual based on their device. This includes allowing a user to be able to manually change their device’s MAC address. While this is a noble effort to protect a user’s privacy, and sounds great in the marketing material, it also opens up other security holes that are difficult to fill.
On most devices it is possible to manually change the assigned MAC address for the device. With that said, do you know if the devices connecting to your network are the actual physical devices that have been approved to connect to your wireless network?
As an attacker, it is trivial to identify devices that are joining the wireless network, change the MAC address of the attacker’s device, and join as the device approved to connect to the network. The attacker would then be able to steal data, and/or upload ransomware, without their presence ever being known. The only way to solve this is to be able to correlate a device’s physical hardware to the device’s MAC address. By having this data, it would be possible to know that an Intel device connected when the usual device was actually a Google Device.
SONAR, a subscription service that identifies wireless network threats and vulnerabilities, has a unique feature set that helps solve this challenge.
