A colleague and I recently ran into a perplexing problem that led us to a startling discovery: it is possible to change the MAC address of almost any computer on your network. All this time we had assumed that the MAC address was fixed by the hardware vendor and burned into the network card. It is not, and I believe that this presents a serious security problem.
Discovering the hole
It all started one morning when one of our servers was on the blink. My connectivity to it kept dropping in and out for no apparent reason. My colleague was experiencing the same problem, and we both began pinging the server. The results were puzzling: Reply, Reply, Time Out, Reply. We tried several more times with the same result, a mix of Replies and Time Outs.
Our next step was to log on to the server directly in order to check the logs and so on. I logged on to the problem server and my partner to the server sitting next to it. Pinging anywhere resulted in some of the packets making it, and some of them meeting their demise in the Ethernet abyss. My partner moved to a third server and tried the tests again. The results were the same. Pinging the problem server or the server he had been working on resulted in dropped packets. However, when he pinged a different server, there were no problems.
We then looked at the ARP caches of the problem servers and compared them to each other. We discovered that the MAC addresses for both servers were identical! Go ahead and read that again: both servers had the same MAC address. That also explains the ping pattern: on a switched network the switch learns the address on one port, then on the other, and delivers each frame to whichever port claimed it most recently, so a good share of the traffic for either server ends up on the wrong machine. We didn't know how or why this had happened, but we knew that somewhere, somehow, at least one of these servers had been given a MAC address other than the one in its network card.
Setting the MAC address
Thinking quickly, I opened Regedit and searched for the offending address. I soon found a registry key used to set the MAC address of a computer. My partner checked several other computers to see if the key existed, and it didn’t. I deleted the key on one of the identity-impaired servers, and the problem was solved. But we still didn’t know how this had happened.
The offending computers were both DEC Alpha servers, so our first test was to see if we could duplicate the symptoms on another computer. We were able to set the MAC address of NT computers as well as Windows 9x computers. Realizing that you can set the MAC address of virtually any computer on your network is scary enough. But what if this was used as an attack against your network? What if a hacker set his MAC address to the MAC address of your default gateway? Nothing on the wire checks where a MAC address came from: the switch simply learns whatever source address it last saw on a port, and every host's ARP cache believes the last reply it received. In the end, we concluded that our problem was caused by a failed installation of DEC Pathworks. No nefarious intentions were involved, just a poorly written installation program.
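As an added example (this is not code from the original article), the script below automates the ARP-cache comparison we did by hand and also covers the gateway scenario above. It parses arp -a style output, flags any unicast MAC address that more than one IP claims, compares what the cache shows against an inventory of the addresses each card shipped with, and notes whether an observed address carries the locally-administered bit that software-assigned addresses often have. The ARP listing, the inventory and every address in them are constructed sample data, and the function names are my own.

```python
"""Detect duplicated or altered MAC addresses from ARP-cache listings.

Added example for this article; all addresses below are constructed.
"""
import re
from collections import defaultdict

# One entry of Windows `arp -a` output looks like:
#   192.168.1.10          00-00-f8-12-34-56     dynamic
# Colon-separated MACs, as printed by most Unix arp commands, are accepted too.
_ARP_ENTRY = re.compile(
    r"^\s*(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2})\b"
)

# Constructed sample: what a third host's ARP cache might show while two
# servers (.10 and .11) are fighting over one MAC address.
SAMPLE_ARP_OUTPUT = """\
Interface: 192.168.1.50 --- 0x2
  Internet Address      Physical Address      Type
  192.168.1.1           00-50-56-c0-00-08     dynamic
  192.168.1.10          00-00-f8-12-34-56     dynamic
  192.168.1.11          00-00-f8-12-34-56     dynamic
  192.168.1.20          00-e0-4c-aa-bb-cc     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
"""

# Constructed inventory (assumed) of the address each NIC was shipped with.
BASELINE = {
    "192.168.1.1": "00:50:56:c0:00:08",   # default gateway
    "192.168.1.10": "00:00:f8:12:34:56",  # first server
    "192.168.1.11": "00:00:f8:65:43:21",  # second server: its real NIC address
}


def normalize_mac(mac):
    """Lower-case, colon-separated form so '00-AB-..' and '00:ab:..' compare equal."""
    return mac.lower().replace("-", ":")


def parse_arp_table(text):
    """Return {ip: mac} from `arp -a` style output; header lines are skipped."""
    table = {}
    for line in text.splitlines():
        match = _ARP_ENTRY.match(line)
        if match:
            table[match.group("ip")] = normalize_mac(match.group("mac"))
    return table


def is_group_address(mac):
    """True for broadcast/multicast MACs (I/G bit set); these never identify a host."""
    return (int(mac[:2], 16) & 0x01) == 0x01


def is_locally_administered(mac):
    """True if the U/L bit is set, i.e. the address was assigned by software rather
    than by the vendor. A heuristic only: a cloned gateway MAC will not have it."""
    return (int(mac[:2], 16) & 0x02) == 0x02


def find_duplicate_macs(table):
    """Return {mac: [ip, ...]} for every unicast MAC claimed by more than one IP."""
    ips_by_mac = defaultdict(set)
    for ip, mac in table.items():
        if not is_group_address(mac):
            ips_by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in ips_by_mac.items() if len(ips) > 1}


def compare_with_baseline(table, baseline):
    """Return {ip: (expected_mac, observed_mac)} for hosts whose cached MAC differs
    from the inventory. Hosts missing from either side are ignored."""
    mismatches = {}
    for ip, expected in baseline.items():
        expected = normalize_mac(expected)
        observed = table.get(ip)
        if observed is not None and observed != expected:
            mismatches[ip] = (expected, observed)
    return mismatches


if __name__ == "__main__":
    table = parse_arp_table(SAMPLE_ARP_OUTPUT)
    for mac, ips in find_duplicate_macs(table).items():
        print(f"DUPLICATE {mac} claimed by {', '.join(ips)}")
    for ip, (expected, observed) in compare_with_baseline(table, BASELINE).items():
        flag = " (locally administered)" if is_locally_administered(observed) else ""
        print(f"CHANGED   {ip}: expected {expected}, cache shows {observed}{flag}")
```

On a real network, feed it the output of arp -a from a host that has recently talked to everything you care about, since the cache only holds addresses that host has resolved. The duplicate check will also fire for legitimate setups where one interface answers for several IP addresses, so treat a hit as a lead to investigate rather than a verdict.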
We called Microsoft to report what we thought was a security problem with their OS. The answer we received was surprising. The ability to set your own MAC address is part of the NDIS specification originally developed by 3Com and Microsoft. Microsoft does not consider it a security problem; it is standard, documented behavior. In fact, under Windows 2000 the ability to modify your MAC address has been incorporated into the GUI for many network adapter drivers.
My final thoughts
Because I still believe that this is a security issue, I will not give out the specific registry keys used to set your own MAC address. Permissions on the registry key (at least in Windows 2000) allow only Administrators and SYSTEM to write to it. I believe that it is still a security issue because the address can also be changed on Windows 95 and 98 computers, and those computers have no way to set permissions on registry keys. Note, too, that the registry permissions protect only the machine they sit on: an attacker needs administrative rights on a computer he already controls, such as a laptop plugged into a spare port, not on the victim, and nothing on the network checks where a MAC address came from.