MAC spoofing is when an adversary changes their device's media access control (MAC) address to match a legitimate network device, letting them impersonate that device and intercept or redirect traffic. It's a building block of ARP poisoning and on-path (man-in-the-middle) attacks.
MAC spoofing is faking a MAC address. Every network interface has a MAC address, a hardware identifier that switches and gateways use to know which device is which on a local network. When an adversary changes their device's MAC address to match a legitimate device, that's MAC spoofing.
On its own, MAC spoofing is just impersonation. Where it gets dangerous is in an ARP poisoning attack. The address resolution protocol (ARP) lets a default gateway build a table pairing IP addresses with MAC addresses. An adversary sends falsified ARP packets so the gateway links the target's IP address to the adversary's MAC address. Now traffic meant for the target flows to the attacker instead. That's an on-path attack (also called a man-in-the-middle attack), and the MAC spoof is what makes it work.
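A defender's view of the ARP poisoning described above, as an added example that is not part of the original page: it scans ARP reply observations and flags an IP address whose MAC changes, or a MAC that starts claiming a second IP address. The sample addresses, the function names, and the choice to treat the first binding seen as the baseline are assumptions for illustration.

```python
from collections import defaultdict

# Constructed ARP reply observations: (time, sender IP, sender MAC).
# All addresses are made up for this example.
SAMPLE_ARP_REPLIES = [
    (1, "192.168.1.1",  "aa:aa:aa:00:00:01"),  # default gateway
    (2, "192.168.1.20", "aa:aa:aa:00:00:20"),  # workstation
    (3, "192.168.1.66", "aa:aa:aa:00:00:66"),  # another host on the LAN
    (4, "192.168.1.20", "AA-AA-AA-00-00-20"),  # same binding, other notation
    (5, "192.168.1.20", "aa:aa:aa:00:00:66"),  # workstation IP, different MAC
    (6, "192.168.1.1",  "aa:aa:aa:00:00:66"),  # gateway IP, same different MAC
]

def normalize_mac(mac):
    """Lower-case and use ':' separators so equal MACs compare equal."""
    return mac.lower().replace("-", ":")

def find_arp_anomalies(replies):
    """Return alerts for IP-to-MAC rebinding and for a MAC claiming a 2nd IP.

    Assumption: the first binding seen for an IP is the trusted baseline.
    A real deployment would load the baseline from inventory or DHCP leases.
    """
    ip_to_mac = {}                 # baseline MAC for each IP
    mac_to_ips = defaultdict(set)  # every IP each MAC has claimed
    alerts = []
    for ts, ip, mac in sorted(replies):
        mac = normalize_mac(mac)
        baseline = ip_to_mac.setdefault(ip, mac)
        if baseline != mac:
            # The table entry for this IP would now point at another device.
            alerts.append((ts, "rebind", ip, baseline, mac))
        if ip not in mac_to_ips[mac]:
            mac_to_ips[mac].add(ip)
            # Alert once, when a MAC first answers for a second IP.
            # Routers and multi-homed hosts can do this legitimately.
            if len(mac_to_ips[mac]) == 2:
                ips = tuple(sorted(mac_to_ips[mac]))
                alerts.append((ts, "multi_ip", mac, ips))
    return alerts

if __name__ == "__main__":
    for alert in find_arp_anomalies(SAMPLE_ARP_REPLIES):
        print(alert)
```

A rebind alert on the gateway's IP address is the highest-priority signal here, because that entry controls where traffic leaving the LAN is sent.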
This term lives in Unit 3: Securing Networks, topic 3.1 Network Vulnerabilities and Attacks. It directly supports AP Cybersecurity 3.1.A (identify common network attacks), since EK 3.1.A.1 names MAC spoofing as the act of faking a MAC address inside an ARP poisoning / on-path attack. It also ties into AP Cybersecurity 3.1.B, because spoofing a legitimate device is one of the ways adversaries send malicious traffic into a network. The bigger theme is the CIA triad: an on-path attack built on MAC spoofing threatens confidentiality (the attacker reads your traffic) and integrity (they can alter it in transit), which is exactly what AP Cybersecurity 3.1.C asks you to assess as risk.
ARP poisoning and on-path attacks (Unit 3)
MAC spoofing is the engine; ARP poisoning is the car. Faking the MAC is what lets the poisoned ARP table reroute a target's traffic to the attacker, turning the spoof into a full man-in-the-middle attack.
MAC address (Unit 3)
You can't fake what you don't understand. A MAC address is the hardware ID switches use to forward frames, and MAC spoofing simply lies about that ID to wear another device's identity.
MAC filtering and port security (Unit 3)
These are the defenses spoofing tries to beat. MAC filtering allows only approved MAC addresses, and port security (EK 3.1.B.3) locks down switch ports, but a spoofed MAC can mimic an allowed address, which is why MAC filtering alone is weak.
Network segmentation and VLANs (Unit 3)
Even if an attacker spoofs a MAC and gets on the LAN, segmenting the network or splitting it into VLANs limits how far they can move laterally (EK 3.1.B.2) to reach more sensitive systems.
Expect this as a straightforward MCQ identification. A stem will describe the action ("An adversary modifies their device's MAC address to match a legitimate network device") and ask you to name it, with MAC spoofing as the correct answer. Watch the wording closely: questions about impersonating a device's identity point to MAC spoofing, while questions about making packets look like they came from a trusted server lean toward IP spoofing, and intercepting traffic mid-stream points to an on-path / man-in-the-middle attack. No released FRQ uses the term verbatim, but it supports risk-analysis prompts where you explain how an adversary intercepts or alters data in transit and threatens confidentiality and integrity.
MAC spoofing fakes the hardware MAC address to impersonate a device on the local network, usually as part of ARP poisoning. IP spoofing fakes the source IP address so packets appear to come from a trusted source. One impersonates the device; the other impersonates the packet's origin. On the MCQ, 'matches a legitimate device's MAC' equals MAC spoofing, while 'packets appear to originate from a trusted server' equals IP spoofing.
MAC spoofing is changing your device's MAC address to match a legitimate device so you can impersonate it on the network.
It's the core trick behind ARP poisoning, which redirects a target's traffic to the attacker and creates an on-path (man-in-the-middle) attack.
On the AP exam, a stem describing an adversary matching a legitimate device's MAC address is asking for the term 'MAC spoofing.'
MAC spoofing threatens confidentiality and integrity because the attacker can read and alter intercepted traffic (ties to AP Cybersecurity 3.1.C).
MAC filtering alone is a weak defense, since an attacker can spoof an approved MAC to slip past it.
MAC spoofing is when an adversary changes their device's media access control (MAC) address to match a legitimate device on the network, letting them impersonate it. The CED (EK 3.1.A.1) ties it directly to ARP poisoning and on-path attacks in Unit 3.
MAC spoofing fakes the hardware MAC address to impersonate a device on the local network, while IP spoofing fakes the source IP so packets look like they came from a trusted source. If the question says 'matches a legitimate device's MAC,' it's MAC spoofing; if packets 'appear to originate from a trusted server,' it's IP spoofing.
No. MAC spoofing is faking a MAC address, and ARP poisoning is the attack that uses a spoofed MAC to corrupt the gateway's ARP table so traffic gets rerouted to the attacker. MAC spoofing is the technique; ARP poisoning is the attack it enables.
Not reliably. An attacker can spoof an approved MAC address to slip past MAC filtering, which is why it's considered a weak standalone defense. Pairing it with port security and network segmentation limits the damage.
Because it enables on-path attacks where the adversary can intercept data (breaking confidentiality) and alter it in transit (breaking integrity). That's exactly the kind of risk AP Cybersecurity 3.1.C asks you to assess and document.