---
title: "MAC Spoofing — AP Cybersecurity Definition & Exam Guide"
description: "MAC spoofing is faking a device's MAC address to impersonate a legitimate device on a network. Learn how it powers ARP poisoning and on-path attacks for AP Cybersecurity Unit 3."
canonical: "https://fiveable.me/ap-cybersecurity/key-terms/mac-spoofing"
type: "key-term"
subject: "AP Cybersecurity"
unit: "Unit 3"
---

# MAC Spoofing — AP Cybersecurity Definition & Exam Guide

## Definition

MAC spoofing is when an adversary changes their device's media access control (MAC) address to match a legitimate network device, letting them impersonate that device and intercept or redirect traffic. It's a building block of ARP poisoning and on-path (man-in-the-middle) attacks.

## What It Is

**MAC spoofing is faking a [MAC address](/ap-cybersecurity/key-terms/mac-address "fv-autolink").** Every network interface has a MAC address, a hardware identifier that switches and gateways use to know which device is which on a local network. When an adversary changes their device's MAC address to match a legitimate device, that's MAC spoofing.

On its own, MAC spoofing is just [impersonation](/ap-cybersecurity/unit-1/understanding-social-engineering/study-guide/TBmFY733Y9zYkD80i0py "fv-autolink"). Where it gets dangerous is in an **[ARP poisoning attack](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97 "fv-autolink")**. The address resolution protocol (ARP) lets a default gateway build a table pairing IP addresses with MAC addresses. An adversary sends falsified ARP packets so the gateway links the *target's* IP address to the *adversary's* MAC address. Now traffic meant for the target flows to the attacker instead. That's an **on-path attack** (also called a man-in-the-middle attack), and the MAC spoof is what makes it work.

## Why It Matters

This term lives in **[Unit 3](/ap-cybersecurity/unit-3 "fv-autolink"): Securing Networks**, topic 3.1 Network Vulnerabilities and Attacks. It directly supports **[AP Cybersecurity](/ap-cybersecurity "fv-autolink") 3.1.A** (identify common network attacks), since EK 3.1.A.1 names MAC spoofing as the act of faking a MAC address inside an ARP poisoning / on-path attack. It also ties into **AP Cybersecurity 3.1.B**, because spoofing a legitimate device is one of the ways adversaries send malicious traffic into a network. The bigger theme is the CIA triad: an on-path attack built on MAC spoofing threatens **confidentiality** (the attacker reads your traffic) and **integrity** (they can alter it in transit), which is exactly what AP Cybersecurity 3.1.C asks you to assess as risk.

## Connections

### ARP poisoning and on-path attacks (Unit 3)

MAC spoofing is the engine; [ARP poisoning](/ap-cybersecurity/key-terms/arp-poisoning "fv-autolink") is the car. Faking the MAC is what lets the poisoned ARP table reroute a target's traffic to the attacker, turning into a full man-in-the-middle attack.

### [MAC address (Unit 3)](/ap-cybersecurity/key-terms/mac-address)

You can't fake what you don't understand. A MAC address is the hardware ID switches use to route frames, and MAC spoofing simply lies about that ID to wear another device's identity.

### MAC filtering and port security (Unit 3)

These are the defenses spoofing tries to beat. [MAC filtering](/ap-cybersecurity/key-terms/mac-filtering "fv-autolink") allows only approved MAC addresses, and port security (EK 3.1.B.3) locks down switch ports, but a spoofed MAC can mimic an allowed address, which is why MAC filtering alone is weak.

### Network segmentation and VLANs (Unit 3)

Even if an attacker spoofs a MAC and gets on the LAN, segmenting the network or splitting it into VLANs limits how far they can move laterally (EK 3.1.B.2) to reach more sensitive systems.

## On the AP Exam

Expect this as a straightforward MCQ identification. A stem will describe the action ("An adversary modifies their device's MAC address to match a legitimate network device") and ask you to name it, with MAC spoofing as the correct answer. Watch the wording closely: questions about impersonating a *device's identity* point to MAC spoofing, while questions about making *packets* look like they came from a trusted server lean toward IP spoofing, and intercepting traffic mid-stream points to an on-path / man-in-the-middle attack. No released FRQ uses the term verbatim, but it supports risk-analysis prompts where you explain how an adversary intercepts or alters data in transit and threatens confidentiality and integrity.

## MAC spoofing vs IP spoofing

MAC spoofing fakes the hardware MAC address to impersonate a device on the local network, usually as part of ARP poisoning. IP spoofing fakes the source IP address so packets appear to come from a trusted source. One impersonates the device; the other impersonates the packet's origin. On the MCQ, 'matches a legitimate device's MAC' equals MAC spoofing, while 'packets appear to originate from a trusted server' equals IP spoofing.

## Key Takeaways

- MAC spoofing is changing your device's MAC address to match a legitimate device so you can impersonate it on the network.
- It's the core trick behind ARP poisoning, which redirects a target's traffic to the attacker and creates an on-path (man-in-the-middle) attack.
- On the AP exam, a stem describing an adversary matching a legitimate device's MAC address is asking for the term 'MAC spoofing.'
- MAC spoofing threatens confidentiality and integrity because the attacker can read and alter intercepted traffic (ties to AP Cybersecurity 3.1.C).
- MAC filtering alone is a weak defense, since an attacker can spoof an approved MAC to slip past it.

## FAQs

### What is MAC spoofing in AP Cybersecurity?

MAC spoofing is when an [adversary](/ap-cybersecurity/key-terms/adversary "fv-autolink") changes their device's media access control (MAC) address to match a legitimate device on the network, letting them impersonate it. The CED (EK 3.1.A.1) ties it directly to ARP poisoning and on-path attacks in Unit 3.

### How is MAC spoofing different from IP spoofing?

MAC spoofing fakes the hardware MAC address to impersonate a device on the local network, while IP spoofing fakes the source IP so packets look like they came from a trusted source. If the question says 'matches a legitimate device's MAC,' it's MAC spoofing; if packets 'appear to originate from a trusted server,' it's IP spoofing.

### Is MAC spoofing the same as ARP poisoning?

No. MAC spoofing is faking a MAC address, and ARP poisoning is the attack that uses a spoofed MAC to corrupt the gateway's ARP table so traffic gets rerouted to the attacker. MAC spoofing is the technique; ARP poisoning is the attack it enables.

### Does MAC filtering stop MAC spoofing?

Not reliably. An attacker can spoof an approved MAC address to slip past MAC filtering, which is why it's considered a weak standalone defense. Pairing it with port security and network segmentation limits the damage.

### Why does MAC spoofing matter for the CIA triad?

Because it enables on-path attacks where the adversary can intercept data (breaking confidentiality) and alter it in transit (breaking integrity). That's exactly the kind of risk AP Cybersecurity 3.1.C asks you to assess and document.

## Related Study Guides

- [3.1 Network Vulnerabilities and Attacks](/ap-cybersecurity/unit-3/network-vulnerabilities-and-attacks/study-guide/9lJpNM0eCHQ1M3XgFL97)

## Structured Data

```json
{"@context":"https://schema.org","@graph":[{"@type":"LearningResource","@id":"https://fiveable.me/ap-cybersecurity/key-terms/mac-spoofing#resource","name":"MAC Spoofing — AP Cybersecurity Definition & Exam Guide","url":"https://fiveable.me/ap-cybersecurity/key-terms/mac-spoofing","learningResourceType":"Concept explainer","educationalLevel":"AP® / High School","about":{"@id":"https://fiveable.me/ap-cybersecurity/key-terms/mac-spoofing#term"},"audience":{"@type":"EducationalAudience","educationalRole":"student"},"dateModified":"2026-06-15T18:59:29.365Z","isPartOf":{"@type":"Collection","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"publisher":{"@type":"Organization","name":"Fiveable","url":"https://fiveable.me"}},{"@type":"DefinedTerm","@id":"https://fiveable.me/ap-cybersecurity/key-terms/mac-spoofing#term","name":"MAC spoofing","description":"MAC spoofing is when an adversary changes their device's media access control (MAC) address to match a legitimate network device, letting them impersonate that device and intercept or redirect traffic. It's a building block of ARP poisoning and on-path (man-in-the-middle) attacks.","url":"https://fiveable.me/ap-cybersecurity/key-terms/mac-spoofing","inDefinedTermSet":{"@type":"DefinedTermSet","name":"AP Cybersecurity Key Terms","url":"https://fiveable.me/ap-cybersecurity/key-terms"},"educationalAlignment":[{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.A"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.B"},{"@type":"AlignmentObject","alignmentType":"educationalSubject","educationalFramework":"AP® Course and Exam Description","targetName":"AP Cybersecurity Unit 3, Topic 3.1, LO 3.1.C"}]},{"@type":"FAQPage","mainEntity":[{"@type":"Question","name":"What is MAC spoofing in AP Cybersecurity?","acceptedAnswer":{"@type":"Answer","text":"MAC spoofing is when an [adversary](/ap-cybersecurity/key-terms/adversary \"fv-autolink\") changes their device's media access control (MAC) address to match a legitimate device on the network, letting them impersonate it. The CED (EK 3.1.A.1) ties it directly to ARP poisoning and on-path attacks in Unit 3."}},{"@type":"Question","name":"How is MAC spoofing different from IP spoofing?","acceptedAnswer":{"@type":"Answer","text":"MAC spoofing fakes the hardware MAC address to impersonate a device on the local network, while IP spoofing fakes the source IP so packets look like they came from a trusted source. If the question says 'matches a legitimate device's MAC,' it's MAC spoofing; if packets 'appear to originate from a trusted server,' it's IP spoofing."}},{"@type":"Question","name":"Is MAC spoofing the same as ARP poisoning?","acceptedAnswer":{"@type":"Answer","text":"No. MAC spoofing is faking a MAC address, and ARP poisoning is the attack that uses a spoofed MAC to corrupt the gateway's ARP table so traffic gets rerouted to the attacker. MAC spoofing is the technique; ARP poisoning is the attack it enables."}},{"@type":"Question","name":"Does MAC filtering stop MAC spoofing?","acceptedAnswer":{"@type":"Answer","text":"Not reliably. An attacker can spoof an approved MAC address to slip past MAC filtering, which is why it's considered a weak standalone defense. Pairing it with port security and network segmentation limits the damage."}},{"@type":"Question","name":"Why does MAC spoofing matter for the CIA triad?","acceptedAnswer":{"@type":"Answer","text":"Because it enables on-path attacks where the adversary can intercept data (breaking confidentiality) and alter it in transit (breaking integrity). That's exactly the kind of risk AP Cybersecurity 3.1.C asks you to assess and document."}}]},{"@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"name":"AP Cybersecurity","item":"https://fiveable.me/ap-cybersecurity"},{"@type":"ListItem","position":2,"name":"Key Terms","item":"https://fiveable.me/ap-cybersecurity/key-terms"},{"@type":"ListItem","position":3,"name":"Unit 3","item":"https://fiveable.me/ap-cybersecurity/unit-3"},{"@type":"ListItem","position":4,"name":"MAC spoofing"}]}]}
```
