If a hotspot provider uses a Web portal to charge customers for wireless access, is that service vulnerable to MAC address spoofing?
In a nutshell, the answer is sometimes. I have encountered many hotspots that allowed me to log in while associated with one wireless card, then continue using the hotspot after disconnecting that card and switching to another card that used the same (spoofed) MAC address. But this is not always so.
Before you log into a hotspot, Web requests from your browser are redirected to a captive portal login page. After you log in, traffic that originates from your MAC address is no longer held captive, so to speak, and is permitted to reach the Internet. In theory, it doesn't matter which device is using that MAC address, and it is not hard to change a device's MAC address to the MAC address used by someone else who has already logged in.
In practice, the logged-in client may be required to maintain its authenticated state -- for example, by sending traffic every so often or keeping a browser window open or Java applet running. Some hotspot access control filters check more than MAC address -- for example, allowing access from a MAC address that uses a LAN port in a specific hotel room or is associated to a specific AP/switch/subnet. In the few commercial hotspots that use WPA, Internet access requires the client to have the session key delivered during 802.1X authentication. In short, there are ways that hotspots can try to mitigate MAC spoofing -- but there are also many simple hotspots that don't protect themselves.
But note that if two wireless clients try to use the same MAC address simultaneously, through the same AP, they are likely to interfere with each other. For example, when one client disconnects from the AP, the other client will lose its associated state and have to reconnect to the AP, disrupting application sessions and eventually frustrating the user. This is precisely what happens during many Wi-Fi Denial of Service attacks. To gain Internet access, the legitimate client must go away before the spoofed MAC address can be productively used by another client without that kind of interference.
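As an added example (not part of the original answer), here is a small Python model of the stricter portal checks described above: an allow-list entry bound to the MAC address plus the AP the client logged in through, expired when the client stops sending traffic, with a flag raised whenever the same MAC shows up on a second AP while a session is live. The MAC addresses, AP names and the 300-second idle timeout are constructed values.

```python
from dataclasses import dataclass

IDLE_TIMEOUT = 300  # seconds a session survives without traffic (assumed policy)


@dataclass
class Session:
    mac: str
    ap_id: str        # AP / switch port the client authenticated through
    last_seen: float  # timestamp of the last frame seen from this client


class PortalAuthorizer:
    """Constructed model of a captive-portal allow list keyed on more than MAC."""

    def __init__(self, idle_timeout=IDLE_TIMEOUT):
        self.idle_timeout = idle_timeout
        self.sessions = {}  # mac -> Session
        self.alerts = []    # (mac, login AP, other AP, time): duplicate-MAC signal

    def login(self, mac, ap_id, now):
        """Record a successful portal login from mac via ap_id."""
        self.sessions[mac] = Session(mac, ap_id, now)

    def authorize(self, mac, ap_id, now):
        """Return True if a frame from (mac, ap_id) may leave for the Internet."""
        s = self.sessions.get(mac)
        if s is None:
            return False                # never logged in: stays captive
        if now - s.last_seen > self.idle_timeout:
            del self.sessions[mac]      # authenticated state lapsed; log in again
            return False
        if ap_id != s.ap_id:
            # Same MAC, different AP while the session is live: either a roaming
            # client or a second device carrying the same MAC. Deny and flag it;
            # a portal that supports roaming would require a fresh login instead.
            self.alerts.append((mac, s.ap_id, ap_id, now))
            return False
        s.last_seen = now               # traffic keeps the session alive
        return True


def demo():
    """Walk one constructed client through the four outcomes."""
    auth = PortalAuthorizer(idle_timeout=300)
    auth.login("aa:bb:cc:dd:ee:01", "ap-lobby", now=1000.0)
    results = {
        "same_ap": auth.authorize("aa:bb:cc:dd:ee:01", "ap-lobby", 1010.0),
        "other_ap": auth.authorize("aa:bb:cc:dd:ee:01", "ap-room-3", 1020.0),
        "unknown_mac": auth.authorize("aa:bb:cc:dd:ee:02", "ap-lobby", 1030.0),
        "after_idle": auth.authorize("aa:bb:cc:dd:ee:01", "ap-lobby", 1400.0),
    }
    return results, auth.alerts
```

The duplicate-MAC alert is the defender's view of the interference the answer describes: two clients sharing one MAC through the hotspot leave a trace the portal or WLAN controller can log.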
This was first published in May 2007.