Is a device's MAC address permanent and globally unique?
Short answer
No. A MAC is assigned by the vendor (OUI plus device id) and is 'burned in,' but essentially every OS lets you override it in software (macchanger, ip link set address). So MAC addresses are spoofable and must not be relied on for authentication — MAC filtering is weak, and phones now randomize MACs for privacy. 'Permanent and unique' is the misconception.
This is a classic misconception because the phrase "burned-in address" sounds permanent. Interviewers ask it to see whether you treat a MAC as a trustworthy identity or as a freely-editable label.
Where the MAC comes from
A 48-bit MAC has two halves: the first 24 bits are the Organizationally Unique Identifier (OUI) assigned to the vendor by the IEEE, and the rest identifies the specific card. The vendor stores a default value in the NIC's firmware, which is the "burned-in address." Within the assigned ranges these defaults are intended to be globally unique — but that's a manufacturing convention, not a security guarantee.
Why it isn't permanent
The MAC used on the wire is whatever the network stack puts in the frame, and every mainstream OS lets you override it. On Linux it's ip link set dev eth0 address ... or the macchanger tool; Windows exposes it in the adapter's advanced properties; macOS uses ifconfig. The change is instant and reversible. So a MAC is spoofable, which is why MAC-based access control (MAC filtering on Wi-Fi, MAC "authentication") is weak — an attacker simply clones an allowed address they sniffed off the air.
The privacy twist
Because a stable MAC let venues and trackers follow a device across networks, modern phones and laptops now use MAC randomization: they present a different, randomly generated MAC per SSID (the locally-administered bit set to 1). So in practice the "globally unique" assumption fails for privacy reasons too.
Why the distractors are tempting
"Fused into the NIC" and "IEEE guarantees immutability" both restate the burned-in myth. The "only the OUI changes" answer inverts reality — you can override the whole address.
What interviewers want
A flat "no," the spoofing mechanism, and the security takeaway: never authenticate or trust solely on MAC. Bonus points for naming randomization.
Likely follow-ups
- Walk me through how you'd change a MAC on Linux, and why an attacker would.
- Why do modern phones randomize their MAC address per network?
- What is the locally-administered bit and how does it relate to spoofing?