It's not just a guess.

Any decent sniffer (e.g. airsnort) can immediately identify all associations between all WiFi/Bluetooth devices. DD-WRT (router firmware/OS) has this WiFi-associations detector built-in ("local WiFi map"). There is no need to attempt any sort of hack — associations are publicly-broadcast information.

Then, just pick any authorized MAC and duplicate as your own.

The MAC addresses of all the Wi-Fi clients are broadcast in plain radio format all over the 2.4GHz. It is trivial.

It's in management frames that you can sniff.

Does wpa3 pmf fix this particular issue?

This isn't considered "broken" — it's part of how WiFi works/associates.