Discussion Got freaked out by iPhone Private MAC on my network.

Apr 13, 2022
2
1
15
I recently got freaked out by a MAC address on my local wifi network. It wasn't one that I'd written down, I couldn't ping the IP address, and when I looked up the OUI it came back unknown. I was wondering if some rogue device was connected to my network.

So I blocked the MAC address for wifi access, and then a NEW MAC address also showed up not long after. I was like, this device reconfigures itself and reattaches! I'm being spied on :) ! Next thing I was going to do was change my wifi password and see if this rogue device still connected.

Luckily it finally clicked that my iPhone wasn't listed as connected to my wifi network - yet somehow it was on the network and working... what? So I looked up its IP address and lo and behold it was the rogue MAC address.

I learned a few more things:
  • OUI lookup sites neglect to tell you when you've entered a "locally administered" OUI that can't be assigned to a manufacturer. At least the 2 that I tried. I learned that by searching a little more
  • With some iOS update on my iPhone, it started using a Private MAC address for each wireless network. I hadn't checked my network client list in too long to notice that this happened.
  • When I blocked the first MAC address (which was my 2.4G network SSID), my phone just went to the next auto-join SSID, which was my 5G wifi SSID. That's how it got back on the network and made me feel like complex government devices were spying on me...
  • Our family iPad was turned off - or I would have noticed that it was doing it too
Anyone else been taken by surprise by this shift to private MAC addresses? I read that Android supports this too now.

Do people think it's a generally good thing? I read about the security reasons behind it and it makes sense. For the implementation on my iPhone, I think it stays static for each different wireless SSID. I read that some implementations randomize the private MAC every 24 hours. That would make it hard to do a quick scan of my client list on the router and make sure I recognize everything (I can "name" devices on my ASUS router by MAC address so I can quickly spot unnamed devices and investigate).
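For the OUI point above: the lookup sites ignore the U/L flag in the first octet, which is exactly what a Private Wi-Fi Address sets. This is an added Python example (not from this thread or any router vendor) that decodes that flag and triages a router client list with it; the client names and MAC addresses are constructed.

```python
import re

# Bit layout of the first MAC octet (IEEE 802): bit 0 is I/G (0 = unicast,
# 1 = group/multicast); bit 1 is U/L (0 = universally administered, i.e. from
# an IEEE-assigned OUI; 1 = locally administered). iOS "Private Wi-Fi Address"
# and Android MAC randomization set the U/L bit, so no vendor lookup can work.
LOCAL_BIT = 0x02
GROUP_BIT = 0x01


def normalize_mac(mac: str) -> str:
    """Return the address as 12 lowercase hex digits; accepts :, - or . separators."""
    digits = re.sub(r"[:\-.\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def classify_mac(mac: str) -> dict:
    """Decode the U/L and I/G flags so the caller knows whether an OUI lookup is meaningful."""
    digits = normalize_mac(mac)
    first = int(digits[:2], 16)
    local = bool(first & LOCAL_BIT)
    return {
        "mac": ":".join(digits[i:i + 2] for i in range(0, 12, 2)),
        "oui": digits[:6].upper(),
        "locally_administered": local,
        "multicast": bool(first & GROUP_BIT),
        "oui_lookup_meaningful": not local,
    }


def review_clients(clients):
    """Triage a router client list of (name, mac) pairs; an empty name means not yet labelled."""
    findings = []
    for name, mac in clients:
        info = classify_mac(mac)
        if name:
            continue  # already recognised and labelled on the router
        if info["locally_administered"]:
            verdict = "private/randomised address: check phones and tablets first"
        else:
            verdict = "universally administered: OUI lookup should name the vendor"
        findings.append((info["mac"], verdict))
    return findings


# Constructed sample client list, not taken from any real router.
SAMPLE_CLIENTS = [
    ("Printer", "00:11:22:33:44:55"),
    ("", "da:1f:4c:9a:7b:e2"),  # U/L bit set: looks like a phone's private address
    ("", "00:11:22:aa:bb:cc"),  # U/L bit clear: a real OUI, worth looking up
]
```

Because iOS keeps the private address stable per SSID, an unnamed locally administered entry can still be labelled on the router once, per network, and will stay recognisable.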
 
Does your router not have a function whereby only a list of approved MAC addresses can connect? I have a Netgear router and with Access Control turned on only my approved list of MAC addresses can connect; everything else is rejected. It sounds like you are not setting up your router properly for full security.
 
> Does your router not have a function whereby only a list of approved MAC addresses can connect? I have a Netgear router and with Access Control turned on only my approved list of MAC addresses can connect; everything else is rejected. It sounds like you are not setting up your router properly for full security.

Setting up a router like this is fine if you're a bachelor without other people living in the house. But a real pain when someone wants to connect to the wifi and you're not home to administer it.

I would use a MAC address whitelist filter only if you also have the ability to enable a guest network.
 
> Does your router not have a function whereby only a list of approved MAC addresses can connect? I have a Netgear router and with Access Control turned on only my approved list of MAC addresses can connect; everything else is rejected. It sounds like you are not setting up your router properly for full security.

Good suggestions. I do have a family but it's just my wife and me. Our 3 year old isn't adding devices to the network (yet). I could probably administer with a whitelist just fine. We do have friends come over once in a while but really only when I'm around. If it happens more, I could add a guest network too.

If I'd been doing the whitelist thing then I would have noticed immediately when our iOS devices started using private MACs - I'd have had to figure out why they weren't connecting!
 
Some routers and access points also have WIFI ISOLATION, which you can enable now. If you don't need your wifi devices to talk to each other, this can also help security. It should certainly be enabled on guest networks, and optional on your main network.

MAC address whitelisting is not foolproof. Someone can set up a fake access point with the same wifi name as yours. One of your devices will try to connect to it, and the nefarious person could retrieve the MAC address easily. They can then change the MAC address of their device to mimic your approved device. It's a few extra steps, but easy to do. I have a travel router that I use in hotel rooms which allows me to mimic the MAC address of my PC with just a few clicks so I can log into the hotel's internet. Then I use the travel router for all my devices (Firestick, iPad, phone, etc.) and only have to log in once.