Netgate Discussion Forum

Private Mac addresses in IOS14

General pfSense Questions
bcruze, Sep 17, 2020, 10:50 PM (last edited Sep 18, 2020, 8:19 AM)

    Boy, this will cause some headaches. Devices I had assigned static addresses to for certain reasons?
    Nope, no longer working; you have to turn it off... assuming they're your devices to touch.

    https://support.apple.com/en-us/HT211227

JKnott @bcruze, Sep 18, 2020, 1:30 AM

      @bcruze

      For the MAC address to be at risk, any interception would have to be no later than the first router, as that's as far as the MAC address will go. So, if you have a separate router, such as pfSense, no one beyond the local LAN will be able to see your MAC.

      On the other hand, maybe I should dust off my tinfoil hat. 😉

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

NollipfSense @bcruze, Sep 18, 2020, 1:42 AM

        @bcruze said in Private Mac addresses in ios14:

        Boy, this will cause some headaches. Devices I had assigned static addresses to for certain reasons?
        Nope, no longer working; you have to turn it off... assuming they're your devices to touch.

        https://support.apple.com/en-us/HT211227

        From the link you shared, it doesn't appear you'll have any issues with your static addresses.

        pfSense+ 23.09 Lenovo Thinkcentre M93P SFF Quadcore i7 dual Raid-ZFS 128GB-SSD 32GB-RAM PCI-Intel i350-t4 NIC, -Intel QAT 8950.
        pfSense+ 23.09 VM-Proxmox, Dell Precision Xeon-W2155 Nvme 500GB-ZFS 128GB-RAM PCIe-Intel i350-t4, Intel QAT-8950, P-cloud.

NogBadTheBad, Sep 18, 2020, 6:25 AM

          You can set "don't use private MAC addresses" for each SSID you join.

          Andy

          1 x Netgate SG-4860 - 3 x Linksys LGS308P - 1 x Aruba InstantOn AP22

bcruze, Sep 18, 2020, 8:08 AM

            I'll explain what happened after I updated a few of my devices on my network.

            I originally assigned a few devices specific IP addresses by MAC address, created an alias, and created a rule for that alias to go out a certain gateway. After updating my devices I didn't realize this new feature was enabled, so the original traffic path was not working. Since these are my devices I could turn that new feature off, and all was normal again.

            2nd observation: because a new MAC address was generated, a new DHCP leased address was taken. On bigger networks with a limited pool that can cause an issue.

            Just sharing my experience after updating my devices 😁

JKnott @NogBadTheBad, Sep 18, 2020, 10:48 AM

              @NogBadTheBad

              Also, there's no such thing as a "private" MAC. You either use whatever the hardware came with or, with some equipment, use a locally assigned MAC. Either way, it doesn't make any difference once you pass through a router.

NogBadTheBad @JKnott, Sep 18, 2020, 11:52 AM (last edited 11:53 AM)

                @JKnott said in Private Mac addresses in IOS14:

                @NogBadTheBad

                Also, there's no such thing as a "private" MAC. You either use whatever the hardware came with or, with some equipment, use a locally assigned MAC. Either way, it doesn't make any difference once you pass through a router.

                It's generating a random MAC per SSID.

                A2:F3:9B and 76:9E:2F from the same device with Private Addresses enabled.

JKnott @NogBadTheBad, Sep 18, 2020, 1:28 PM

                  @NogBadTheBad

                  Again, the MAC address is completely irrelevant beyond the first router. So, if you're running your own router, not even your ISP will see your phone's MAC address. The snooping must be done no later than that first router. It's definitely tinfoil hat time!

johnpoz (LAYER 8 Global Moderator), Sep 18, 2020, 2:05 PM

                    While it is possible that use of a different MAC (what Apple is calling "private") could cause you issues with your local controls, be it a captive portal, or DHCP reservations not working so you can no longer filter or route specific IPs based upon that device always getting the same IP via its reservation.

                    The privacy aspect of this is really meant for when you bounce around using different Wi-Fi networks. So, for example, you use the same MAC at Starbucks as you do at McDonalds. From this it would be possible for "someone" to know that, hey, the same device was at both Starbucks and McDonalds. While this MAC doesn't really tell them who the person was, combined with info given to, say, access the captive portal it could allow for tracking of Billy across multiple networks, if the operators/owners of these networks share information about what MAC addresses are accessing their network.

                    As mentioned a few times already, MACs are only seen on the L2 segment you are directly connected to.

                    For control and routing of these devices on your own local network, I would suggest you disable use of these so-called "private" MACs on your own local networks, so that your DHCP assignments still work and captive portals and/or policy routing function how you want them to.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

NogBadTheBad @JKnott, Sep 18, 2020, 2:40 PM
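The two posts above make two practical points: a randomized address is distinguishable from a burned-in one (the prefixes NogBadTheBad posted, A2:F3:9B and 76:9E:2F, both have the IEEE locally-administered bit set, which is bit 1 of the first octet), and the tracking johnpoz describes only works when the same MAC shows up on more than one network. The following is an added example, not code from the thread or from pfSense, that shows both: it scans constructed ISC dhcpd.leases-style records (the format pfSense's DHCP server writes) for leases from locally-administered MACs, reports which static mappings no longer match any lease, and then joins two constructed venue logs to show which addresses could be correlated across networks. The lease contents, hostnames, trailing octets and the `STATIC_MAPPINGS`, `VENUE_A_MACS` and `VENUE_B_MACS` values are all made up for the example. The U/L-bit check is generic: it flags Android's randomized addresses (mentioned later in the thread) just as it flags iOS ones.

```python
import re

# --- Constructed sample data (not from the thread) -------------------------
# ISC dhcpd.leases-style records as pfSense's DHCP server writes them. The
# first two use the randomized prefixes NogBadTheBad posted (A2:F3:9B and
# 76:9E:2F), padded with made-up trailing octets; the third is a made-up
# burned-in address whose first octet has the U/L bit clear.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  hardware ethernet a2:f3:9b:11:22:33;
  client-hostname "iPhone";
}
lease 192.168.1.51 {
  hardware ethernet 76:9e:2f:44:55:66;
  client-hostname "iPhone";
}
lease 192.168.1.52 {
  hardware ethernet 00:11:22:33:44:55;
  client-hostname "printer";
}
"""

# Hypothetical static mappings keyed by hardware MAC. The second entry stands
# for the phone's burned-in MAC, which it stops presenting once Private
# Address is on, so that mapping never matches a lease again.
STATIC_MAPPINGS = {
    "00:11:22:33:44:55": "192.168.1.52",
    "8c:85:90:01:02:03": "192.168.1.10",
}

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")
LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
HW_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:-]+);")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form; rejects anything that is not 6 octets."""
    mac = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 (0x02) of the first octet, the IEEE U/L bit, is set.

    Randomized addresses (iOS 14 Private Address, Android MAC randomization)
    set this bit; vendor-assigned (burned-in) addresses leave it clear.
    """
    return int(normalize_mac(mac)[:2], 16) & 0x02 != 0


def parse_leases(text: str) -> list:
    """Return (ip, mac, hostname) for each lease block that has a hardware line."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        hw = HW_RE.search(body)
        if not hw:
            continue  # abandoned or incomplete lease; nothing to key on
        host = HOST_RE.search(body)
        leases.append((ip, normalize_mac(hw.group(1)), host.group(1) if host else ""))
    return leases


def audit_leases(text: str, static_mappings: dict) -> dict:
    """Flag leases from randomized MACs and static mappings no lease uses."""
    unused = {normalize_mac(m) for m in static_mappings}
    randomized = []
    for ip, mac, host in parse_leases(text):
        unused.discard(mac)
        if is_locally_administered(mac):
            randomized.append((ip, mac, host))
    return {"randomized": randomized, "unused_static_mappings": sorted(unused)}


# Cross-network correlation as johnpoz described it: two venues compare the
# MACs their captive portals saw. Constructed sets: the burned-in address is
# the phone with Private Address off, seen at both; a2:... and 76:... are the
# same phone with it on, a different address per SSID, so they never overlap.
VENUE_A_MACS = {"8c:85:90:01:02:03", "a2:f3:9b:11:22:33"}
VENUE_B_MACS = {"8c:85:90:01:02:03", "76:9e:2f:44:55:66"}


def correlate(macs_a, macs_b) -> dict:
    """MACs both venues saw, split by whether they are a stable device identifier."""
    shared = {normalize_mac(m) for m in macs_a} & {normalize_mac(m) for m in macs_b}
    return {
        "trackable": sorted(m for m in shared if not is_locally_administered(m)),
        "randomized": sorted(m for m in shared if is_locally_administered(m)),
    }


if __name__ == "__main__":
    print(audit_leases(SAMPLE_LEASES, STATIC_MAPPINGS))
    print(correlate(VENUE_A_MACS, VENUE_B_MACS))
```

On a pfSense box the real input is /var/dhcpd/var/db/dhcpd.leases (for the ISC server); feeding that to `audit_leases` lists which clients are presenting randomized addresses and which static mappings have gone idle, which is exactly the set of devices bcruze had to visit to switch Private Address off.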

                      @JKnott said in Private Mac addresses in IOS14:

                      @NogBadTheBad

                      Again, the MAC address is completely irrelevant beyond the first router. So, if you're running your own router, not even your ISP will see your phone's MAC address. The snooping must be done no later than that first router. It's definitely tinfoil hat time!

                      Not sure why you keep saying this; what Apple terms private MAC addresses are really only designed to be used away from home.

                      It's really only of use when you are using free Wi-Fi and don't want your MAC address to be registered whenever you connect away from home.

stephenw10 (Netgate Administrator), Sep 18, 2020, 9:11 PM

                        Yeah, this could be painful initially when those devices send a different MAC, but it's not random every time they connect back to the same SSID.

                        Android does this now too: https://source.android.com/devices/tech/connect/wifi-mac-randomization

                        Steve

JKnott @stephenw10, Sep 18, 2020, 9:46 PM

                          @stephenw10

                          I just checked my Pixel 2 with my guest SSID and see it does use a random MAC for new SSIDs. However, anything I had set up on previous phones uses device MAC. I hadn't even known about that setting.

stephenw10 (Netgate Administrator), Sep 18, 2020, 10:28 PM

                            Ah that's good to know.

                            It was also unclear if it does this now by default on either OS, but I think it does.

                            Steve

JKnott @stephenw10, Sep 19, 2020, 1:06 AM (last edited 1:08 AM)

                              @stephenw10

                              My Pixel 2 with Android 10 has it, but not my Asus tablet with Android 7. Random is default, except for previously configured connections. So, any that were inherited from my Nexus 5 use the device MAC.

Vollans @stephenw10, Sep 20, 2020, 12:34 AM

                                @stephenw10 said in Private Mac addresses in IOS14:

                                It was also unclear if it does this now by default on either OS, but I think it does.

                                It's certainly turned on by default on my iPad Pro and iPhone 11 Max.

NollipfSense @Vollans, Sep 20, 2020, 7:14 PM

                                  @Vollans said in Private Mac addresses in IOS14:

                                  @stephenw10 said in Private Mac addresses in IOS14:

                                  It was also unclear if it does this now by default on either OS, but I think it does.

                                  It's certainly turned on by default on my iPad Pro and iPhone 11 Max.

                                  I upgraded last night just to see what it's about... seems like much ado about nothing, even if turned on by default.

johnpoz (LAYER 8 Global Moderator), Sep 20, 2020, 10:17 PM

                                    Yeah, not sure who it would cause a headache for, other than someone that doesn't understand how DHCP reservations work..

                                    So it turned it on for networks your phone had already been connected to?

JKnott @johnpoz, Sep 21, 2020, 1:55 AM

                                      @johnpoz said in Private Mac addresses in IOS14:

                                      So it turned it on for networks your phone had already been connected to?

                                      My understanding is it picks a new random MAC when connecting to a new SSID. It shouldn't change when you connect again.

Vollans @johnpoz, Sep 21, 2020, 2:01 AM

                                        @johnpoz yes, my pre-existing learnt networks have it switched on automatically. For me, that's not a problem.

Derelict (LAYER 8 Netgate), Oct 3, 2020, 7:50 PM

                                          Apple seems to have a pretty good POLA violation on their hands here, IMHO. Considering it uses the same MAC address every time it connects to the same network, it shouldn't break things like captive portals or DHCP pools. But static mappings, etc. will certainly break.

                                          The user should have at least been asked if they want new MAC addresses for existing networks, while the blank stares at the screen from the majority would be funny to montage.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

                                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.