Private MAC addresses in iOS 14



  • Boy, this will cause some headaches. Devices I had assigned static addresses for certain reasons?
    Nope, no longer working. You have to turn it off... assuming they're your devices to touch.

    https://support.apple.com/en-us/HT211227



  • @bcruze

    For the MAC address to be at risk, any interception would have to be no later than the first router, as that's as far as the MAC address will go. So, if you have a separate router, such as pfsense, no one beyond the local LAN will be able to see your MAC.

    On the other hand, maybe I should dust off my tinfoil hat. 😉



  • @bcruze said in Private Mac addresses in ios14:

    Boy, this will cause some headaches. Devices I had assigned static addresses for certain reasons?
    Nope, no longer working. You have to turn it off... assuming they're your devices to touch.

    https://support.apple.com/en-us/HT211227

    From the link you shared, it doesn't appear you'll have any issues with your static addresses.


  • Galactic Empire

    You can set "don't use private MAC addresses" for each SSID you join.



  • I’ll explain what happened after I updated a few of my devices on my network.

    I originally assigned a few devices specific IP addresses by MAC address. I created an alias, and created a rule for that alias to go out a certain gateway. After updating my devices I didn't realize this new feature was enabled, so the original traffic path was not working. Since these are my devices I could turn that new feature off, and all was normal again.

    2nd observation: because a new MAC address was generated, a new DHCP leased address was taken.. On bigger networks with a limited pool that can cause an issue.

    Just sharing my experience after updating my devices 😁

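    The breakage described in the post above (reservations keyed on a burned-in MAC that the device no longer uses, plus the extra pool lease) can be spotted from the DHCP server side. The following is an added example, not pfSense's or Apple's code: it parses leases in the ISC dhcpd.leases text format that pfSense writes, flags every active lease whose MAC is a locally administered unicast address (bit 1 of the first octet set, bit 0 clear, which is what the A2:... and 76:... addresses quoted later in the thread look like), and lists reservations whose MAC has gone quiet. The lease text and the static-mapping dict are constructed sample data, and `STATIC_MAPPINGS` stands in for what pfSense keeps in config.xml.

```python
"""Audit an ISC dhcpd.leases file for randomized ("private") client MACs.

Added example, not pfSense's or Apple's code. It assumes the dhcpd.leases
text format pfSense writes; static mappings are a plain dict here instead
of pfSense's config.xml. Randomized MACs from iOS 14 and Android 10 are
locally administered unicast addresses: bit 1 of the first octet set,
bit 0 clear.
"""
import re

# Constructed sample modelled on dhcpd.leases syntax. Not a real capture.
SAMPLE_LEASES = """\
lease 192.168.1.50 {
  starts 4 2020/09/17 20:10:00;
  ends 4 2020/09/18 20:10:00;
  binding state active;
  hardware ethernet a2:f3:9b:44:55:66;
  client-hostname "bcruze-iphone";
}
lease 192.168.1.51 {
  starts 4 2020/09/17 20:12:00;
  ends 4 2020/09/18 20:12:00;
  binding state active;
  hardware ethernet 76:9e:2f:aa:bb:cc;
  client-hostname "bcruze-ipad";
}
lease 192.168.1.52 {
  starts 4 2020/09/17 20:15:00;
  ends 4 2020/09/18 20:15:00;
  binding state active;
  hardware ethernet 3c:22:fb:12:34:56;
  client-hostname "macbook";
}
lease 192.168.1.53 {
  starts 3 2020/09/16 09:00:00;
  ends 4 2020/09/17 09:00:00;
  binding state free;
  hardware ethernet 00:11:22:33:44:55;
}
"""

# Constructed: static mappings (MAC -> reserved IP) as an admin might have
# entered them for the devices' burned-in addresses before the upgrade.
STATIC_MAPPINGS = {
    "f0:18:98:01:02:03": "192.168.1.10",   # bcruze-iphone, hardware MAC
    "f0:18:98:04:05:06": "192.168.1.11",   # bcruze-ipad, hardware MAC
    "3c:22:fb:12:34:56": "192.168.1.52",   # macbook, still matching
}

_LEASE_RE = re.compile(r"lease\s+(?P<ip>[\d.]+)\s*\{(?P<body>.*?)\}", re.DOTALL)


def is_locally_administered(mac: str) -> bool:
    """True when the I/G bit is 0 (unicast) and the U/L bit is 1 (locally
    administered), which is what OS-generated random MACs look like."""
    first = int(mac.split(":")[0], 16)
    return (first & 0x03) == 0x02


def parse_leases(text: str) -> list:
    """Return one dict per lease block: ip, mac, state, hostname."""
    leases = []
    for m in _LEASE_RE.finditer(text):
        body = m.group("body")
        mac = re.search(r"hardware ethernet\s+([0-9a-fA-F:]{17});", body)
        state = re.search(r"binding state\s+(\w+);", body)
        host = re.search(r'client-hostname\s+"([^"]*)";', body)
        if not (mac and state):
            continue  # malformed block; skip rather than guess
        leases.append({
            "ip": m.group("ip"),
            "mac": mac.group(1).lower(),
            "state": state.group(1),
            "hostname": host.group(1) if host else None,
        })
    return leases


def audit(leases: list, static_mappings: dict) -> dict:
    """Summarise the impact of randomized MACs on this DHCP scope."""
    active = [lease for lease in leases if lease["state"] == "active"]
    randomized = [lease for lease in active if is_locally_administered(lease["mac"])]
    seen = {lease["mac"] for lease in active}
    # Reservations whose MAC no longer shows up: the device is probably on a
    # random MAC now and took a pool address instead of its reserved one.
    orphaned = {mac: ip for mac, ip in static_mappings.items() if mac not in seen}
    # Randomized clients holding an address out of the dynamic pool.
    pool_consumers = [lease for lease in randomized
                      if lease["ip"] not in static_mappings.values()]
    return {
        "active_leases": len(active),
        "randomized_macs": [lease["mac"] for lease in randomized],
        "randomized_hostnames": [lease["hostname"] for lease in randomized],
        "orphaned_reservations": orphaned,
        "pool_addresses_used_by_randomized": len(pool_consumers),
    }


if __name__ == "__main__":
    report = audit(parse_leases(SAMPLE_LEASES), STATIC_MAPPINGS)
    for key, value in report.items():
        print(f"{key}: {value}")
```

    On a real box, feed it `/var/dhcpd/var/db/dhcpd.leases` and the mappings from your config; a reservation listed as orphaned next to a randomized lease with the same client-hostname is the device that needs "Private Address" switched off for that SSID.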


  • @NogBadTheBad

    Also, there's no such thing as a "private" MAC. You either use whatever the hardware came with or, with some equipment, use a locally assigned MAC. Either way, it doesn't make any difference once you pass through a router.


  • Galactic Empire

    @JKnott said in Private Mac addresses in IOS14:

    @NogBadTheBad

    Also, there's no such thing as a "private" MAC. You either use whatever the hardware came with or, with some equipment, use a locally assigned MAC. Either way, it doesn't make any difference once you pass through a router.

    It's generating a random MAC per SSID.

    A2:F3:9B & 76:9E:2F from the same device with Private Addresses enabled.



  • @NogBadTheBad

    Again, the MAC address is completely irrelevant beyond the first router. So, if you're running your own router, not even your ISP will see your phone's MAC address. The snooping must be done no later than that first router. It's definitely tinfoil hat time!


  • LAYER 8 Global Moderator

    While it is possible that use of a different MAC (what Apple is calling "private") could cause you issues with your local controls, be it a captive portal, or DHCP reservations not working so you can filter or route specific IPs based upon that device always getting the same IP via its reservation.

    The privacy aspect of this is really meant for when you bounce around using different Wi-Fi networks. So for example you use the same MAC at Starbucks as you do at McDonald's - from this it would be possible for "someone" to know that hey, the same device was both at Starbucks and McDonald's.. While this MAC doesn't really tell them who the person was - from info given to, say, access the captive portal, it could allow for tracking of Billy across multiple networks - if the operators/owners of these networks share information about what MAC addresses are accessing their network.

    As mentioned a few times already - MACs are only seen at the L2 you are directly connected to.

    For control and routing of these devices on your own local network, I would suggest you disable use of these so-called "private" MACs on your own local networks. So that your DHCP assignments still work, and captive portals and/or policy routing function how you want them to.


  • Galactic Empire

    @JKnott said in Private Mac addresses in IOS14:

    @NogBadTheBad

    Again, the MAC address is completely irrelevant beyond the first router. So, if you're running your own router, not even your ISP will see your phone's MAC address. The snooping must be done no later than that first router. It's definitely tinfoil hat time!

    Not sure why you keep saying this; what Apple terms private MAC addresses are really only designed to be used away from home.

    It's really only of use when you are using free Wi-Fi and don't want your MAC address to be registered whenever you connect away from home.


  • Netgate Administrator

    Yeah, this could be painful initially when those devices send a different MAC, but it's not random every time they connect back to the same SSID.

    Android does this now too: https://source.android.com/devices/tech/connect/wifi-mac-randomization

    Steve



  • @stephenw10

    I just checked my Pixel 2 with my guest SSID and see it does use a random MAC for new SSIDs. However, anything I had set up on previous phones uses device MAC. I hadn't even known about that setting.


  • Netgate Administrator

    Ah that's good to know.

    It was also unclear if it does this now by default on either OS, but I think it does.

    Steve



  • @stephenw10

    My Pixel 2 with Android 10 has it, but not my Asus tablet with Android 7. Random is default, except for previously configured connections. So, any that were inherited from my Nexus 5 use the device MAC.



  • @stephenw10 said in Private Mac addresses in IOS14:

    It was also unclear if it does this now by default on either OS, but I think it does.

    It's certainly turned on by default on my iPad Pro and iPhone 11 Max.



  • @Vollans said in Private Mac addresses in IOS14:

    @stephenw10 said in Private Mac addresses in IOS14:

    It was also unclear if it does this now by default on either OS, but I think it does.

    It's certainly turned on by default on my iPad Pro and iPhone 11 Max.

    I upgraded last night just to see what it's about ... seems like much ado about nothing, even if turned on by default.


  • LAYER 8 Global Moderator

    Yeah, not sure who it would cause a headache for - other than someone that doesn't understand how DHCP reservations work..

    So it turned it on for networks your phone had already been connected to?



  • @johnpoz said in Private Mac addresses in IOS14:

    So it turned it on for networks your phone had already been connected to?

    My understanding is it picks a new random MAC when connecting to a new SSID. It shouldn't change when you connect again.



  • @johnpoz Yes, my pre-existing learnt networks have it switched on automatically. For me, that's not a problem.


  • LAYER 8 Netgate

    Apple seems to have a pretty good POLA violation on their hands here, IMHO. Considering it uses the same MAC address every time it connects to the same network it shouldn't break things like Captive Portals or DHCP pools. But static mappings, etc will certainly break.

    The user should have at least been asked if they want new MAC addresses for existing networks, while the blank stares at the screen from the majority would be funny to montage.


  • LAYER 8 Global Moderator

    @Derelict said in Private Mac addresses in IOS14:

    The user should have at least been asked

    Yeah no shit ;) First thing I had to go and turn off on my 3 Apple devices as I updated them to 14 the other day.. Not a peep from the thing that it was doing this..

    Why do these OS makers continue to treat their users like idiots.. The last sort of thing that was pissing me off is Windows with its update to 2004.. Just saying your machine is not ready -- well why the F not?? Clearly you know why it's not updating, because you're not letting it... But what is the specific reason.. So possibly it can be corrected.

    Finally had to just do a freaking clean install.. Works fine..


  • LAYER 8 Netgate

    @johnpoz said in Private Mac addresses in IOS14:

    Why do these OS makers continue to treat their users like idiots..

    🤔



  • @johnpoz said in Private Mac addresses in IOS14:

    Why do these OS makers continue to treat their users like idiots..

    Maybe because they bought iPhones. 😉 <ducking>

    With Android, it appears to generate a random MAC when first connected to an SSID and then use it for all future connections.


  • Galactic Empire

    @JKnott said in Private Mac addresses in IOS14:

    @johnpoz said in Private Mac addresses in IOS14:

    Why do these OS makers continue to treat their users like idiots..

    Maybe because they bought iPhones. 😉 <ducking>

    With Android, it appears to generate a random MAC when first connected to an SSID and then use it for all future connections.

    LOL no ****, it's in the interest of Google to be able to track you by MAC address whenever you join a Wi-Fi network; if the MAC stays consistent per SSID they are sorted.


  • Netgate Administrator

    Both Android and iOS appear to do the same for new networks; use a random MAC but then keep using it for re-connections to that same network.
    The only thing that seems unclear is their behaviour when connecting to already known networks.
    It seems iOS is using a random MAC there too potentially breaking stuff.
    Android seems to retain the real MAC for existing networks as reported above.

    Steve

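    The per-SSID behaviour stephenw10 summarises above (a random address that stays fixed for reconnections to the same network), and the cross-venue tracking johnpoz described earlier in the thread, modelled in Python as an added example that is not Apple's or Google's code. The derivation follows the shape of the "persistent randomization" the linked AOSP page describes, a stable address derived per SSID from a per-device secret; the HMAC-SHA256 construction, the device secret, the venue names and the association logs are all assumptions made for this example.

```python
"""Model of per-SSID MAC randomization and what it does (and does not)
hide from Wi-Fi operators.

Added example; not Apple's or Google's implementation. The shape follows
Android's persistent randomization (a stable random MAC per SSID derived
from a device secret); the HMAC construction, the secret, the venue names
and the logs below are assumptions for illustration.
"""
import hashlib
import hmac
import secrets


def per_ssid_mac(device_secret: bytes, ssid: str) -> str:
    """Derive a stable, locally administered unicast MAC for one SSID.

    Same secret + same SSID -> same MAC on every reconnection;
    different SSID -> an unrelated MAC. The first octet is masked so the
    U/L bit is 1 and the I/G bit is 0, like the A2:.. and 76:.. addresses
    quoted in the thread.
    """
    digest = hmac.new(device_secret, ssid.encode("utf-8"), hashlib.sha256).digest()
    octets = bytearray(digest[:6])
    octets[0] = (octets[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in octets)


def hardware_mac_log(hw_mac: str, venues: list) -> list:
    """Constructed association records (venue SSID, client MAC) for one
    device that still uses its burned-in address everywhere."""
    return [(venue, hw_mac) for venue in venues]


def randomized_log(device_secret: bytes, venues: list) -> list:
    """Same device, same visits, but with private addresses switched on."""
    return [(venue, per_ssid_mac(device_secret, venue)) for venue in venues]


def correlate(logs: list) -> dict:
    """What a party that pools several venues' logs can learn: every MAC
    seen at more than one venue, with the venues it links together."""
    seen = {}
    for venue, mac in logs:
        seen.setdefault(mac, set()).add(venue)
    return {mac: venues for mac, venues in seen.items() if len(venues) > 1}


def visits_per_venue(logs: list) -> dict:
    """What a single venue's operator still sees: the same stable MAC on
    every return visit, so a returning device is recognisable even with
    private addresses on."""
    counts = {}
    for venue, mac in logs:
        counts[(venue, mac)] = counts.get((venue, mac), 0) + 1
    return counts


if __name__ == "__main__":
    device_secret = secrets.token_bytes(32)   # generated once per device
    visits = ["Starbucks-Guest", "McDonalds-Free-WiFi", "Starbucks-Guest"]
    print("hardware MAC, pooled logs:", correlate(hardware_mac_log("f0:18:98:01:02:03", visits)))
    print("per-SSID MAC, pooled logs:", correlate(randomized_log(device_secret, visits)))
    print("per-SSID MAC, one venue:  ", visits_per_venue(randomized_log(device_secret, visits)))
```

    The two `correlate` calls are the whole privacy argument: with the burned-in address the pooled logs tie the Starbucks and McDonald's visits to one device, with per-SSID addresses they do not. `visits_per_venue` is the caveat NogBadTheBad raises: the operator of one SSID still sees the same address come back each visit.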


  • @stephenw10

    Yes, when I got my Pixel 2 and synced it to my previous phone, it also received my WiFi connections. They use the hardware MAC. A connection I set up a couple of weeks ago uses the random number.



  • It is so funny to see some Netgate forum members always bring up TIN FOIL HAT every time someone asks or says something about privacy & security.

    @bcruze, MAC Private Address is just a layer of security. The same as the T2 chip and the read-only system volume in Catalina. Apple is aware that their previous devices were an easy target for hacking. Not to mention the leaking on Intel chip issue.



  • Security and Privacy are not the same thing. Just saying...



  • @jwj said in Private Mac addresses in IOS14:

    Security and Privacy are not the same thing. Just saying...

    Let me explain the differences between them;

    Security = Protection of a person, building, organization, or country against threats such as crime or attacks.

    Privacy = Someone's right to keep their personal matters and relationships secret.

    Everyone has the right for security and privacy.



  • @AKEGEC

    Interested in your thoughts about things like:

    Random MAC addresses may prevent you from being identified across public Wi-Fi networks (at the mall or airport, in Whole Foods), but that is small comfort when your cell service provider is handing over location data in bulk, with little or no legal process, to any interested party.

    Targeted exploits are rare. The bad actors don't care about you unless you are a celebrity or other notable individual. It's much more likely, however, that you will get caught up in an exploit of some widely used service or device. It's not personal ;)

    Risk vs Benefit. It shouldn't be as hard as it is to work that analysis through. It's understandable that a lot of people spend at least some amount of time in tin foil hat territory.

    I've been intentionally vague to facilitate conversation. Of course I would prefer to not have Amazon preventing me from using my cell provider's network while in Whole Foods AND my cell provider to not be coughing up my location data.

    I'm certain that I do regularly suffer from cognitive distortions and well informed conversation is the best way to mitigate that.


  • LAYER 8 Netgate

    @jwj said in Private Mac addresses in IOS14:

    Of course I would prefer to not have Amazon forcing me onto their network in Whole Foods

    Forcing?



  • @Derelict said in Private Mac addresses in IOS14:

    @jwj said in Private Mac addresses in IOS14:

    Of course I would prefer to not have Amazon forcing me onto their network in Whole Foods

    Forcing?

    Yup. They block cell signals. I've never been able to get a cell signal inside a Whole Foods. If you want to use your Prime account you have no choice but to use their Wi-Fi network. So, point taken, I could just pay full price and not access their network.

    I'm not an RF engineer, but it appears to be passive blocking (Faraday cage). Step outside the building and I get a full strength signal.


  • LAYER 8 Global Moderator

    I don't really recall noticing this the last time I was in a Whole Foods.. Last time was before COVID.. Quite often stop at their in-store taverns.. Tuesday is $2 bottle and can day at their in-store bars.. And they normally have a decent selection..

    So I stop there after work many a Tuesday for a couple of cold ones ;)

    But sure, it behooves stores like this to control your internet access while you're in the store; it can prevent you from doing price compares, etc. Or at least make it way more difficult - since hey, odd how you can't get to store xyz's site while on the Whole Foods wifi ;)

    The problem could also be that cell coverage in the middle of a HUGE store might just be spotty? But I do believe Amazon a few years back had a patent on such a thing as controlling people's internet access in their stores..

    But force is prob not the right word, more like direct you to their connection ;) Nothing says you can't just leave your phone at home or in the car, or just turn it off, or put it in airplane mode, etc.



  • @johnpoz said in Private Mac addresses in IOS14:

    I don't really recall noticing this the last time I was in a Whole Foods.. Last time was before COVID.. Quite often stop at their in-store taverns.. Tuesday is $2 bottle and can day at their in-store bars.. And they normally have a decent selection..

    So I stop there after work many a Tuesday for a couple of cold ones ;)

    But sure, it behooves stores like this to control your internet access while you're in the store; it can prevent you from doing price compares, etc. Or at least make it way more difficult - since hey, odd how you can't get to store xyz's site while on the Whole Foods wifi ;)

    The problem could also be that cell coverage in the middle of a HUGE store might just be spotty? But I do believe Amazon a few years back had a patent on such a thing as controlling people's internet access in their stores..

    As I remember, Best Buy was doing that at some point in time. Blocking access to mitigate using Best Buy stores as an Amazon showroom. Haven't been in a Best Buy in a dog's age so I can't comment on the current situation.


  • LAYER 8 Global Moderator

    @jwj said in Private Mac addresses in IOS14:

    using Best Buy stores as an Amazon showroom

    hehehe - yeah, this is true.. Oh, let's go see how the picture looks on TV xyz - then just order it on Amazon for X $ cheaper ;)


  • LAYER 8 Netgate

    @jwj Force is still a strong word. If you don't like their policies don't shop there.



  • @Derelict said in Private Mac addresses in IOS14:

    @jwj Force is still a strong word. If you don't like their policies don't shop there.

    Maybe you missed the part where I said I got your point. I'll repeat it here: "So, point taken, I could just pay full price and not access their network."


  • LAYER 8 Global Moderator

    Yeah, persuade, direct or nudge might be better terms vs force ;)

    I can still just use them as an Amazon showroom... Without any internet access there, just know beforehand what I want to look at.. Go look at them, and then order or not when I get home.

    Saving a nickel on the all-natural peanut butter though - this really is heavy-handed forcing if you ask me ;) hehehe



  • @johnpoz said in Private Mac addresses in IOS14:

    Yeah, persuade, direct or nudge might be better terms vs force ;)

    I can still just use them as an Amazon showroom... Without any internet access there, just know beforehand what I want to look at.. Go look at them, and then order or not when I get home.

    Saving a nickel on the all-natural peanut butter though - this really is heavy-handed forcing if you ask me ;) hehehe

    Cost-Benefit. On a personal level: natural peanut butter? Yuck ;)


  • Netgate Administrator

    Security vs convenience, the eternal trade-off. 😉

