A new wrinkle from Apple

Not a request for support, rather an observation I made. I had not seen any mention of this situation so I’m posting my experience here in hopes it just might help someone.

I just upgraded my wife’s iPhone to 11 Pro. Had a problem connecting it to my home WIFI.

I use a white list on my router so that if the MAC address of a device is not in the list, you are not able to make a connection. Apple has added a piece of information to that available on the phone. They call it a WiFi Address rather than a MAC address. As it is in the same format as a MAC address, I just thought it was the MAC address and was typical of Apple to use their idea of what should be named what.

So, I shut down my white list and allowed the new phone to connect, looked at the network map and determined what the actual MAC address was, (it was not what the phone said it was) added it to my white list and that was that. I thought. I called Apple support and told them about the “Problem” and was told they were aware of it and that reports were closed.

When an update of IOS became available, it was installed on my iPhone 10s. The same problem occurred on my iPhone. So, I repeated the process I used on my wife’s phone and was able to connect again. I could not understand why the number shown on the phone and the number actually used were different but figured, as support seemed to be aware of the problem, they would fix it eventually.

Then, I added the MAC address of my phone to the access point in my garage and was confused when it was not allowed to make a connection. Shutting down the white list on that router showed that my phone was using a different MAC address on that router. It was then that I figured out something was going on that didn’t know about.

Turns out that Apple has added an anti-tracking addition to their phones that spoof the MAC address to show a unique address for each network. I applaud them for that addition even though it makes a little more work to dig out the needed information to access my network. That’s also why they call it a WiFi Address I suppose.

There is a switch in the settings that allow you to turn it off, and I guess that would force the phone to use the address shown for all networks, but I didn’t try it as I really like the idea of one more little step in defeating web site tracking.

So that’s my little story and I’m glad I figured out what’s going on as I just ordered an iPhone 12 Pro and will have to go over all this again when it gets here.

Bart

I can’t comment on apples. However, it is my understanding that MAC-randomization is supported by recent NetworkManager releases. So it probably isn’t restricted to apples.

I applaud some kind of MAC randomization,
Spoofing MAC addresses is one of the easier things to do if the WiFi WPA can be hacked which is why MAC address whitelisting has not been a recommended action for a long time now (although anything is usually better than nothing. Just don’t rely on it.)

TSU

Are you saying that even with a 16 character password my wifi system could be had?
and, if so, wouldn’t it take some time to discover a valid MAC address?

And, do I understand that using a whitelist is pretty much a waste of time?

Bart

So, what’s the worst case?

• Spoofing MAC addresses or,
• using password strength to limit access to the WLAN?

If anyone tries spoofing the MAC address then, they still have to crack the WLAN’s password …
[HR][/HR]Does this mean that, we should regularly change the WLAN password or, at least change the WLAN password when we notice that someone is attempting to access our WLANs without being invited to do so?

Actually, they’d have to crack the password first. With 16 random characters, they’d have to brute force it and that would take some time. Then, they’d have to come up with a MAC address that is in my list, which is fairly small. I think that would take a lot of time too. I really don’t think I’m a rich enough target to warrant the effort.

Bart