Firewalla mis-identifying devices with randomised MAC addresses
Both a minor bug report and an FYI for anyone else seeing this: I recently got a Firewalla alert saying that a Sonos device had joined the network when there definitely isn't anything Sonos around here. Specifically, there were two new devices:
- Sonos: EA:BE:A7:E3:AC:AB
- iPhone: 62:8F:5D:50:E6:41
The Firewalla correctly identified the second as an iPhone, but the first is another MAC-randomised iPhone. This problem is caused by the fact that some vendors have registered MAC addresses with the locally-administered bit in the OUI set (you can see this from the second hex digit in the OUI: if it's a 2, 6, A, or E, then the bit is set). This is also used to signal MAC address randomisation, so when Sonos registered a non-globally-unique OUI (https://macaddress.io/macaddress/EA:BE:A7), they ended up being part of the randomised-MAC-address space.
For Firewalla users: If you see a device that shouldn't be on your network suddenly turn up, check the second hex digit to see if it's a vendor who has registered a non-public OUI as a public (globally unique) OUI.
For Firewalla devs: Unless you've got additional fingerprinting to definitely identify a device using a non-unique OUI, perhaps report it as "Randomised address, possibly Sonos" or something similar... although that makes it look like a randomised-address Sonos device, maybe there's a better way to say it.
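
One way to implement the check described in the post, as an added example (not Firewalla's code or the poster's). The function names, the label wording and the one-entry OUI table are assumptions; a real tool would load the full IEEE registry.

```python
import re

# Constructed one-entry sample of an OUI registry. The EA:BE:A7 -> Sonos
# mapping is the one cited in the post; everything else is left out.
SAMPLE_OUI_TABLE = {"EABEA7": "Sonos"}


def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':', '-', '.' or no separators."""
    digits = re.sub(r"[:.\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_locally_administered(mac):
    # U/L bit is 0x02 of the first octet. For unicast addresses this is why
    # the second hex digit is 2, 6, A or E.
    return bool(mac[0] & 0x02)


def is_multicast(mac):
    # I/G bit is 0x01 of the first octet; set means a group address.
    return bool(mac[0] & 0x01)


def label_device(text, oui_table=SAMPLE_OUI_TABLE):
    """Label a MAC without trusting a vendor match on a locally administered OUI."""
    mac = parse_mac(text)
    vendor = oui_table.get(mac[:3].hex().upper())
    if is_multicast(mac):
        return "Group (multicast) address, not a single device"
    if is_locally_administered(mac):
        base = "Locally administered (likely randomised) address"
        # The vendor is only a hint here: the prefix overlaps the space
        # that randomising clients draw their addresses from.
        return f"{base}; OUI also registered to {vendor}" if vendor else base
    return vendor or "Unknown vendor"


if __name__ == "__main__":
    # The two addresses from the post.
    for addr in ("EA:BE:A7:E3:AC:AB", "62:8F:5D:50:E6:41"):
        print(addr, "->", label_device(addr))
```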