Firewalla mis-identifying devices with randomised MAC addresses
Both a minor bug report and an FYI for anyone else seeing this: I recently got a Firewalla alert saying that a Sonos device had joined the network when there definitely isn't anything Sonos around here. Specifically, there were two new devices:
- Sonos: EA:BE:A7:E3:AC:AB
- iPhone: 62:8F:5D:50:E6:41
The Firewalla correctly identified the second as an iPhone, but the first is another MAC-randomised iPhone. This problem is caused by the fact that some vendors have registered MAC addresses with the locally-administered bit in the OUI set (you can see this from the second hex digit in the OUI: if it's a 2, 6, A, or E then the bit is set). This is also used to signal MAC address randomisation, so when Sonos registered a non-globally-unique OUI, https://macaddress.io/macaddress/EA:BE:A7, they ended up being part of the randomised-MAC-address space.
For Firewalla users: If you see a device that shouldn't be on your network suddenly turn up, check the second hex digit to see if it's a vendor who has registered a non-public OUI as a public (globally unique) OUI.
For Firewalla devs: Unless you've got additional fingerprinting to definitely identify a device using a non-unique OUI, perhaps report it as "Randomised address, possibly Sonos" or something similar... although that makes it look like a randomised-address Sonos device, maybe there's a better way to say it.
-
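The second-hex-digit check described in the post above, as an added example that is not part of the original thread and not Firewalla's code. The one-entry OUI table is constructed from the address in the post; the function names and the label used when no registry entry matches are assumptions.

```python
import re

# Constructed sample registry holding only the OUI named in the post.
# A real check would load the full IEEE registry (assumption).
SAMPLE_OUI_REGISTRY = {"EABEA7": "Sonos"}

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}([:-]?[0-9A-Fa-f]{2}){5}$")


def parse_mac(mac: str) -> bytes:
    """Return the six octets of a MAC written with ':', '-' or no separators."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(re.sub(r"[:-]", "", mac))


def is_locally_administered(octets: bytes) -> bool:
    # U/L bit is 0x02 of the first octet. For unicast addresses this is the
    # "second hex digit is 2, 6, A or E" rule from the post.
    return bool(octets[0] & 0x02)


def is_multicast(octets: bytes) -> bool:
    # I/G bit is 0x01 of the first octet (second hex digit is odd).
    return bool(octets[0] & 0x01)


def describe(mac: str, registry=SAMPLE_OUI_REGISTRY) -> str:
    """Label a MAC without trusting a vendor match when the local bit is set."""
    octets = parse_mac(mac)
    vendor = registry.get(octets[:3].hex().upper())
    if is_multicast(octets):
        return "Group address, not a device identity"
    if is_locally_administered(octets):
        if vendor:
            # Registered OUI that overlaps the randomised-address space.
            return f"Randomised address, possibly {vendor}"
        return "Locally administered address (likely randomised)"
    return vendor or "Unknown vendor"


if __name__ == "__main__":
    # The two addresses from the post.
    for addr in ("EA:BE:A7:E3:AC:AB", "62:8F:5D:50:E6:41"):
        print(addr, "->", describe(addr))
```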
@Sergio It's normal to see some manufacturers using random MAC addresses, but it's not often that they would use any registered OUI. Did you hit the same issue with Dave? If it still happens, we would like to look inside. Please email help@firewalla.com.