iOS 14
-
Updated an ipad pro and iphone x to ios 14 today.
The iPad was the worst. Suddenly, an additional 2 iPads were added to FW with new LAN addresses. Also, something labelled "Intel corp". Also, Pinterest started begging to have its password reset. Meanwhile, the Wi-Fi connection was broken.
What the ....heck?
The issue is, the new update is changing the MAC address to something completely different as a security measure. However, it also appears FW assigns LAN addresses at least in part by MAC address, but doesn't auto-delete the device with the old address.
As figured out now: going to iOS Settings/Wi-Fi, tapping the little "i", finding "Private Address", then sliding it to off seems to fix the problem.
Then delete the additional ghost devices from FW.
A rotating MAC address is a good thing. I think FW should be updated to accommodate this feature.
I am using FW beta including the PC interface feature.
-
@john this is working as I’d expect.
As you know, the "new" iPads are yours with private MAC addresses. iOS defaults to private random MAC addresses so your device can't be traced when you go from network to network. The random MAC address iOS creates may look like it belongs to some other manufacturer (like Intel) or may be "Generic" from what I've seen so far.
The MAC address is how Firewalla identifies your device. When iOS gives a "private" MAC, Firewalla can't tell it is the same device as the old MAC address and, indeed, iOS will change the MAC every time you log on to the network. Firewalla should not delete the old device in such a case because it looks like this is an entirely new device, so there is no reason it should assume it is the same iPad. iOS doesn't give any indicator that this is a spoofed MAC address. Pinterest? Maybe it was just time to renew the auth token?
Maybe the WiFi issue was because you have MAC filtering on?
As you said, you can solve this by going to iOS Settings > Wi-Fi > tap the "i" to the left of your LAN Wi-Fi and turn off "Private Address". If you like, delete the phony devices in Firewalla. This should be a one-time issue per iOS device.
What would you want firewalla to do differently?
-
As of this morning, the spouse's iPad Pro seems to be working fine, with Private Address turned off. (praise jesus!)
However, the iPhone X is still whacked and seems to be generating new MAC/LAN addresses even with the Private Address feature off. Also, for some reason, when I put the phone on the charger after being turned off with the buttons, it turns itself back on AUTOMATICALLY!! Is that a feature or a bug? Then you must endure the process of seeing FW new device alerts, trying to figure out what is what, deleting ghosts and so on.
As for breaking Wi-Fi, that's actually been going on a while. It seems when people with several devices visit, FW or the router gets overloaded and simply breaks Wi-Fi until you reboot the router. So is this FW, or the router? I haven't figured that out yet.
It's early, I am going to study this today.
It seems to me the fix is for FW to adjust to all of this seamlessly. With private addresses ON.
Maybe say something like, "new mac ID device found, transfer settings, delete ghost y/n?"
But, it's early yet I need to think about this awhile.
Thanks for the super fast response Michael.
-
It's still early, but I have already had to delete, I think, 4 ghost iPhones. Private Address is turned off. (Is there a ghost MAC ID?)
I am thinking FW needs a different way to assign lan addresses.
Maybe use the local name and some other factor, not MAC.
Serial #, model, imei, meid, a password, something.
-
There is no way to prevent changing MAC addresses (besides the quarantine new device feature). The MAC address is the only thing that's unique to each device. This is in fact the same problem that enterprises face as well; bring your own device (BYOD) is likely messing up the system there.
-
Fair point.
Why must FW use only the MAC address to assign the LAN address, however?
Why not something else? Maybe 2 or even 3 identifiers?
So then, when the MAC changes, FW goes to assign a LAN address, but also reads 2/3 other identifiers like the assigned LAN name and serial number, and if they are already in the system, gives the user a choice to keep the already assigned LAN address or obtain a new address?
What identifiers can FW read, now?
I don't do networking, so if this sounds lame, I apologize.
-
After less than one day of the alarms popping up with "new" devices, trying to figure out which of the several iOS devices is actually active, seeing all my rules and settings for iOS devices vanish... I am thinking:
This is NOT acceptable and not reasonable.
I am probably going to pull it later today for a little peace and quiet.
BTW, iOS 14 is doing some new stuff too. Like if you push both buttons and slide to off, within 30 seconds it turns itself back on if you connect it to a charger. I am not kidding. Is it a 'feature' or a 'bug'? I am not sure. In my view it's a huge security risk. Why should any device turn itself on without input from the user??? There is more, too.
Honestly, this needs to be fixed, and by that I mean handle rotating MACs seamlessly without requiring user intervention. It's up to you guys how to figure that out.
-
@john MAC addresses are supposed to be unique identifiers set by a manufacturer. Fake or "spoofed" ones are not new in general. This is often a feature modems have, for example, usually for legitimate purposes.
Because they are typically not easily spoofed in mobile devices, advertisers and other bad actors have used them for tracking purposes. Facebook and others watch where you go, store by store, and can sell that information.
In response, Apple (and Android, I believe) have added privacy protection with the ability to automatically spoof MAC addresses so that once every day, if you join a Wi-Fi point, it will be a new address. So if you go to Bed, Bath & Beyond today it will look like one address and tomorrow a totally different device. From a privacy perspective, this is awesome.
On iOS if you turn off private address the real MAC address will be used and it should be like iOS 13. Firewalla will recognize your phone as expected. I have several devices set that way for several days and am not seeing any issues. Firewalla also looks up the manufacturer of the device from the MAC address. You can see what’s available https://maclookup.app
The idea is to turn off private address for any network that you really trust like your home. I would leave it on everywhere else. This should solve your issue. No more alarms or fake new devices at home. You only have to do this once for your home network on the iOS side.
In my opinion, Firewalla shouldn't do anything related to device names. That would undermine any security. Imagine they trusted device names. Someone who knows where I live and my name could guess my phone is called "Michael's iPhone". Not a hard guess. Now they can do what they want on my network. And if my kids want to break parental controls, just rename their device! This would provide no security at all and make Firewalla complete trash. A combination of MAC address and device name wouldn't help, since that would give you the same problem you are complaining about.
The other feature I mentioned above is a request from several firewalla users that would allow any new unrecognized device to say, have internet access but no LAN access like a guest network. This would be nice for guests for example.
Hope that is of some help.
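One thing the posts above leave implicit is that a randomized MAC is not entirely indistinguishable from a vendor-assigned one: IEEE 802 reserves bit 1 of the first octet as the "locally administered" flag, and the randomized addresses that mobile operating systems generate set that bit, which is also why the OUI lookup on such an address returns an unrelated or unknown vendor. The script below is an added example, not Firewalla's code or anything from the original thread. It parses a device list, classifies each MAC as universal, locally administered or multicast, and pairs randomized entries with the stable entry that shares the same hostname so the "ghost" devices discussed in this thread can be triaged. The device list is constructed for the example; the MAC values, hostnames and IPs are assumptions, not real devices.

```python
# Added example: classify MAC addresses by their IEEE 802 flag bits and
# report hostnames that appear with both a vendor-assigned (universal) MAC
# and one or more locally administered (typically randomized) MACs.
# Not Firewalla code; the sample device list below is constructed.
import re
from dataclasses import dataclass
from typing import Dict, List

# Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff, any case.
MAC_RE = re.compile(
    r"^([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]"
    r"([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})[:-]([0-9A-Fa-f]{2})$"
)


def parse_mac(mac: str) -> bytes:
    """Return the six address bytes, or raise ValueError on malformed input."""
    m = MAC_RE.match(mac.strip())
    if not m:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(g, 16) for g in m.groups())


def is_multicast(mac: str) -> bool:
    # Bit 0 of the first octet: 1 = group/multicast, 0 = individual/unicast.
    return bool(parse_mac(mac)[0] & 0x01)


def is_locally_administered(mac: str) -> bool:
    # Bit 1 of the first octet: 1 = locally administered (no IEEE OUI behind it),
    # 0 = universally administered (first three octets are a vendor OUI).
    return bool(parse_mac(mac)[0] & 0x02)


def classify(mac: str) -> str:
    if is_multicast(mac):
        return "multicast"
    return "locally-administered" if is_locally_administered(mac) else "universal"


def oui(mac: str) -> str:
    """Upper-case OUI prefix; only meaningful for 'universal' addresses."""
    b = parse_mac(mac)
    return "%02X:%02X:%02X" % (b[0], b[1], b[2])


@dataclass
class Device:
    name: str   # hostname as seen by the firewall (DHCP option 12 or similar)
    mac: str
    ip: str


def ghost_report(devices: List[Device]) -> Dict[str, Dict[str, List[str]]]:
    """For every hostname seen with more than one MAC where at least one is
    locally administered, return the stable and the randomized MACs.
    The hostname is an untrusted, user-settable string: this is a triage aid
    for cleaning up duplicate entries, not an identity check."""
    by_name: Dict[str, List[Device]] = {}
    for d in devices:
        by_name.setdefault(d.name, []).append(d)
    report: Dict[str, Dict[str, List[str]]] = {}
    for name, entries in by_name.items():
        randomized = [d.mac for d in entries if classify(d.mac) == "locally-administered"]
        stable = [d.mac for d in entries if classify(d.mac) == "universal"]
        if len(entries) > 1 and randomized:
            report[name] = {"stable": stable, "randomized": randomized}
    return report


# Constructed sample: one phone seen three times (vendor MAC plus two private
# addresses), one tablet and one printer seen once each. Assumed values.
SAMPLE_DEVICES = [
    Device("John's iPhone", "00:11:22:33:44:55", "192.168.1.20"),
    Device("John's iPhone", "da:1f:3c:91:02:77", "192.168.1.57"),
    Device("John's iPhone", "6e:a3:0b:44:19:c2", "192.168.1.58"),
    Device("Spouse iPad",   "00:11:22:33:44:66", "192.168.1.21"),
    Device("printer",       "00:aa:bb:cc:dd:ee", "192.168.1.30"),
]

if __name__ == "__main__":
    for d in SAMPLE_DEVICES:
        print(f"{d.ip:15} {d.mac}  {classify(d.mac):21} {d.name}")
    for name, r in ghost_report(SAMPLE_DEVICES).items():
        print(f"{name}: keep {r['stable']}, likely ghosts {r['randomized']}")
```

The first-octet test is the same heuristic most network-monitoring tools use to label an address "randomized" or "private". It tells you that a vendor lookup is pointless for that entry; it does not tell you which physical device is behind it, so the pairing by hostname is only a cleanup hint, consistent with the point above that device names must not be used for policy.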
-
I've been on the iOS 14 beta and general release and have not experienced any of the issues described here. In my FW Gold setup almost all my devices belong to a group. All my iOS and personal devices are in a group called 'Personal Devices' and have certain rules applied to those devices, like blocking porn and Safe Search.
For the people experiencing issues with the 'new devices' showing up: do you have those devices in a group? If not, what if you did? Would that make a difference?
-
Rolando, I can assure you multiple new devices are created all day. For example, if you turn the device off, then on, bingo, new device created, sometimes noted as "unknown" because the MAC is randomized. Maybe it's done on some timetable I haven't deciphered yet. But... IT happens.
With "Private Address" turned off, however, the device seems to retain the original LAN address and rules, but a new ghost device is created in the app. I am not 100% on that, however.
I just put my iOS devices in a separate group, called "iOS". If that works to get around the problem you deserve a medal for finding it.
I have read this issue is creating problems with Cisco hardware and certain network monitor apps also. It's not just FW. Just about any app that needs MAC to work is a potential problem.
-
My experience,
With Private Address off, and the iPhone X in a group, rebooting yields the phone retaining the original LAN address, but creating a new device and alarm in the FW app.
With Private address ON, and the phone in a group, rebooting yields the phone being reassigned a new LAN address, new device on FW and retention of the original device listing on FW.
Is there a way FW could determine which are ghost devices and delete them automatically?
In general, for your devices used at home you want to leave Private Address off and put them in a FW group for any Wi-Fi radio at home. Delete alarms and ghosts as they appear.
-
@Rolando I don't see what a group has to do with anything. If Firewalla sees a device with a MAC it doesn't recognize it is going to create a new device. It won't know that that device belongs in a group that you had set up with a different MAC address. I believe this is a red herring.
-
Out of curiosity, if you have the privacy button on and are connected to your home network, did that MAC change in the past few days? Ours didn't... (in the beta phases we saw changes; it seems Apple now sticks one MAC to one SSID... which is like Android... which means the problem of the randomized MAC will only happen once.)
-
According to Apple's support document, the MAC will not change once configured for that network; the MAC just will not identify the device manufacturer, and it can change if you reset network settings.
-
So I thought the private addresses were generated once/24 hours. This suggests not.
“To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.”
https://support.apple.com/en-us/HT211227
That would suggest that once the device is on the network it will keep the private address. I personally don't think that goes far enough, but it does match what some of you are seeing. Once I tried the private address I turned it off and things have been working as I wanted them to. I don't see why anyone should want the private address setting on at home.
-
According to Fing, it isn't stable and it isn't once per 24 hours, but random. https://www.fing.com/news/private-mac-address-on-ios-14