iOS 14

Comments

43 comments

  • Rolando Nispiros

    Thanks, I'll keep an eye out on that. So far I haven't experienced this and I've been on iOS 14 since the public betas.

  • Firewalla

    @andy, are you using the GM or the beta version? We are testing to see if the final version got rid of this behavior ... or NOT ...

  • Andy brown

    I had the beta iPadOS and I didn’t have a problem. But I downloaded the iOS and iPadOS general release, and that’s when it started.

  • Firewalla

    Happened to us too. We are waiting to see if the MAC changes again ... Kids must love this feature :)

  • Michael Bierman

    Ugh! @andy did the iOS/iPadOS UI show that Private Address wasn't staying deselected? 

  • John

    Updated an iPad Pro and iPhone X to iOS 14 today.

    The iPad was the worst. Suddenly, an additional 2 iPads were added to FW with new LAN addresses. Also, something labeled "Intel corp". Also, Pinterest started begging to have its password reset. Meanwhile, the WiFi connection was broken.

    What the ....heck?

    The issue is, the new update is changing the MAC address to something completely different as a security measure. However, it also appears FW assigns LAN addresses at least in part by MAC address. But it doesn't auto-delete the device with the old address.

    As figured out now, going to iOS Settings/WiFi, then tapping the little "i", finding "Private Address", then sliding it to off seems to fix the problem.

    Then delete the additional ghost devices from FW. 

    A rotating MAC address is a good thing. I think FW should be updated to accommodate this feature.

    I am using FW beta including the PC interface feature. 

  • Michael Bierman

    @john this is working as I’d expect.

    As you know, the “new” iPads are yours with private MAC addresses. iOS defaults to private random MAC addresses so your device can’t be traced when you go from network to network. The random MAC address iOS creates may look like it belongs to some other manufacturer (like Intel) or may be “Generic” from what I’ve seen so far.

    The MAC address is how Firewalla identifies your device. When iOS gives a “private” MAC, Firewalla can’t tell it is the same device as the old MAC address and, indeed, iOS will change the MAC every time you log on the network. Firewalla should not delete the old device in such a case because it looks like this is an entirely new device, so there is no reason it should assume it is the same iPad. iOS doesn’t give any indicator that this is a spoofed MAC address.

    Pinterest? Maybe it was just time to renew the auth token?

    Maybe the WiFi issue was because you have MAC filtering on?

    As you said, you can solve this by going to iOS Settings > WiFi > click on the “I” to the left on your LAN WiFi and turn off “private address”. If you like, delete the phony devices in Firewalla. This should be a one time issue per iOS device.

    What would you want Firewalla to do differently?

  • Michael Bierman

    @firewalla obviously this does make the “new device purgatory” really important. I don’t know yet if I can stop the kids from using private MAC addresses. If I can’t, then Firewalla parental controls are worthless.

  • John

    As of this morning, the spouse's iPad Pro seems to be working fine, with private address turned off. (praise jesus!)

    However, the iPhone X is still whacked and seems to be generating new MAC/LAN addresses even with the private address feature off. Also, for some reason, when I put the phone on the charger, after being turned off with the buttons, it turns itself back on AUTOMATICALLY!! Is that a feature or a bug? Then you must endure the process of seeing FW new device alerts, trying to figure out what is what, deleting ghosts and so on.

    As for breaking WiFi, that's actually been going on awhile. It seems when people with several devices visit, FW or the router gets overloaded and simply breaks WiFi until you reboot the router. So is this FW, or the router? I haven't figured that out yet.

    It's early, I am going to study this today.

    It seems to me the fix is for FW to adjust to all of this seamlessly. With private addresses ON.

    Maybe say something like, "new mac ID device found, transfer settings, delete ghost y/n?"

    But, it's early yet I need to think about this awhile.

    Thanks for the super fast response Michael.

  • John

    It's still early, but I have already had to delete, I think, 4 ghost iPhones. Private address is turned off. (Is there a ghost MAC ID?)

    I am thinking FW needs a different way to assign LAN addresses.

    Maybe use the local name and some other factor, not MAC.

    Serial #, model, imei, meid, a password, something.

  • Firewalla

    There is no way to prevent changing MAC address (besides the quarantine new device feature). MAC address is the only thing that's unique to each device. This in fact is the same problem that enterprises face as well; bring your own device (BYOD) is likely messing up the system there.

  • John

    Fair point. 

    Why must FW use the MAC address only to assign the LAN address, however?

    Why not something else? Maybe 2 or even 3 identifiers?

    So then, when the MAC changes FW goes to assign a LAN address, but also reads 2/3 other identifiers like assigned LAN name and serial number, and if they are already in the system, then give the user a choice to keep the already assigned LAN address or obtain a new address?

    What identifiers can FW read, now?

    I don't do networking, so if this sounds lame, I apologize.

  • John

    After less than one day of the alarms popping up with "new" devices, trying to figure out which of the several iOS devices is actually active, seeing all my rules and settings for iOS devices vanish... I am thinking:

    This is NOT acceptable and not reasonable.

    I am probably going to pull it later today for a little peace and quiet.

    BTW, iOS 14 is doing some new stuff too. Like if you push both buttons and slide to off, within 30 seconds it turns itself back on if you connect it to a charger. I am not kidding. Is it a 'feature' or a 'bug'? I am not sure. In my view it's a huge security risk. Why should any device turn itself on without input from the user??? There is more, too.

    Honestly, this needs to be fixed and by that I mean handle rotating MAC seamlessly without requiring user intervention. It's up to you guys how to figure that out.

  • Michael Bierman

    @john MAC addresses are supposed to be unique identifiers set by a manufacturer. Fake or “spoofed” ones are not new in general. This is often a feature modems have, for example, usually for legitimate purposes.

    Because they are typically not easily spoofed in mobile devices, advertisers and other bad actors have used them for tracking purposes. Facebook and others watch where you go, store by store, and can sell that information.

    In response, Apple (and Android I believe) have added privacy protection with the ability to automatically spoof MAC addresses so that once every day if you join a WiFi point it will be a new address. So if you go to Bed, Bath, & Beyond today it will look like one address and tomorrow a totally different device. From a privacy perspective, this is awesome.

    On iOS if you turn off private address the real MAC address will be used and it should be like iOS 13. Firewalla will recognize your phone as expected. I have several devices set that way for several days and am not seeing any issues. Firewalla also looks up the manufacturer of the device from the MAC address. You can see what’s available at https://maclookup.app

    The idea is to turn off private address for any network that you really trust like your home. I would leave it on everywhere else. This should solve your issue. No more alarms or fake new devices at home. You only have to do this once for your home network on the iOS side.

    In my opinion, Firewalla shouldn’t do anything related to device names. That would undermine any security. Imagine they trusted device names. Someone knows where I live and my name; they guess my phone is called “Michael’s iPhone”. Not a hard guess. Now they can do what they want on my network. And if my kids want to break parental controls, just rename their device! This would provide no security at all and make Firewalla complete trash. A combination of MAC address and device name wouldn’t help since that would give you the same problem you are complaining about.

    The other feature I mentioned above is a request from several Firewalla users that would allow any new unrecognized device to, say, have internet access but no LAN access, like a guest network. This would be nice for guests, for example.

    Hope that is of some help.

  • John

    Very helpful. 

    I will try it for awhile with Private Address OFF at home, but ON when traveling, especially shopping, etc.

    Yet, every time the MAC changes all local device rules will be lost. Again. 

  • Rolando Nispiros

    I’ve been on iOS 14 beta and general release and have not experienced any of the issues described here. In my FW Gold setup almost all my devices belong to a group. All my iOS and personal devices are in a group called ‘Personal Devices’ and have certain rules applied to those devices like blocking Porn, Safe Search.

    For the people experiencing issues with the ‘new devices’ showing up, do you have those devices in a group? If so, what if you did, would that make a difference?

  • Michael Bierman

    No, they won’t be lost. That setting is saved along with that particular access point so every time you get on your home network it will be set the same. The setting is per access point.

  • John

    Rolando, I can assure you multiple new devices are created all day. For example, if you turn the device off, then on, bingo, new device created, sometimes noted as "unknown" because the MAC is randomized. Maybe it's done on some time table I haven't deciphered yet. But,...IT happens.

    With "Private Address" turned off, however, the device, it seems, retains the original LAN address and rules, but a new ghost device is created in the app. I am not 100% on that, however.

    I just put my iOS devices in a separate group, called "iOs". If that works to get around the problem you deserve a medal for finding it.

    I have read this issue is creating problems with Cisco hardware and certain network monitor apps also. It's not just FW. Just about any app that needs MAC to work is a potential problem.

  • Rolando Nispiros

    Leaving Private Address on and rebooting the phone, I did not get any new devices on the FW. I also tried with Private Address off and didn't get any new device. Maybe because the FW has its cache on.

  • John

    My experience,

    With Private Address off, and the iPhone X in a group, rebooting yields the phone retaining the original LAN address, but creating a new device and alarm in the FW app.

    With Private Address ON, and the phone in a group, rebooting yields the phone being reassigned a new LAN address, a new device on FW and retention of the original device listing on FW.

    Is there a way FW could determine which are ghost devices and delete them automatically?

    In general, for your devices used at home you want to leave Private Address off and put them in a FW Group for any WIFI radio at home. Delete alarms and ghosts as they appear.

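Added example, not part of the thread and not Firewalla's code: a randomized private address is a unicast MAC with the locally administered bit (0x02 of the first octet) set, so a device inventory can be screened for such entries. The sketch lists older randomized entries that share a name with a newer entry as candidates for manual review; the inventory fields and sample addresses are constructed, and the name is only a hint for review, never a basis for carrying rules over.

```python
import re

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}$")


def is_randomized(mac: str) -> bool:
    """True for a unicast MAC whose locally administered bit (0x02) is set."""
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    first_octet = int(mac[:2], 16)
    return bool(first_octet & 0x02) and not first_octet & 0x01


def ghost_candidates(devices):
    """Return MACs of older randomized entries that share a name with a newer one.

    The name only surfaces entries for a human to review; it is never used
    to move rules or trust between entries, since a name is trivially changed.
    """
    newest = {}
    for dev in devices:
        key = dev["name"].strip().lower()
        if key not in newest or dev["last_seen"] > newest[key]["last_seen"]:
            newest[key] = dev
    stale = [
        dev["mac"]
        for dev in devices
        if dev is not newest[dev["name"].strip().lower()]
        and is_randomized(dev["mac"])
    ]
    return sorted(stale)


# Constructed sample inventory (hypothetical field names, made-up addresses).
DEVICES = [
    {"mac": "3C:22:FB:10:20:30", "name": "Johns-iPhone", "last_seen": 1600500000},
    {"mac": "A6:5E:60:11:22:33", "name": "Johns-iPhone", "last_seen": 1600400000},
    {"mac": "DA:A1:19:44:55:66", "name": "Johns-iPhone", "last_seen": 1600300000},
    {"mac": "F2:0C:7B:77:88:99", "name": "Guest-iPad", "last_seen": 1600450000},
    {"mac": "00:1B:63:AA:BB:CC", "name": "Office-Mac", "last_seen": 1600490000},
]

if __name__ == "__main__":
    for dev in DEVICES:
        kind = "randomized" if is_randomized(dev["mac"]) else "globally assigned"
        print(f'{dev["mac"]}  {dev["name"]:<13} {kind}')
    print("review for deletion:", ghost_candidates(DEVICES))
```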
  • Michael Bierman

    @John again, once you set Private and delete the ghost device from Firewalla you are fine. I don't understand what the issue is. 

  • Michael Bierman

    @Rolando I don't see what a group has to do with anything. If Firewalla sees a device with a MAC it doesn't recognize it is going to create a new device. It won't know that that device belongs in a group that you had set up with a different MAC address. I believe this is a red herring. 

  • Rolando Nispiros

    @Michael, sorry just throwing out ideas since I'm not experiencing any issues.

  • Firewalla

    Out of curiosity, if you have the privacy button on and are connected to your home network, did that MAC change in the past few days? Ours didn't ... (In the beta phases we saw changes; it seems Apple now sticks one MAC to one SSID ... which is like Android ... which means the problem of the randomized MAC will only happen once.)

  • Rolando Nispiros

    My privacy button is on and I have not had the issue in the past few days and I have at least 6 iOS devices on iOS 14.

  • Andy

    According to Apple’s support document, the MAC will not change once configured for that network; the MAC just will not identify the device manufacturer, and it can change if you reset network settings.

    https://support.apple.com/en-us/HT211227

  • Michael Bierman

    So I thought the private addresses were generated once/24 hours. This suggests not.

    “To reduce this privacy risk, iOS 14, iPadOS 14, and watchOS 7 use a different MAC address for each Wi-Fi network. This unique, static MAC address is your device's private Wi-Fi address for that network only.”

    https://support.apple.com/en-us/HT211227

    That would suggest that once the device is on the network it will keep the private address. I personally don’t think that goes far enough, but it does match what some of you are seeing. Once I tried the private address I turned it off and things have been working as I wanted them to.

    I don’t see why anyone should want the private address setting on at home. 

  • Michael Bierman

    According to Fing, it isn’t stable and it isn’t 1/24 hours, but random. https://www.fing.com/news/private-mac-address-on-ios-14

  • Andy

    I think with something like a mesh network, where each node's BSSID in the mesh will be different, this will cause an issue, but with a single access point the MAC on the device will not change.

  • Michael Bierman

    That makes sense @andy since apparently the randomization is based in part on the BSSID.
