iOS 14

Comments

43 comments

  • Firewalla

    Happened to us too. We are waiting to see if the MAC changes again ... Kids must love this feature :)

    2
  • Firewalla

    The quarantine feature should block traffic if kids are using random MACs. It is there in 1.971 already.

    Controlling phone + device access also can be done via EMM or MDM services ... those require a lot more than just installing a router. Which means taking away their phones is likely the quickest and easiest solution.

    2
  • Andy brown

    I had the beta iPadOS and I didn't have a problem. But when I downloaded the iOS and iPadOS general release, that's when it started.

    1
  • John

    Updated an iPad Pro and iPhone X to iOS 14 today.

    The iPad was the worst. Suddenly, an additional 2 iPads were added to FW with new LAN addresses. Also, something labeled "Intel corp". Also, Pinterest started begging to have its password reset. Meanwhile, the WiFi connection was broken.

    What the ... heck?

    The issue is, the new update is changing the MAC address to something completely different as a security measure. However, it also appears FW assigns LAN addresses at least in part by MAC address. But it doesn't auto-delete the device with the old address.

    As figured out now, going to iOS Settings/WiFi, tapping the little "i", finding "Private Address", then sliding it to off seems to fix the problem.

    Then delete the additional ghost devices from FW.

    A rotating MAC address is a good thing. I think FW should be updated to accommodate this feature.

    I am using FW beta including the PC interface feature.

    1
  • Michael Bierman

    @firewalla obviously this does make the “new device purgatory” really important. I don’t know yet if I can stop the kids from using private MAC addresses. If I can’t, then Firewalla parental controls are worthless.

    1
  • Andy

    I think with something like a mesh network, where each node's BSSID in the mesh will be different, this will cause an issue, but with a single access point the MAC on the device will not change.

    1
  • John

    Update:

    Since putting the iPad in a group and turning OFF Private Address for the WiFi radio it's associated with, there have been no problems, no alarms, no LAN address changes. Cool.

    The iPhone has suddenly become stable also, with no problems, alarms, or LAN address changes with the same settings.

    The FING link is VERY helpful in explaining what's going on. In particular, it seems the LAN address may change at random times, possibly even with Private Address OFF. We will see.

    My impression is the changes are related not only to MAC but also to the specific radio, so for example, if you change from 2.4 to 5 GHz at a given location, the address will change.

    All in all the devices (or maybe me too) have settled down to the new iOS system. I will try it out on the road today.

    Good discussion here.

    1
  • Andy brown

    To be honest, I've read so much on this feature, I can't remember where I read or heard it. I've actually turned it back on for one device today to see if there is going to be a change and when. We have 4 iOS/iPadOS devices, so I will see what the difference is, if any.

    1
  • Andy

    @Adam, the private address is more for places that try to track you as you move with your device, like in a mall when you are on their wifi, so the changing MAC helps to hide who you are as you move around.

    Using private address does nothing for you at home, except give you a headache with changing devices.

    1
  • Firewalla

    Think of this analogy: when you are outside and order coffee from Starbucks, you can tell them you are Joe or Donald or Jason ... (in case you are paranoid about people knowing your true name) ...

    Then you are at home, and you start telling your wife and kids you are Joe the first day, the next day Donald ... then Jason the third day. First, your wife and kids will be worried and try hard to figure out what you are doing ... then they will either ignore you or take you to the doctors :)

    Not sure if this is funny ... happy Thursday!

    1
  • Michael Bierman

    On your network if you use the quarantine feature, you can block unknown or private MAC addresses from having access to LAN, WAN, or both. So for WiFi devices that is sufficient.

    For known devices, you can limit what they can access (web sites, etc.)

    iOS allows parents to limit WiFi to specific access points, but it is a pain to set up.

    1
  • Rolando Nispiros

    Thanks, I'll keep an eye out for that. So far I haven't experienced this and I've been on iOS 14 since the public betas.

    0
  • Firewalla

    @andy, are you using the GM or the beta version? We are testing to see if the final version got rid of this behavior .... or NOT ...

    0
  • Michael Bierman

    Ugh! @andy did the iOS/iPadOS UI show that Private Address wasn't staying deselected?

    0
  • Michael Bierman

    @john this is working as I’d expect.

    As you know, the “new” iPads are yours with private MAC addresses. iOS defaults to private random MAC addresses so your device can’t be traced when you go from network to network. The random MAC address iOS creates may look like it belongs to some other manufacturer (like Intel) or may be “Generic” from what I’ve seen so far.

    The MAC address is how Firewalla identifies your device. When iOS gives a “private” MAC, Firewalla can’t tell it is the same device as the old MAC address and, indeed, iOS will change the MAC every time you log on to the network. Firewalla should not delete the old device in such a case because it looks like this is an entirely new device, so there is no reason it should assume it is the same iPad. iOS doesn’t give any indicator that this is a spoofed MAC address.

    Pinterest? Maybe it was just time to renew the auth token?

    Maybe the WiFi issue was because you have MAC filtering on?

    As you said, you can solve this by going to iOS Settings > WiFi > click on the “i” to the left on your LAN WiFi and turn off “Private Address”. If you like, delete the phony devices in Firewalla. This should be a one-time issue per iOS device.

    What would you want firewalla to do differently?

    0
  • John

    As of this morning, the spouse's iPad Pro seems to be working fine, with Private Address turned off. (praise Jesus!)

    However, the iPhone X is still whacked and seems to be generating new MAC/LAN addresses even with the Private Address feature off. Also, for some reason, when I put the phone on the charger after being turned off with the buttons, it turns itself back on AUTOMATICALLY! Is that a feature or a bug? Then you must endure the process of seeing FW new device alerts, trying to figure out what is what, deleting ghosts and so on.

    As for breaking WiFi, that's actually been going on a while. It seems when people with several devices visit, FW or the router gets overloaded and simply breaks WiFi until you reboot the router. So is this FW, or the router? I haven't figured that out yet.

    It's early, I am going to study this today.

    It seems to me the fix is for FW to adjust to all of this seamlessly. With private addresses ON.

    Maybe say something like, "new MAC ID device found, transfer settings, delete ghost y/n?"

    But it's early yet; I need to think about this a while.

    Thanks for the super fast response Michael.

    0
  • John

    It's still early, but I have already had to delete, I think, 4 ghost iPhones. Private Address is turned off. (Is there a ghost MAC ID?)

    I am thinking FW needs a different way to assign LAN addresses.

    Maybe use the local name and some other factor, not MAC.

    Serial #, model, IMEI, MEID, a password, something.

    0
  • Firewalla

    There is no way to prevent changing MAC addresses (besides the quarantine new device feature). The MAC address is the only thing that's unique to each device. This in fact is the same problem that enterprises face as well; bring your own device (BYOD) is likely messing up the system there.

    0
  • John

    Fair point.

    Why must FW use the MAC address to assign the LAN address only, however?

    Why not something else? Maybe 2 or even 3 identifiers?

    So then, when the MAC changes FW goes to assign a LAN address, but also reads 2/3 other identifiers like assigned LAN name and serial number, and if they are already in the system, then give the user a choice to keep the already assigned LAN address or obtain a new address?

    What identifiers can FW read, now?

    I don't do networking, so if this sounds lame, I apologize.

    0
  • John

    After less than one day of the alarms popping up with "new" devices, trying to figure out which of the several iOS devices is actually active, seeing all my rules and settings for iOS devices vanish... I am thinking:

    This is NOT acceptable and not reasonable.

    I am probably going to pull it later today for a little peace and quiet.

    BTW, iOS 14 is doing some new stuff too. Like if you push both buttons and slide to off, within 30 seconds it turns itself back on if you connect it to a charger. I am not kidding. Is it a 'feature' or a 'bug'? I am not sure. In my view it's a huge security risk. Why should any device turn itself on without input from the user??? There is more, too.

    Honestly, this needs to be fixed, and by that I mean handle rotating MACs seamlessly without requiring user intervention. It's up to you guys how to figure that out.

    0
  • Michael Bierman

    @john MAC addresses are supposed to be unique identifiers set by a manufacturer. Fake or “spoofed” ones are not new in general. This is often a feature modems have, for example, usually for legitimate purposes.

    Because they are typically not easily spoofed in mobile devices, advertisers and other bad actors have used them for tracking purposes. Facebook and others watch where you go, store by store, and can sell that information.

    In response, Apple (and Android, I believe) have added privacy protection with the ability to automatically spoof MAC addresses so that once every day if you join a WiFi point it will be a new address. So if you go to Bed, Bath & Beyond today it will look like one address and tomorrow a totally different device. From a privacy perspective, this is awesome.

    On iOS if you turn off Private Address the real MAC address will be used and it should be like iOS 13. Firewalla will recognize your phone as expected. I have had several devices set that way for several days and am not seeing any issues. Firewalla also looks up the manufacturer of the device from the MAC address. You can see what’s available at https://maclookup.app

    The idea is to turn off Private Address for any network that you really trust, like your home. I would leave it on everywhere else. This should solve your issue. No more alarms or fake new devices at home. You only have to do this once for your home network on the iOS side.

    In my opinion, Firewalla shouldn’t do anything related to device names. That would undermine any security. Imagine they trusted device names. Someone knows where I live and my name; they guess my phone is called “Michael’s iPhone”. Not a hard guess. Now they can do what they want on my network. And if my kids want to break parental controls, just rename their device! This would provide no security at all and make Firewalla complete trash. A combination of MAC address and device name wouldn’t help since that would give you the same problem you are complaining about.

    The other feature I mentioned above is a request from several firewalla users that would allow any new unrecognized device to say, have internet access but no LAN access like a guest network. This would be nice for guests for example.

    Hope that is of some help.

    0
  • John

    Very helpful.

    I will try it for a while with Private Address OFF at home, but ON when traveling, especially shopping, etc.

    Yet, every time the MAC changes all local device rules will be lost. Again.

    0
  • Rolando Nispiros

    I’ve been on iOS 14 beta and general release and have not experienced any of these issues described here. In my FW Gold setup almost all my devices belong to a group. All my iOS and personal devices are in a group called ‘Personal Devices’ and have certain rules applied to those devices like blocking Porn and Safe Search.

    For the people experiencing issues with the ‘new devices’ showing up do you have those devices in a group?  If so, what if you did, would that make a difference? 

    0
  • Michael Bierman

    No, they won’t be lost. That setting is saved along with that particular access point so every time you get on your home network it will be set the same. The setting is per access point.

    0
  • John

    Rolando, I can assure you multiple new devices are created all day. For example, if you turn the device off, then on, bingo, new device created, sometimes noted as "unknown" because the MAC is randomized. Maybe it's done on some timetable I haven't deciphered yet. But... IT happens.

    With "Private Address" turned off, however, the device, it seems, retains the original LAN address and rules, but a new ghost device is created in the app. I am not 100% on that, however.

    I just put my iOS devices in a separate group, called "iOS". If that works to get around the problem you deserve a medal for finding it.

    I have read this issue is creating problems with Cisco hardware and certain network monitor apps also. It's not just FW. Just about any app that needs MAC to work is a potential problem.

    0
  • Rolando Nispiros

    Leaving Private Address on and rebooting the phone, I did not get any new devices on the FW. I also tried with Private Address off and didn't get any new device. Maybe because the FW has its cache on.

    0
  • John

    My experience:

    With Private Address off, and the iPhone X in a group, rebooting yields the phone retaining the original LAN address, but creating a new device and alarm in the FW app.

    With Private Address ON, and the phone in a group, rebooting yields the phone being reassigned a new LAN address, a new device on FW and retention of the original device listing on FW.

    Is there a way FW could determine which are ghost devices and delete them automatically?

    In general, for your devices used at home you want to leave Private Address off and put them in a FW Group for any WiFi radio at home. Delete alarms and ghosts as they appear.

    0
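As an added example (not Firewalla's code, and not something posted in this thread), the triage below shows the one thing a gateway can do with Michael's explanation of random MACs and John's question about telling ghost devices apart: iOS private addresses are locally administered, so the U/L bit in the first octet separates randomized MACs from real ones without trusting device names. The inventory, MACs and alarm names are constructed sample data, and the buckets returned by `triage` are an assumed shape, not an existing Firewalla interface.

```python
"""Triage "new device" alarms by MAC class. iOS private (randomized) addresses
are locally administered: U/L bit 0x02 of the first octet is set (the octet ends
in 2, 6, A or E), so a vendor/OUI lookup on them is meaningless. Sample data only."""
import re
from typing import Dict, List, Tuple

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$")

def parse_mac(mac: str) -> bytes:
    """Accept 'AA-BB-CC-DD-EE-FF' or 'aa:bb:cc:dd:ee:ff'; return 6 raw bytes."""
    m = mac.strip().lower()
    if not _MAC_RE.match(m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes(int(x, 16) for x in re.split(r"[:-]", m))

def canon(mac: str) -> str:
    """Canonical lower-case colon form so inventory lookups ignore separators."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac))

def is_locally_administered(mac: str) -> bool:
    """True for randomized or spoofed MACs (U/L bit set in the first octet)."""
    return bool(parse_mac(mac)[0] & 0x02)

def classify(mac: str, inventory: Dict[str, str]) -> str:
    """Return 'known', 'randomized', 'unknown-global' or 'invalid'."""
    try:
        key = canon(mac)
    except ValueError:
        return "invalid"
    if parse_mac(key)[0] & 0x01:  # I/G bit: multicast, never a device address
        return "invalid"
    if key in {canon(k) for k in inventory}:
        return "known"
    return "randomized" if is_locally_administered(key) else "unknown-global"

def triage(alarms: List[Tuple[str, str]], inventory: Dict[str, str]) -> Dict[str, List[str]]:
    buckets: Dict[str, List[str]] = {k: [] for k in ("known", "randomized", "unknown-global", "invalid")}
    for mac, name in alarms:
        buckets[classify(mac, inventory)].append(f"{mac} ({name})")
    return buckets

# Constructed home inventory and a burst of alarms like the ones described in the thread.
INVENTORY = {"00:11:22:33:44:55": "John's iPhone X", "00-11-22-33-44-66": "iPad Pro"}
ALARMS = [
    ("02:1A:2B:3C:4D:5E", "Unknown"),          # 0x02: private address, likely a ghost
    ("00:11:22:33:44:55", "John's iPhone X"),  # real MAC, already in the inventory
    ("00:11:22:AA:BB:CC", "Intel Corp"),       # globally unique but not ours: investigate
    ("da:ce:12:34:56:78", "Unknown"),          # 0xda has the U/L bit set as well
    ("01:00:5e:00:00:fb", "mDNS"),             # multicast group address, not a device
]
```

Running `triage(ALARMS, INVENTORY)` puts the two U/L-bit addresses in the "randomized" bucket, which is the set a gateway could offer to merge or expire rather than alarm on; the "unknown-global" entry is the only one that deserves a real look.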
  • Michael Bierman

    @John again, once you set Private and delete the ghost device from Firewalla you are fine. I don't understand what the issue is.

    0
  • Michael Bierman

    @Rolando I don't see what a group has to do with anything. If Firewalla sees a device with a MAC it doesn't recognize, it is going to create a new device. It won't know that that device belongs in a group that you had set up with a different MAC address. I believe this is a red herring.

    0
  • Rolando Nispiros

    @Michael, sorry just throwing out ideas since I'm not experiencing any issues.

    0