Info Apple iOS/PadOS 14 private Wi-Fi addresses and features that rely on MAC address


fredbert

Moderator
NAS Support
Subscriber
1,590
666
NAS
DS1520+, DS218+, DS215j
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
To further protect your privacy, your iPhone, iPad, iPod touch or Apple Watch can use a different MAC address with each Wi-Fi network.

The motives are good and if you use public Wi-Fi hotspots then having a different MAC per connection makes sense to stop tracking. But, and there is a but, what happens if you use MAC addresses to determine access or profiles on your home network?

As is apparent, MAC addresses can't be relied on as an infallible method to distinguish one device from another, but for [young] kids' devices it's a viable option. It also helps if you know this change has happened and you don't spend ages trying to figure out why you can no longer access Media Server from your iPhone.

The three impacted services that occur to me are:
  1. DHCP services: client IP reservations are done on MAC address. Either...
    • In each iPhone/iPad switch off the Private Address option for your home WiFi connection.
    • Update DHCP client reservations with each iPhone/iPad's new private MAC address (brief testing on/off seems to retain the same private MAC).
  2. DSM's Media Server: in DMA Compatibility is the ability to filter access to selected devices, based on MAC address. Useful to stop access to shared media if it's not appropriate for everyone (there's Video Station/Plex that can keep kids away from your horror collection!).
  3. SRM's Safe Access: assigning devices to non-default profiles is based on their MAC addresses as the identifier. If you want different profiles to set permitted Internet times and content access then you have to know the MAC addresses, or make the default profiles very restrictive and then manage the devices that can access less restricted profiles.
I haven't monitored the iOS 14 news but even reading about the new features (mostly unused by me) I didn't see this. I found out when using the iOS HEOS app and couldn't connect to Media Server, even after restarting the package (which has been occasionally needed in the past). It still worked on my old iPhone 6, iOS 12, but nothing would get it to show up on the XR. I thought to check the WiFi connection and saw that the reserved IP address wasn't correct and then noticed this new Private Address option. Et voila!
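An added check for the DHCP reservation problem described above (example code, not from this thread or from Synology): it parses a constructed lease listing and flags clients whose MAC has the IEEE 802 locally administered bit set, which randomised addresses such as iOS 14 Private Address use, so a reservation or Media Server/Safe Access filter keyed on the burned-in MAC will no longer match them. The lease-line format, the sample leases and the sample reservations are assumptions.

```python
# Added example (not from the thread). Flags DHCP clients whose MAC looks
# randomised: IEEE 802 locally administered MACs have bit 0x02 of the first
# octet set (second hex digit 2/6/A/E); iOS 14 Private Address uses such MACs,
# so reservations and filters keyed on the hardware MAC stop matching.
import re
from collections import namedtuple

# Constructed lease export; assumed format "<ip> <mac> <hostname>" per line.
SAMPLE_LEASES = """\
192.168.1.20 3c:22:fb:11:22:33 MacBook
192.168.1.50 da:1b:9e:44:55:66 iPhone-XR
192.168.1.51 00:0c:29:77:88:99 Android-TV
192.168.1.60 F6-A0-12-AA-BB-CC iPad
192.168.1.70 not-a-mac Printer
"""
# Constructed reservations keyed on the burned-in MAC each device used before.
SAMPLE_RESERVATIONS = {"3c:22:fb:11:22:33": "192.168.1.20",
                       "3c:22:fb:aa:bb:01": "192.168.1.50"}
Finding = namedtuple("Finding", "ip mac hostname locally_administered reserved")

def normalize_mac(mac: str) -> str:
    """Return 'aa:bb:cc:dd:ee:ff' or raise ValueError on malformed input."""
    m = mac.strip().lower().replace("-", ":")
    if not re.fullmatch(r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}", m):
        raise ValueError(f"not a MAC address: {mac!r}")
    return m

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def audit_leases(lease_text: str, reservations: dict) -> list:
    """Parse lease lines (skipping malformed ones) and classify each client."""
    reserved = {normalize_mac(k) for k in reservations}
    findings = []
    for line in lease_text.splitlines():
        try:
            ip, raw_mac, host = line.split()   # ValueError on wrong field count
            mac = normalize_mac(raw_mac)       # ValueError on a bad MAC
        except ValueError:
            continue
        findings.append(Finding(ip, mac, host, is_locally_administered(mac),
                                mac in reserved))
    return findings

def likely_private_address(findings: list) -> list:
    """Hosts with a randomised-looking MAC and no reservation, i.e. the ones
    whose MAC-based rules no longer apply. A hint, not proof: VMs use them too."""
    return [f.hostname for f in findings
            if f.locally_administered and not f.reserved]
```

Run it against a real lease export once per DHCP server; a hit means either re-reserving the device's private MAC or switching Private Address off for that network, as the list above describes.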
 
249
25
NAS
DS1019+
Mobile operating system
  1. Android
Apple trying to be the good guy (or making it look that way) when it comes to protecting your privacy, meanwhile pretty much forcing everyone to use Apple ID to sign in to and/or use services. Sounds like Apple get your data but won't let anyone else get it.
 

fredbert
Not sure about Apple forcing use of Apple ID; I use per service logins with unique email addresses and passwords/2FA ... never used Google, Facebook, Apple, a.n.other as authentication for a different service.

Also not looked into the mechanism these are using but they could be based on SAML and Apple et al are operating as Identity Providers. Obviously they would get an idea of the different services you are using by tracking the SAML Service Providers. At least this would mean you don't share credentials with the third party service.

I'm not 100% sure if Private Address will prevent all tracking. It could prevent building detailed information based on activity across various hotspots but it wouldn't stop tracking of fingerprinted, unconnected transmissions as you pass by access points (unless there's a randomly rotating id used until you connect).
 
321
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
  1. DHCP services: client IP reservations are done on MAC address. Either...
    • In each iPhone/iPad switch off the Private Address option for your home WiFi connection.
    • Update DHCP client reservations with each iPhone/iPad's new private MAC address (brief testing on/off seems to retain the same private MAC).
  2. DSM's Media Server: in DMA Compatibility is the ability to filter access to selected devices, based on MAC address. Useful to stop access to shared media if it's not appropriate for everyone (there's Video Station/Plex that can keep kids away from your horror collection!).
  3. SRM's Safe Access: to assign devices to non-default profiles is based on their MAC addresses as an identifier. If you want different profiles to set permit Internet times and content access then you have to know the MAC addresses, or make the default profiles very restrictive and then manage devices that can access less restricted profiles.

I don't think any of these pose a real issue. Each iOS device will use the same (static) MAC address every time it connects to any particular wireless network. So, for example, every time your iPhone connects to FredbertWifi, it will use MAC address #1. Every time it connects to AkahanWifi it will use MAC address #2. So it seems to me that it's just a once-per-device-per-network process of assigning whatever IP address and rights you want to assign to the new private MAC address. And, if you are concerned about someone getting different rights by using a "fresh" private MAC address, or their native, non-private address, you'd just block all unknown MAC addresses.

But I admit that all I know about this is what's in the post you linked to; if you think I'm missing something, I'd love to hear about it!
 

fredbert
But I admit that all I know about this is what's in the post you linked to; if you think I'm missing something, I'd love to hear about it!
That's the reason I posted this: I didn't know this had been added to iOS 14 and I do use the MAC address control in Media Server plus reserve client IP in DHCP. I was going to listen to some music before watching the final stage of the Tour de France ... didn't get to listen to music as I was trying to figure out why Media Server wasn't showing up.

And as you say, it just means to reconfigure things that rely on MAC addresses. That's ok but it is another job to do and will be a rolling one as upgrades happen by different people. But I thought it would be nice to pass this on to save others wasting their free time.
 
321
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
Oh, ABSOLUTELY - we are 100% aligned. I wasn't suggesting that you shouldn't have posted, or that the post wasn't useful...it was tremendously useful, at least to me. I was anticipating (perhaps nonexistent) panic about how this was going to make, e.g., MAC address assignments to IP addresses impossible or something.
 

fredbert
:) Yeah, it's just going to be a bit of a PITA one way or the other.
 
249
25
NAS
DS1019+
Mobile operating system
  1. Android
The Virgin Media support forum is already full of people asking why their devices are saying their Wi-Fi is insecure (Virgin hubs come with WPA/WPA2 as default), so no doubt we'll get another surge of people wondering why their child settings on the hub aren't working any more due to the MAC addresses being changed.
 

fredbert
The Virgin Media support forum is already full of people asking why their devices are saying their Wi-Fi is insecure (Virgin hubs come with WPA/WPA2 as default)
Erm, because it is?

OK, it's not WEP, but there really should've been a walkthrough explaining this and advising what options to use. The last thing I had that only supported WPA was a Palm TX in the early/mid-2000s.

My VM Hub 3 (think it's that) has only ever been set in modem mode so I can't say what features it claims to have.
 
249
25
NAS
DS1019+
Mobile operating system
  1. Android
Yes, I know WPA is deemed insecure, but the device isn't connecting using WPA, so it's a little spurious to suggest the Wi-Fi connection is insecure when the device is connected via WPA2.

Mine is also in modem mode, but the hub can be set to WPA2 mode only. Because of Apple, though, the support forums are now flooded with non-tech-minded people thinking they are being hacked.

Typical Apple, though.
 
321
122
NAS
DS212J, DS214play, DS216, DS216play, DS414, DS918+, RS816
Router
  1. RT2600ac
  2. MR2200ac
Operating system
  1. Windows
Mobile operating system
  1. iOS
I'm going to have to correct my previous post, it turns out. The Apple mobile devices do not assign a stable MAC address on a per-SSID basis. Rather, they assign the MAC address on a per-BSSID (ACCESS POINT) basis, so if you have several wireless access points in your network, any particular iPhone will change MAC addresses as you roam from room to room connecting to different access points. Moreover, the randomised MAC addresses may change, even for the same access point, several times a day. AND, it will change each time the Apple device "forgets" the network and is thereafter reconnected. So the only way to achieve stability is to insist that users turn off the randomised MAC address facility when connecting to your network. Crikey.
 

fredbert
I read it as the random MAC per SSID which stays the same until forget/reconnect. So I was under the same impression as you.

If you do use profile-based MAC filtering at home (e.g. Safe Access) then making the default profile a very restrictive set of access rules (time per day, URL categories) could be a way to persuade people to switch off Private Address. Also set FW/NAS access rules to only allow DHCP reserved IPs. Which is still a pain to manage.
 
