Security feature or network headache?
Making devices harder to track and identify has to be a good thing, right? Well, not necessarily… Geoff Meads looks at MAC Randomisation and how it will impact daily life, at work and at home.
You may not have noticed but, in iOS 14, Apple snuck in a new networking feature called ‘Private Address’. It’s right there in Settings > Wi-Fi > (tap the network name). If you haven’t spotted it yet, then you’re not alone. Many colleagues that I’ve spoken to recently didn’t know it was there either, and I only discovered it when it started to cause problems.
It’s not just Apple devices: other operating systems have added a similar feature. Android added it in version 10 and, on either platform, it can cause some major headaches for network technicians. As soon as I discovered it, my mind started racing with the ramifications this change introduces, and so it became the subject of this, my latest networking article.
What is it?
The feature Apple calls ‘Private Address’ randomises the MAC address that a device presents to a Wi-Fi network. This is a pretty neat idea because, until now, the MAC address burned into a network interface has identified the actual piece of hardware in use. Identification that’s not just ‘it’s AN iPhone’ but ‘it’s THIS iPhone’.
It’s because we use the MAC address for specific hardware identification that we can run ten otherwise identical IP cameras on a network and still tell them apart in data terms. The same applies to ten smartphones, iPads or TVs.
The end of MAC address filtering?
In the corporate world, MAC address filtering is (or at least was) a common way for IT managers to restrict access to a company network to just those devices it has authorised.
This is achieved by setting up strict rules in the router or access point that will only let a device join, or only give out an IP address to it, if its MAC address is on an approved list that an IT professional has entered. It’s a bit of a draconian system and, if you know what you’re doing, easy to get around by ‘spoofing’ an approved MAC address, but it is an extra line of defence against unauthorised devices on a corporate network.
Needless to say, if access to a network depends on devices presenting a pre-known MAC address, but devices start to change their MAC address thanks to MAC Randomisation, then access will be denied whether the device is legitimate or not. Oh dear.
The end of DHCP reservations?
There are some devices on a network that we want to have a permanent IP address. These are usually ‘server’ type devices such as NAS drives, printers and control equipment.
There are two ways to achieve this: either by entering the menu of the server device and setting its IP address to one that is outside the DHCP pool of the network (‘Static Addressing’), or by fixing the IP address / MAC address combination together in the router’s menu (‘Reserved Dynamic Addressing’, or a DHCP reservation).
There are pros and cons to each approach, but the second method is usually quicker to set up in the field and gives the network administrator a good overview of current IP assignments in the router’s menu.
Again, this will all fail if the device itself has a variable MAC address. A reservation keyed to the hardware MAC will never match a device that is presenting a private address, and a reservation set up against the private address the device used when it first joined will fail as soon as the device presents a different one (after the network is forgotten and rejoined, for instance). This leads to a multitude of usability issues where devices seem to just ‘fall off’ the network and stop working.
What about MAC binding? Well, as you might have already guessed, the same problem applies.
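One practical check a technician can run before blaming the router: randomised addresses are ‘locally administered’, which means the second-lowest bit of the first octet (0x02) is set, whereas a vendor-assigned (burned-in) address has it clear. The following is an added example, not code from this article or from any router or phone vendor, that reads a DHCP lease table in dnsmasq’s lease-file format, flags the clients whose current address is locally administered (so MAC filters, reservations, bindings and per-device time or content rules keyed on the hardware MAC will not see them), and flags any reservation whose key was copied from a randomised address and will therefore silently stop matching. The lease lines, hostnames and reservation table are constructed for the example, and the function names are my own.

```python
"""Spot randomised MAC addresses in a DHCP lease table and flag the reservations they break."""
import re
from dataclasses import dataclass

# Constructed sample in dnsmasq lease-file format: expiry-epoch, MAC, IP, hostname, client-id.
# Made-up entries for illustration, not captured data.
SAMPLE_LEASES = """\
1700000000 3c:22:fb:1a:2b:3c 192.168.1.20 office-printer 01:3c:22:fb:1a:2b:3c
1700000100 da:4f:9e:7c:00:11 192.168.1.51 Geoffs-iPhone 01:da:4f:9e:7c:00:11
1700000200 00:11:32:aa:bb:cc 192.168.1.10 nas01 01:00:11:32:aa:bb:cc
1700000300 6e:80:21:44:55:66 192.168.1.77 android-7f3e 01:6e:80:21:44:55:66
"""

# Constructed reservation table (MAC -> fixed IP) as an installer might have typed it into the
# router. The phone's entry was copied from a randomised address, so it will stop matching.
SAMPLE_RESERVATIONS = {
    "3c:22:fb:1a:2b:3c": "192.168.1.20",
    "00:11:32:aa:bb:cc": "192.168.1.10",
    "DA-4F-9E-7C-00-11": "192.168.1.51",
}

_MAC_RE = re.compile(r"^[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}$", re.IGNORECASE)


def normalise_mac(mac: str) -> str:
    """Return the address as lower-case, colon-separated; reject anything that is not a MAC."""
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.lower().replace("-", ":")


def is_locally_administered(mac: str) -> bool:
    """True if the U/L bit (0x02 in the first octet) is set.

    Vendor-assigned (burned-in) addresses have this bit clear. iOS Private Address and
    Android 10+ randomisation set it, so a set bit means 'not a hardware identity'. Caveat:
    VMs and containers that generate their own addresses (Docker's 02:42:... for instance)
    set it too, so read it as 'randomised or software-generated', not 'definitely a phone'.
    """
    first_octet = int(normalise_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


@dataclass(frozen=True)
class Lease:
    mac: str
    ip: str
    hostname: str
    randomised: bool


def parse_leases(text: str) -> list[Lease]:
    """Parse dnsmasq-style lease lines; blank or malformed lines are skipped, not fatal."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        _, mac, ip, hostname = fields[:4]
        try:
            mac = normalise_mac(mac)
        except ValueError:
            continue
        leases.append(Lease(mac, ip, hostname, is_locally_administered(mac)))
    return leases


def randomised_clients(leases: list[Lease]) -> list[Lease]:
    """Clients currently on a randomised address: anything keyed on their hardware MAC
    (filters, reservations, bindings, time/content rules) will not apply to them."""
    return [lease for lease in leases if lease.randomised]


def fragile_reservations(reservations: dict[str, str]) -> list[tuple[str, str]]:
    """(MAC, IP) reservations whose key is locally administered, i.e. was taken from a
    randomised address and will stop matching once the device presents a different one."""
    return sorted(
        (normalise_mac(mac), ip)
        for mac, ip in reservations.items()
        if is_locally_administered(mac)
    )


if __name__ == "__main__":
    for lease in randomised_clients(parse_leases(SAMPLE_LEASES)):
        print(f"randomised: {lease.hostname:<16} {lease.mac} {lease.ip}")
    for mac, ip in fragile_reservations(SAMPLE_RESERVATIONS):
        print(f"reservation keyed on a randomised MAC: {mac} -> {ip}")
```

Run against a real lease table (for dnsmasq that is usually /var/lib/misc/dnsmasq.leases; other routers export something similar), the flagged hostnames are the devices the customer will need to switch Private Address off for, and the flagged reservations are the ones that will have to be re-entered against the hardware MAC once they have.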
Surely this is bad for security?
Being able to pin a specific (bad) action to a specific device is highly useful to law enforcement, and just as useful for identifying rogue actors within residential and corporate networks. Randomisation may also break the time and content filtering you have set up on more advanced routers.
For example, if you set up an access time allowance for a child on a network, that restriction may be keyed to the device’s MAC address. If the MAC address changes, the filters will no longer apply.
Is It All Bad News?
Well, yes and no. The good folks at Apple and Google didn’t just do this for fun. The aim here (or so I believe) is to reduce the amount of tracking of users and their online behaviour. This tracking is most often used by advertisers, and the platforms they advertise on, to deliver more specific ads to you at the precise moment you might be persuaded to buy more stuff.
In some ways MAC Randomisation is a move related to Apple’s recent introduction of App Tracking Transparency (‘ATT’), also introduced with iOS 14, which has severely diminished the effectiveness of advertising on platforms like Facebook. If you are an iOS user, you’ll be familiar with the ATT ‘Ask App Not to Track’ option when you open a new app on your device…
Is There A Way Out Of This?
The good news is yes. However, it will take some education of your customers and some changes to settings on their devices.
In both iOS and Android, MAC Randomisation is now on by default. However, you can turn it off on a network-by-network basis. So, in the case of a family client, with each member of the family having a smartphone and tablet they use in and out of the house, each of them will need to turn off MAC randomisation for the home network only; it can stay on for every other network they join.
Before you rush off and change everything, though, there is one other consideration. In the case of devices like smartphones and tablets, which largely operate as ‘client’ devices, there may be no need to change anything, as they are rarely, if ever, used in a server role that needs a fixed address.
However, if you are currently using MAC address filtering, IP reservations or content/time control filters for those devices, then you will need to turn the feature off on them for those controls to continue working.
It’s worth considering too that, with children and teens especially, it won’t be long before it becomes common knowledge that turning on MAC randomisation gets around content and time restrictions keyed to a device’s MAC address.
Looking forward, it’s clear to me that this kind of feature will end up in Windows, OSX and Chrome OS too and that’s when the real fun will start!