Randomized MAC Address

Hello,


The random MAC address feature used in your products poses a security problem in many companies. Please encourage this feature to be removed and other manufacturers to remove this feature as well.

I wish you success in your work.


Regards,

Zafer.

iPhone 14

Posted on May 30, 2023 3:49 AM

Question marked as Top-ranking reply

Posted on May 30, 2023 5:23 AM

This is a user-to-user forum. You are not addressing Apple here.


This feature helps users avoid being tracked through their MAC address across various Wi-Fi networks. That’s all. Not a network security concern by itself. I would argue that neither the device user, nor the network have diminished network security because of this. And I’m happy that it is available to me. Devices would still use a single address for each network (unless more than 6 weeks ago). Re-connecting to a previous network would then use the same old remembered MAC address again.

Other non-Apple devices also have this ability, in some shape or form, so networks will have to deal with this regardless of Apple’s policy.

The feature can be turned off, so it is 100% optional.


Learn more about it here:

Wi-Fi privacy - Apple Support

Use private Wi-Fi addresses on iPhone, iPad, iPod touch, and Apple Watch - Apple Support


You’re not doing network access authentication by MAC address, are you? That would be a security concern. It is relatively easy for someone to capture/discover and clone/mask/spoof MAC addresses, which is why they shouldn't be used for security.

16 replies

Jan 29, 2024 5:41 PM in response to Zafer_Kara

MAC randomization picks a fixed (random, different) MAC address for each network, and will maintain that same address with that same Wi-Fi network, and will work just fine with MAC security. (This absent a device reset.)


It is also possible to shut off MAC randomization for each particular network, and use the hardware MAC. This can be done either manually, or via MDM provisioning.


And more generally, MAC-based security is problematic at best, and sites using that are operating at some risk. In general, migrating to (for instance) 802.1X (RADIUS) is preferable.



Per Apple: iOS 14 introduces a new Wi-Fi privacy feature. When an iPhone connects to a Wi-Fi network, it identifies itself with a randomized MAC address. The MAC address randomization behavior only generates a new MAC address once for each WiFi network a device joins. A new random address will only be generated for a known network following “Reset Network Settings”, “Erase All Content and Settings”, or “Reset All Settings” actions. For networks defined by Wi-Fi MDM settings, this can be disabled with the DisableAssociationMACRandomization option.
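The two points made above, that randomized addresses are stable per network but differ from the hardware address (so a hardware-MAC allow list denies them), can be checked against a network's own DHCP lease table. The script below is an added example, not code from this thread, from Apple, or from any product. It relies on one fact not stated in the thread: randomized Wi-Fi addresses, Apple's private addresses included, are drawn from the locally administered range, so bit 1 (0x02) of the first octet is set. The lease-line format (`<ip> <mac> <hostname>`), the lease entries and the allow list are constructed sample data.

```python
"""Audit a DHCP lease table for randomized-looking (locally administered)
MAC addresses and show which devices a hardware-MAC allow list would reject.

Added example; not code from the thread, from Apple, or from any product.
Lease lines and the allow list are constructed sample data.
"""
import re


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits in colon form; raise on junk."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.

    Randomized Wi-Fi addresses have it set, but so do manually assigned
    addresses on some VMs and appliances: treat a hit as 'probably
    randomized', not as proof.
    """
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


# Constructed sample lease table: "<ip> <mac> <hostname>" per line.
SAMPLE_LEASES = """\
10.0.20.11 3c:22:fb:11:22:33 printer-2f
10.0.20.12 da:1b:9c:44:55:66 iPhone
10.0.20.13 00:1a:2b:77:88:99 laptop-finance-07
10.0.20.14 6e:f0:2a:aa:bb:cc iPad
10.0.20.15 3C-22-FB-11-22-44 scanner-1f
"""

# Constructed allow list that knows only burned-in hardware addresses,
# written in the mixed notations such lists tend to accumulate.
ALLOW_LIST = {"3c:22:fb:11:22:33", "00:1a:2b:77:88:99", "3C-22-FB-11-22-44"}


def parse_leases(text: str) -> list[dict]:
    """Parse lease lines into dicts with normalized MACs; skip malformed lines."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # blank or malformed line
        ip, mac, host = parts
        leases.append({"ip": ip, "mac": normalize_mac(mac), "host": host})
    return leases


def audit(leases: list[dict], allow_list: set[str]) -> dict[str, list[str]]:
    """Classify each lease: randomized-looking address or not, and admitted
    or denied by an allow list that holds only hardware addresses."""
    allowed = {normalize_mac(m) for m in allow_list}
    report = {"randomized": [], "admitted": [], "denied": []}
    for lease in leases:
        if is_locally_administered(lease["mac"]):
            report["randomized"].append(lease["host"])
        bucket = "admitted" if lease["mac"] in allowed else "denied"
        report[bucket].append(lease["host"])
    return report


if __name__ == "__main__":
    for bucket, hosts in audit(parse_leases(SAMPLE_LEASES), ALLOW_LIST).items():
        print(f"{bucket:10s} {', '.join(hosts)}")
```

On a real network the lease lines come from the DHCP server's lease file or the switch's address tables. The output makes the allow-list problem concrete: the two randomized clients are exactly the two the list denies, and the answer the thread gives is not to add random addresses to the list but to move to real authentication such as 802.1X, or to disable randomization for the corporate SSID through an MDM profile.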



Jan 29, 2024 5:15 PM in response to p_ward

p_ward wrote:

If the laptop is company owned, then yes. The end user has no expectation of privacy on a company device on a company network.

The randomized hardware address isn't a security issue per se. However if the company is using the hardware address in an allow list to permit devices to connect to the corporate internal network, randomizing the hardware (MAC) address causes the device to be denied access to the network. That's why corporate IT usually wants to disable this "feature".

Also tracking devices by hardware address is often desirable inside corporate networks for a variety of reasons.

If you want to enable it on your personal devices, knock yourself out. Enabled on company hardware, it's a pain in the butt.

The issue has already been posted. Companies should not be using the MAC address to identify devices, because it is very easy to fake a MAC address for anyone who wants to access the corporate network. Not by amateurs, perhaps, but by the sort of cybercriminals who delight in hacking into corporate networks. Using MAC address as a security parameter thus gives companies a false sense of how secure they actually are.

Jan 30, 2024 11:23 AM in response to Zafer_Kara

Zafer_Kara wrote:

Hello,

The random MAC address feature used in your products poses a security problem in many companies. Please encourage this feature to be removed and other manufacturers to remove this feature as well.
I wish you success in your work.

Regards,
Zafer.

It occurred to me as I was going to sleep that you don’t understand Private Wi-Fi Address. It is NOT a global setting; it is turned on or off for each Wi-Fi connection. So just tell your users that they have to turn it off for your network to connect to your Wi-Fi network. If they don’t they won’t be able to connect.


If you actually mean the random address feature for devices not connected to a network, that is also irrelevant, because it is only active when not connected. Once a device connects it sends its real MAC address when Private Address is disabled.


None of this changes the fact that MAC address filtering is a useless and dangerous feature to depend on, because it is trivially easy to hack.

Mar 28, 2024 9:26 AM in response to KYNETENGINEER

KYNETENGINEER wrote:

URquhart1244,
I would argue that you're not a network security professional or you would understand exactly what the OP meant.
It does indeed make the network less secure because it effectively prevents company Network Security from blocking devices that have been compromised or are attempting to use the company network to access things that are against the company policy due to use of bandwidth resources or deemed NSFW.


MAC-based access security was well and truly busted well before Apple started using it for privacy.


And for your particular case, your MAC security works as well as it did before, as Apple keeps the MAC addresses consistent on the same Wi-Fi network, absent a low-level network reset. Which is analogous to replacing a device.


Or load or tweak an existing profile and shut the feature off. You are undoubtedly already using MDM with your company’s associated devices, of course.


It was (and is) routine to spoof MAC addresses on Wi-Fi and wired links.


For some background information on distributed security, you’ll want to look at (for instance) BeyondCorp and “the long tail of zero trust”, and at some variations of that strategy. Not at fixing MAC-based authentication.

Jan 29, 2024 6:02 PM in response to p_ward

However if the company is using the hardware address in an allow list to permit devices to connect to the corporate internal network …

Then their IT staff doesn’t understand that this isn’t a safe practice at all. I would say: even advertising the weakness. Impostor A can remotely discover the MAC address of user B, then clone that to their own device, posing as B.

If an organization needs to enforce an allow-list for network access, then true authentication is needed.

Jan 29, 2024 10:18 AM in response to IdrisSeabright

If the laptop is company owned, then yes. The end user has no expectation of privacy on a company device on a company network.


The randomized hardware address isn't a security issue per se. However if the company is using the hardware address in an allow list to permit devices to connect to the corporate internal network, randomizing the hardware (MAC) address causes the device to be denied access to the network. That's why corporate IT usually wants to disable this "feature".


Also tracking devices by hardware address is often desirable inside corporate networks for a variety of reasons.


If you want to enable it on your personal devices, knock yourself out. Enabled on company hardware, it's a pain in the butt.

Jun 5, 2024 8:26 AM in response to synthetase

synthetase wrote:

Yeaaaaaahhhh. That's not gonna happen. Must is a strong word to use here. It's like you're commanding it to happen. You'll just have to disable it on employee devices or not allow devices with it enabled to connect.

Now the problem I'm dealing with as I type is that someone's account is constantly locking out because a device with a randomized address keeps attempting to log in with an old password. So that's fun.


Apple devices shouldn’t shuffle MAC addresses on the same network, short of a reset. (See image below.)


Password lockouts are entirely independent of the MAC address randomization.


If using traditional credentials, the server should be getting a user identification in addition to the password error.

May 30, 2023 7:43 AM in response to Zafer_Kara

Zafer_Kara wrote:

Hi,

Thank you for your response. I couldn't find a support page to explain this issue.
Yes, it can be a safe feature considering as a user. However, in many institutions and organizations, it becomes an important security problem because it is difficult to control. For this reason, all manufacturers must remove this feature globally.

So, you want to give business more control over their security than individuals have over their own privacy? You want to give corporations more ability to track and control people? I suspect Apple will continue to disagree with you on that. However, you can let them know your thoughts on the matter here:


Product Feedback - Apple



Jun 5, 2024 8:10 AM in response to Zafer_Kara

Yeaaaaaahhhh. That's not gonna happen. Must is a strong word to use here. It's like you're commanding it to happen. You'll just have to disable it on employee devices or not allow devices with it enabled to connect.


Now the problem I'm dealing with as I type is that someone's account is constantly locking out because a device with a randomized address keeps attempting to log in with an old password. So that's fun.

Jun 5, 2024 9:05 AM in response to MrHoffman

We are authenticating via active directory credentials. It tends to happen after people change their password. Sometimes there's a random device that keeps connecting after the user swears they've forgotten all networks on their devices. A static hardware MAC can help us help the user identify the device. I have read the article you're referring to. My situation is not Apple's fault. I'm just complaining.

Mar 28, 2024 7:52 AM in response to Zafer_Kara

URquhart1244,

I would argue that you're not a network security professional or you would understand exactly what the OP meant.

It does indeed make the network less secure because it effectively prevents company Network Security from blocking devices that have been compromised or are attempting to use the company network to access things that are against the company policy due to use of bandwidth resources or deemed NSFW.

It is a constant battle. Something meant to help protect the end user allows those same users to abuse and potentially harm the companies they work for, and in the end themselves if the company is attacked and they lose their jobs because the company falls.

Jun 5, 2024 1:25 PM in response to synthetase

Map your switches and APs of course, so you will at least know the locality of the access, and existing previous MAC access will identify the device. Or that randomization can be disabled via profile.


Password changes due to established lifetimes—without disclosure or such—are also against current US NIST password security guidelines. (800-63B § 5.1.1.2.)
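The lockout problem synthetase describes (a forgotten device still presenting an old password), MrHoffman's point that the authentication server receives a user identification alongside the failure, and the advice to map switches and APs so the locality of the access is known, all come together in one small piece of log triage. The script below is an added example, not code from this thread or from any RADIUS or directory product. The log line format (`<timestamp> auth-fail|auth-ok user=<name> mac=<mac> ap=<ap>`) is an assumption made for the example and the lines are constructed sample data; a real deployment would map the fields from its own server's failure records.

```python
"""Trace repeated authentication failures back to a device and its location.

Added example; not code from the thread or from any product. The log format
is an assumption for the example and the lines are constructed sample data.
The username identifies the account being locked; the client MAC (stable per
network on Apple devices, absent a reset) plus the AP it was seen on narrows
down which device is still presenting the old password, and roughly where.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
2024-06-05T08:01:12 auth-fail user=jdoe mac=da:1b:9c:44:55:66 ap=AP-3F-east
2024-06-05T08:01:42 auth-fail user=jdoe mac=da:1b:9c:44:55:66 ap=AP-3F-east
2024-06-05T08:02:10 auth-ok   user=asmith mac=00:1a:2b:77:88:99 ap=AP-2F-west
2024-06-05T08:02:15 auth-fail user=jdoe mac=da:1b:9c:44:55:66 ap=AP-3F-east
2024-06-05T08:05:30 auth-fail user=jdoe mac=3c:22:fb:11:22:33 ap=AP-1F-lobby
2024-06-05T08:06:01 auth-fail user=asmith mac=00:1a:2b:77:88:99 ap=AP-2F-west
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>auth-\w+)\s+user=(?P<user>\S+)"
    r"\s+mac=(?P<mac>\S+)\s+ap=(?P<ap>\S+)$"
)


def parse_log(text: str) -> list[dict]:
    """Parse the constructed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["mac"] = ev["mac"].lower()  # MAC case varies between vendors
        events.append(ev)
    return events


def failures_by_user(events: list[dict]) -> dict[str, list[dict]]:
    """Group failure events by the account they were made against."""
    out = defaultdict(list)
    for ev in events:
        if ev["result"] == "auth-fail":
            out[ev["user"]].append(ev)
    return dict(out)


def suspect_devices(events: list[dict], threshold: int = 3) -> dict:
    """For every account at or above `threshold` failures, summarise the
    failures per (mac, ap): count plus first and last time seen. The pair
    with the highest count is the device most likely holding the stale
    password, and the AP name says where to go looking for it."""
    summary = {}
    for user, fails in failures_by_user(events).items():
        if len(fails) < threshold:
            continue
        per_device = {}
        for ev in fails:
            key = (ev["mac"], ev["ap"])
            entry = per_device.setdefault(
                key, {"count": 0, "first": ev["ts"], "last": ev["ts"]})
            entry["count"] += 1
            entry["last"] = ev["ts"]
        summary[user] = per_device
    return summary


if __name__ == "__main__":
    for user, devices in suspect_devices(parse_log(SAMPLE_LOG)).items():
        print(f"account {user}:")
        for (mac, ap), info in sorted(devices.items(), key=lambda kv: -kv[1]["count"]):
            print(f"  {mac} via {ap}: {info['count']} failures "
                  f"({info['first']} .. {info['last']})")
```

The point the example makes is the one MrHoffman makes in prose: nothing here depends on whether the client MAC is the hardware address or a randomized one. The account is found by username, and the per-network stable address together with the AP is enough to point the user at the right device, which is what the help desk actually needs.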

This thread has been closed by the system or the community team. You may vote for any posts you find helpful, or search the Community for additional answers.
