'Mysterious' Airplay traffic to BSSID 00:25:00:FF:94:73

Question

Level 1

8 points

'Mysterious' Airplay traffic to BSSID 00:25:00:FF:94:73

We regularly scan for rogue APs and most recently we've found iPhone, iPad and iPod devices being used inside our building are sending Airplay traffic to BSSID 00:25:00:FF:94:73. A packet capture revealed the traffic was Airplay traffic and revealed the names of the devices broadcasting to it. I knew who one of the owners was and she said she did not (knowingly) have Airplay turned on on her device, and did not have an Apple TV.

A web search for the BSSID id returned enough results that it seems like a common MAC address (mostly returned packet captures, or a few forum posts), but there don't seem to be any definitive answers. I'm trying to figure out what this is, and what it is used for. Thanks in advance for any help!

Posted on Oct 1, 2014 10:36 AM

Reply

Answer 1

iToaster

Level 3

739 points

Oct 1, 2014 5:40 PM in response to throw_away

Your users could also be using software like airserver, reflector etc that mimics appletv

Or https://annotate.net which can mirror to ios devices

I guess it's possible an app the user has installed is doing something with AirPlay

Reply

Answer 2

throw_away Author

Level 1

8 points

Oct 2, 2014 12:15 PM in response to iToaster

After looking at this a bit more, I think this traffic is related to either Peer-to-Peer AirPlay (half-way down: Use AirPlay to wirelessly stream content from your iPhone, iPad, or iPod touch), or an Apple device 'probing' for an Airplay receiver.

Here's why:

We only see traffic from the devices to 00:25:00:FF:94:73 -- nothing coming from 00:25:00:FF:94:73 to any device (presumably b/c its not in use).
The traffic is unencrypted and contains an Apple device name
Based on search results the MAC address (00:25:00:FF:94:73) is not unique, so I'm thinking it is somehow defined in software
This iPhone 5 boot crash shows the phone setting its BSSID to 00:25:00:FF:94:73 (http://pastebin.com/4Wa4xVbr, line 428)
The traffic is on 2.4 GHz on channel 6 (http://chambersdaily.com/bradleychambers/2014/9/19/technical-details-of-peer-to- peer-airplay)
There are IPv6 multicast packets that contain "_airplay._tcp.local._raop" or "_raop._tcp.local._airplay" (http://community.arubanetworks.com/t5/Unified-Wired-Wireless-Access/AirPlay-mirr oring/m-p/28950/highlight/true#M9923)

Can anyone confirm or deny this?

Reply

Answer 3

Oct 21, 2017 6:00 PM in response to throw_away

If anyone else is still wonder, it's anything over AWDL, or Apple Wireless Direct Link, which is used for AirDrop, AirPlay peer-to-peer, and a huge amount of other local peering.

Reply