MAC Bypass and iPhone6

Started by deanwebb, June 01, 2015, 09:39:30 AM

Previous topic - Next topic

deanwebb

iPhone 6 on iOS 8.0.2 and later will randomize MAC addresses, which is a cool idea to keep from being tracked as your phone sends out wifi probes. Although there were some initial glitches, the latest and greatest version of iOS seems to be doing that MAC randomization thing pretty well.

Which means trouble when connecting to an 802.1X wireless guest network that places the MAC address of a device with a successful user login into a MAC bypass list... guy logs in with iPhone, gets on the network. Walks out, walks back in, iPhone is not on wifi, so it randomizes MAC address and user has to register... but then the device connects and the MAC goes back to what it was, so the user doesn't have to register. Except he never logged back on, either, so... hrmmm... looks like we need to re-write that 802.1X policy to account for those iDevices having random fun.

:tmyk:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

Is this still bugged? I remember that the MAC randomization did not work if the device had either Location Services enabled, or had a cellular data connection. So I would say 99% or more of the devices out there would not be using the randomization. I don't do wireless so didn't really bother me much.

-Otanx

deanwebb

Just saw two cases of it on our test network. We're none too pleased, I assure you.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

killabee

Thanks for sharing!  This is going to suck for MAB authentication (based on identity store) on ISE.  Do you have reference material for this?

deanwebb

There's some info on the MAC address thing with iPhones in a few tech mag articles, but it deals mostly with end-user inconvenience. I don't have any docs on its impact on NAC: we're just now starting to see it.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

SimonV

Is it a complete MAC randomization, or does the OUI stay the same?

deanwebb

Quote from: SimonV on June 02, 2015, 04:24:42 PM
Is it a complete MAC randomization, or does the OUI stay the same?
Good question. I need to see more of the MACs from these phones to get an idea.
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

I guess this is finally going to get everyone off their butts re: the longstanding de-facto assumption that (easily spoofed) MAC = identity.
Ironically its 'good' that its the fruit phone, since its going to be so high profile nobody can afford to just ignore it as a niche case.
Keep us posted on best 802.1x practice in this scenario

deanwebb

For the corporate-managed phones, it'll be MDM and certificates. For the guest network... perhaps permission from the guest to install a dissolvable client prior to accessing the network?
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

wintermute000

Guest will be the killer. Pki has been standard for dot1x for a while now