Protecting your home network from iOS 14's Private Address feature
Written by Prof. Rom Feria
Apple will be releasing iOS 14 and iPadOS 14 in less than two months, and one of the privacy features that is baked in is the Private Address toggle, which is turned on by default. What Private Address does is to randomize your device’s MAC address to prevent malicious players from fingerprinting you like TikTok. Overall, this is great for privacy, but not for home networks that has network-wide controls to protect users from trackers.
Currently, I have Firewalla, Circle with Disney and Pi-Hole on my home network to protect everyone against adtech and surveillance capitalists. All devices at home are registered, with set IP addresses assigned via their MAC addresses through Pi-Hole acting as DHCP server.
When I installed iOS 14 beta on my iPhone 11, I got alerts from Circle about an unknown device joining the network. iOS 14 Private Address was turned on, and what it does is generate MAC addresses every 24 hours — so the next day, another unknown device joined my network. Argh! This is a nightmare considering that I get alerts even if authorized users are connecting, which makes it difficult to know if my home network has been compromised.
I thought of several ways of solving this issue before iOS 14 and iPadOS 14 get officially released. The most obvious way is to turn off Private Address on all devices, but it is easier said than done, specially if you have teenagers! There has to be a better way.
I considered restricting MAC addresses on the WiFi Access Point/Router — to prevent devices from connecting to your wireless network. Perfect solution, but there has to be a better way since adding a new MAC address requires rebooting the access point/router.
One possible solution that I have explored is going the Pi-Hole route, considering that I have configured it to be the DHCP server to map IP address for every registered MAC address. However, with Private Address turned on, a new MAC address will still get an IP address, albeit not within the known addresses.
Fortunately, Pi-Hole’s can be configured to ignore unknown MAC addresses via a simple text-based configuration. Tweaking the configuration file does not even need a reboot (no router or Pi-Hole reboot). The configuration can be found at /etc/dnsmasq.d. If you don’t have the file 04-pihole-static-dhcp.conf, you can create it using your favorite Linux editor, I prefer vi. The content format is simple:
dhcp-host=
Example:
dhcp-host=AA:AA:AA:AA:AA:AA,10,0.0.1,iPhone11,4h
Which assigns the IP address 10.0.0.1 to a device named iPhone 11 and with MAC address AA:AA:AA:AA:AA:AA, and valid for 4 hours.
I listed all the known and authorized devices at home. However, this still does not solve the original issue, those unauthorized MAC addresses. At the end of the configuration, after listing all authorized MAC address, you add a catch-all rule:
dhcp-host=*:*:*:*:*:*,ignore
This matches all MAC addresses that are not listed above this rule and IGNORES it, i.e., does not give it an IP address to use on the network.
Lo and behold, it works! Adding a new MAC address requires editing the same file (do not use the Pi-Hole web interface as it adds any new entry at the bottom, after the ignore line) and reloading it. Nothing to reboot!
For the meantime, this solution gets the job done, until maybe I get a network firewall appliance that allows me to better control the network.