In reply to a post by MHC:

Even if that is the case, it is NOT permissible.

Apparently Apple disagree.

I remember reading and signing an application for a block of MAC addresses - they are managed by IEEE. There are conditions in that which govern usage and state that a device/interface should have a single MA allocated. And what if Apple randomisation uses MAs allocated to another manufacturer? Or one belonging to a device already using/logged on to a WiFi hot spot.

More info

I think we can assume it means random within Apple-allocated blocks. However I thought the whole point of MAC addresses was that they were unique to the device. (I know about spoofing them).

In reply to a post by RobertoS:

I think we can assume it means random within Apple-allocated blocks. However I thought the whole point of MAC addresses was that they were unique to the device. (I know about spoofing them).

Even within an allocated block, it should not be done. And yes they are supposed to be device unique.

Even if Apple kept a block of their own MAs for random use, they would still be breaking/bending the rules. They cannot start using a new block until their previously allocated block has been fully (over a specified threshold) utilised.

Maybe they have a different agreement with IEEE that allows it? It could be a relatively small block of addresses as uniqueness becomes less important in this scenario (plus the temp address will only be visible in a very small geographic area).

Yes it is, as long as the LAA bit is set.

MAC whitelisting is fairly pointless and provide a false sens of security - it may stop casual connections, but cloning a device which does have access isn't hard as it is trivial to set the MAC on any Windows or Linux laptop to anything the user desires.

In reply to a post by tdw42:

MAC whitelisting is fairly pointless and provide a false sens of security - it may stop casual connections, but cloning a device which does have access isn't hard as it is trivial to set the MAC on any Windows or Linux laptop to anything the user desires.

Of course, the attacker must know the MAC address they are cloning. Where they have no physical access to an authorized device or the wired and wireless networks, things become a little bit harder. So it's not pointless.

I did say 'fairly pointless' rather than 'completely pointless', IMHO MAC whitelisting provides a false sense of security. Even on encrypted wireless networks the MAC is sent in the clear so sniffing or using a fake AP will reveal the target MACs.

MAC filtering is more about deterring the casual snooper rather than the determined hacker but that doesn't mean it's not useful. It's the same with disabling SSID broadcast.

To deal with the more determined threat, I've put other measures in place

I'm fairly sure my sense of security isn't false.