Spoofed Gateway Mac address in 10.2?

App & System Services Core OS
44t OP
Created Nov ’16
Replies 6
Boosts 0
Views 4k
Participants 7

Hello all -- Just downloaded the iOS 10.2 beta to test and found a function that is no longer working. In the code below, I've look through the ARP Table to get the Gateway IP. From that, I reverse lookup and get the Gateway's MAC Address. In iOS 10.1, the function below will return a proper MAC Addressin the following style @"08112200FFAA"


Running this same piece of code on 10.2 succeeds but returns a spoofed Mac address, 02:00:00:00:00:00... Seems this maybe a security improvment over 10.1?


Is anyone (@Apple???) able to confirm that 10.2 has infact made a change to block getting a macaddress?



+ (NSString*)ipToMac:(NSString*)ipAddress
{
    if (!ipAddress || ipAddress.length == 0)
        return nil;
   
    NSString* res = nil;
   
    in_addr_t addr = inet_addr([ipAddress UTF8String]);
   
    size_t needed;
    char *buf, *next;
   
    struct rt_msghdr *rtm;
    struct sockaddr_inarp *sin;
    struct sockaddr_dl *sdl;
   
    int mib[] = {CTL_NET, PF_ROUTE, 0, AF_INET, NET_RT_FLAGS, RTF_LLINFO};
   
    if (sysctl(mib, sizeof(mib) / sizeof(mib[0]), NULL, &needed, NULL, 0) < 0)
    {
        ErrLog(@"Exception in route-sysctl-estimate");
        return nil;
    }
   
    if ((buf = (char*)malloc(needed)) == NULL)
    {
        ErrLog(@"Exception in malloc");
        return nil;
    }
   
    if (sysctl(mib, sizeof(mib) / sizeof(mib[0]), buf, &needed, NULL, 0) < 0)
    {
        if (buf)
        {
            free(buf);
            buf = NULL;
        }
        FrameworkLog(@"retrieval of routing table");
        return nil;
    }
   
    for (next = buf; next < buf + needed; next += rtm->rtm_msglen)
    {
        rtm = (struct rt_msghdr *)next;
        sin = (struct sockaddr_inarp *)(rtm + 1);
        sdl = (struct sockaddr_dl *)(sin + 1);
       
        if (addr != sin->sin_addr.s_addr || sdl->sdl_alen < 6)
            continue;
       
        u_char *cp = (u_char*)LLADDR(sdl);
       
        res = [NSString stringWithFormat:@"%02X%02X%02X%02X%02X%02X",
               cp[0], cp[1], cp[2], cp[3], cp[4], cp[5]];
       
        break;
    }
   
    free(buf);
   
    return res;
}
Replies  6
Boosts  0
Views  4k
Participants  7
ulide4 OP
Nov ’16

I can report the same issue.

Any insight about this change would be appreciated as this breaks my App.

Thank you

0
dreamop233 OP
Dec ’16

I see Fing has supportted 10.2 and works well. But they said they have use some proprietary technology. Does anyone know this?

0
linnart OP
Dec ’16

Appears that "Network Analyzer" can resolve MAC Addresses as well.

0
blackm OP
Dec ’16

I have the same problem. Did anybody find a work around or have any tips how to get the MAC Address? Seems like Fing, and iNet did that already.

0
AllanPham OP
Dec ’16

I have the same issue too, did anyone find the solution? I am using the same code to get the Mac address from IP but it returned "02:00:00:00:00:00" for every IP

0
dave_t OP
Mar ’17

Same issue here. 02:00:00:00:00:00 appears every time. in my app when I read out of the arp table that I generated using sysctl.

Additional info:

  • The problem occurs on 10.2 hardware with freshly compiled app
  • The problem does not occur on 10.1 simulator.
  • The problem occurs on a really old version of my app running on 10.2 hardware.
  • I viewed the memory of the arp table and searched for the known mac address was looking for. The expected address wasn't there anywhere, so not a formatting problem.

Very much looks like the sysctl approach gives you a faked out mac address in 10.2.

If this is intentional, please could someone from apple confirm? If not, will it be fixed in new ios versions?

0
Spoofed Gateway Mac address in 10.2?
First post date Last post date
 
 
Q