Secure Net for Broadband cannot recognise devices

runciblehat
2: Seeker

I've just joined Vodafone Broadband and one of the key selling points was the Secure Net service. However, I'm struggling with the service as it seems to rely on the MAC address of the connected device to assign it to profiles - but this address is getting very unreliable for a couple of reasons:

1. Windows 11 has an option "Random Hardware Addresses" which creates random MAC addresses. It even has an option "change daily" to keep changing it.

2. iPhones have, for a while now, had an option called 'Private Wi-Fi Address' which creates a random address in any wifi network it joins. In iOS 18 a new "rotating" feature means it also will keep changing. I think Android also has this feature.

The upshot of both these new features means that any parental control will simply "drop out" whenever the address changes. It means you will believe your children are being kept safe when they are not - making Secure Net useless.

This issue is compounded with another problem - Secure Net makes it really difficult to work out what the device is when trying to assign it to a profile. There is an arbitrary name created but it is not clear where this comes from and it seems really unreliable. I've attached a couple of screenshots of my App - as you can see... it's really difficult to know what device is what (what is "PC" for example!!). It would help if the MAC and IP were also shown, but they are not. When logging into the router locally, you can see a little better which device is on which network, and also set the name (as you can check the assigned IP against what the device IP is showing). However, this name does not get sent to Secure Net, so it is pointless doing this as it doesn't help in any way.

To make Secure Net for Broadband usable I believe it needs these changes:

1. A toggle option to reject any private MAC address on the router DHCP server - this should force devices to fallback to their hardware MAC which is "burnt into" the network card on the device and will not change. It is easy to block private MACs... if the second character in a MAC address is a 2, 6, A, or E it is a randomized address.

2. Get a better method of identifying devices in the Secure Net app so it is easy to tell which device is which. It would even be worth having some kind of "captive portal" function available in the router which would allow you to get more device info before you allow the device to connect (although this would maybe need to be on guest wifi only as IoT devices in the home would not be able to respond).

3. A toggle option with a default 'deny' to any new MAC address requesting to connect. Then in the App there would be a 'needs a profile' option where you can review new MAC addresses and assign them to a profile (or assign as no profile needed for IoT devices, and parent devices). This would mean if your kids have set the "change daily" option on their device you would keep getting new requests - but eventually they would switch it off when they realise it isn't letting them bypass Secure Net!!

I would be interested to know if the Secure Net team are looking into these issues and whether there are going to be improvements to the service to combat this whole private MAC issue. Otherwise, the service is untrustworthy - which for parents is worse than having nothing at all.
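The "second hex digit is 2, 6, A or E" rule in point 1 above is the locally-administered (U/L) bit of the MAC address: bit 1 of the first octet. The following is an added example, not code from the original post or from Vodafone, that implements that check for the common MAC notations and runs it over a constructed DHCP-lease list (hostnames and addresses are made up) to show which devices a MAC-keyed parental-control profile would silently lose track of after the next rotation. Function names and the sample data are assumptions for illustration.

```python
import re

# Constructed sample lease table (hypothetical hostnames and MACs, not from the
# original post). A home router's DHCP lease page exposes similar data.
SAMPLE_LEASES = [
    ("pc",     "A4:5E:60:11:22:33"),   # first octet 0xA4: U/L bit clear -> burnt-in address
    ("iphone", "3A:1F:9C:44:55:66"),   # second hex digit 'A' -> locally administered
    ("laptop", "d6-0b-2c-77-88-99"),   # second hex digit '6' -> locally administered
    ("tablet", "0212.3456.789a"),      # second hex digit '2' -> locally administered
    ("hub",    "00:1A:2B:3C:4D:5E"),   # burnt-in address
]


def normalize_mac(mac: str) -> str:
    """Return the 12 hex digits of a 48-bit MAC in upper case.

    Accepts colon-, hyphen- and dot-separated forms as well as bare hex.
    Raises ValueError for anything that is not exactly 12 hex digits.
    """
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return digits.upper()


def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    This is the same test as "second hex digit is 2, 6, A or E": those are
    exactly the low nibbles of the first octet whose bit 1 is set.
    """
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


def is_multicast(mac: str) -> bool:
    """True when the I/G bit (bit 0 of the first octet) is set; such addresses
    never identify a single device and should not appear as DHCP clients."""
    first_octet = int(normalize_mac(mac)[:2], 16)
    return bool(first_octet & 0x01)


def classify_leases(leases):
    """Map each hostname to 'randomized' (U/L bit set) or 'hardware'."""
    return {
        host: ("randomized" if is_locally_administered(mac) else "hardware")
        for host, mac in leases
    }


def unstable_profile_bindings(leases):
    """Hostnames whose MAC-keyed profile assignment may stop matching after
    the device rotates its private address. Sorted for stable output."""
    return sorted(host for host, mac in leases if is_locally_administered(mac))


if __name__ == "__main__":
    for host, kind in classify_leases(SAMPLE_LEASES).items():
        print(f"{host:8s} {kind}")
    print("at risk of dropping out of their profile:",
          ", ".join(unstable_profile_bindings(SAMPLE_LEASES)))
```

One caveat for anyone turning this into a router or DHCP-server rule: the U/L bit is also set on many virtual adapters (VM and container NICs commonly use locally administered addresses), so "locally administered" is not always "randomized by a phone"; a deny rule keyed on this bit should be reviewed against the lease table before it is enforced.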

8 REPLIES

Cynric
16: Advanced member

@runciblehat In Android you can turn off the random MAC address feature, isn't that an option in iOS?

Hi @Cynric yes it is but it's just on the wifi settings so the kids can just toggle it back on again - there is no way to restrict that setting. I think the only way would be to deploy some MDM solution - but that's a bit over the top. If the router did have the ability to block private addresses though, it would just mean that the feature would fail to work and, from what I have tested, the device 'falls back' to its burnt-in address.

I forgot to mention as well another massive and serious flaw in the security of Secure Net - but tbh I almost don't want to reveal this at the moment as kids may be reading my posts and have not found it out yet!!

runciblehat
2: Seeker

...forgot to add the screenshots!

[Screenshot: runciblehat_0-1730849328834.png]

- above you see it says "Apple Apple (macOS)" - but we have no Apple computers in the house so I have no idea what this is, it's certainly not a Mac!

[Screenshot: runciblehat_1-1730849492486.png]

- here we can see loads of iPhones in the list, the bottom two have my name and my wife's name (I've redacted) so I know what these are - but have no idea what the top 3 are. And why does it show our names for our devices (which it must be getting from the name being broadcast by Bonjour I guess?) - but no name for the others. I've also already got my kids' devices assigned against profiles, multiple times, so no idea what these are unless they are just recreated devices as the private MAC changes. As for "9B0C-C494-2" - again no idea what this is. Only my PC is on the network at the moment and it's not that.

Cynric
16: Advanced member

@runciblehat Could you put the kids on the guest WiFi and shut that down when you wish?

Cynric
16: Advanced member

@runciblehat You could, if you are happy to do a bit of Unix/Linux scripting, set up a PiHole and let that manage both DHCP and DNS on behalf of your router. You could then add a blacklist to the DNS settings to help prevent unsuitable web sites being reached and set up one (or more) scripts to boot devices off the LAN and not allow them to reconnect. Rather than go into all the details here, a quick web search will find the specifics.

runciblehat
2: Seeker

Thanks for the suggestions @Cynric - Yes I could do both these things and have looked at PiHole, but to be honest I'm a little disappointed as the whole idea of Secure Net was that it was a service which I was happy to pay for if it worked effectively. I'm fed up having to hack around with home networking to give me a solution - esp. as the kids get older and cleverer and keep finding ways to bypass it - it's like having 2 hackers in the house lol!

I have already got a 'second tier' of protection now... I found the voda hub allowed me to set downstream DNS servers so I have changed these to OpenDNS and this gives additional protection.

But still a bit frustrated as if Secure Net worked properly it would be a really nice product. Anyone from Vodafone care to comment on this thread?

Cynric
16: Advanced member

@runciblehat There are also levels of safeness with the Cloudflare DNS addresses, so you could have the primary one on OpenDNS and the secondary on Cloudflare just in case of the unexpected.

PS. Your junior hackers may well be growing their skills, but the PiHole can be anywhere in the house just as long as it is connected to the LAN 😉

It would have to be in a locked steel cage surrounded by a pit of lava I think 🤣