My Wi-Fi app notified me last night about an unknown device that joined the network. I’ve looked up the MAC address at a couple of websites and they both said it was unknown. How do I go about figuring out what is connected?
The MAC address of a Wifi device will depend on which WiFi chipset it uses - and many devices are able to change their MAC address, so it’s not a certain guide to the identity of the device that’s connected to your network.
Do you have the IP address of the device in question? You could check your devices and see if it corresponds to any of them.
The first and easiest step would be to determine the manufacturer associated with the OUI (the first 6 digits of the MAC address). Go here and type in OUI (normally in the form “XX:XX:XX”) and it will tell you the device manufacturer.
Did you mean to link a website?
Is the IP address stamped on devices?
The IP address would (typically) be assigned to the device when it first connects to your network. You can usually get it from a network settings screen on the device itself.
There should be some status screen in your WiFi router/base station that can display the mappings from MAC address to IP address. It might be something like “DHCP settings” (DHCP, Dynamic Host Configuration Protocol, is what assigns the IP ↔ MAC mapping).
Really? I thought the MAC address was permanently hard-wired into all devices.
Maybe here?
MAC Address Vendor Lookup | MAC Address Lookup (maclookup.app)
Whoops, sorry, I meant to link to the Wireshark tool here, but there are many of them that work the same way.
Most routers support MAC address filtering. Generally it works in terms of “allow only the MAC addresses in this table”, but that could take a while to set up if you have a lot of devices on the network. However, some routers also support explicit MAC address blocking, and if you can do that, it would be easy to block that particular address and see what happens – did it block a legitimate device?
Any of my equipment that has a display screen has already been identified. There’s no type of display on my WiFi router, but the MAC address on the label isn’t close to the unidentified one. I also haven’t purchased or turned on anything new that is WiFi enabled.
Interesting, this is the only website so far to return anything at all. This is what it says: " Info
No assignment is found for this MAC: 96:78:9b.
MAC Address more info
Locally administered addresses (LAA): the address is assigned to a device by a network administrator, overriding the burned-in address.
Note
It’s also be a randomized MAC. Media Access Control (MAC) address randomization is a privacy technique whereby mobile devices rotate through random hardware addresses in order to prevent observers from singling out their traffic or physical location from other nearby devices.
Type of transmission: Unicast"
So what does that mean?
If you suspect (like I do) that it could be a tv or receiver or Roku or other ‘entertainment’ type device, turn off power to those and see if the mystery mac disappears. In other words, turn off the power switch to the entertainment cabinet(s) first.
Means what it says. iPhones, iPads, Android phones, and sometimes even PCs and Macs will generate a random MAC address for each network they join.[1] They will reuse that same MAC address when reconnecting to the same WiFi network. This is a privacy thing, because it prevents tracking across networks.[2]
If your experience is anything at all like mine, almost definitely what you have is an existing iPhone (or etc.) that has for some reason re-randomized its MAC address for your network. It is showing up as a new device on the network, but the physical thing has been there before.
So the first things you should check for are the active MAC addresses of phones and tablets. Usually the best way to find the device is to wait for your family to all be streaming their own shows, and then ban the suspicious MAC address, and see who starts screaming.
Another option is that Apple devices in particular will share WiFi passwords between devices owned by the same iCloud account. So you might see someone’s iPad that they never brought before, because their iPhone is already authorized to your network.
Interesting. Ignorance fought, again.
Question: would this device then also be assigned a new IP address via DHCP from the router?
It is trivially easy to spoof a MAC address. I haven’t bothered for years, but in my prime nerd period (early 20s) I spoofed everything I could spoof.
I was also that guy with four monitors running three different operating systems with a software KVM so I could use a single keyboard and mouse across them all.
I am not such a show off now, but I do still like Synergy for communication between different OSs.
I had the free version back then, but now it seems to be paid only. Still, I paid for a license, it was worth it.
Sorry, quite off topic above.
This is the best advice. Block the new MAC and see what breaks.
Yes, because all the DHCP server knows is that a new MAC address is asking for an IP address. The server can’t know[1] if it is an existing device with a new MAC address, or a completely new device. Depending on the DHCP server, at some point it will reuse the old IP address, so it is always possible that just by chance the new MAC will get the same IP the old MAC had.
[1] outside of very tricky spy/hacker stuff of fingerprinting individual devices based on packet timing and other things.
If a device connects to a network with a new MAC, it will get a new IP Address. The MAC is supposed to be the UNIQUE identifier of a piece of hardware on the network. So a router will know nothing else about the device, just the MAC and it will serve up a new IP address. Or I should say, the DHCP server will give it a new IP address. Most times the DHCP server is in the router, but that is not always the case. However, for the networking, the MAC address is really the unique identifier. Most routers will also identify the device by a name. And if it does not, many routers will let you tag the device with a name once you know what it is. So after shutting everything down and finding the device, try logging into the router and adding a name to it.
I had no idea that was even possible! I am wondering if that is what is happening - is there any way to find out?
I can definitively say it isn’t my phone, TV, laptop, Ring alarm, or car (and I live alone). No Alexa, etc. in the house. The only thing I can possibly think of is the washer or dryer. I think they are WiFi capable but I don’t recall ever setting it up.
Edit - I am wrong about the washer or dryer, apparently I did set one of them up but it has identified itself.
And stupid question - if I shut the router off, how am I supposed to log into it/see what’s currently on the WiFi?
Probably not, because it really could be anything within wifi range.
Go into the wifi settings for your phone, and double check what MAC address it is using. Same for your laptop. Merely turning them off might not clear the mystery MAC address from the router. It might require waiting for the DHCP lease to expire, or even longer if it just likes to show everything that connected in the past 72 hours or something.
I think the idea is shut off all devices you know are using wifi, and see what happens. I’d do it a bit different, but possibly more annoying. Go into the “about” or whatever page on every device and check their MAC address.
I totally understand your issue. I have all the devices on my network labeled in the router, so I know if anything new shows up. Last mystery device was my wife’s phone that had re-randomized its MAC address for some reason.
In my system I can do a “block” for any device, so if I have something really suspicious I can kick it, and see what happens. Trouble is, if it’s something like your dryer that all of a sudden decided to get back on the network, you might not notice any change in behavior if you block it.
I think what was suggested (and what might work) would be to shut off all your internet-connected devices, then turn the router back on. Leave it for a few minutes, and then log in (ETA: preferably via a hard-wired connection) and see if any device has established a DHCP lease, meaning it has connected to your WiFi. ETA: You should see one DHCP lease, corresponding to the computer you’re using to access your router. If you see more than one lease, and you see that MAC address that you saw before, you’ll have your perpetrator (and probably will need to change your WiFi password).
If not, then turn your internet devices on, one at a time, and keep an eye on your router’s DHCP status to see them connect to your router, one by one. At some point, you should see that MAC address again. Try your mobile devices (phone/tablet/laptop) first, as they are more likely to use MAC randomization.
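Added example, not written by any poster in the thread: the bit test behind the lookup site's "locally administered" and "unicast" verdict for 96:78:9b, combined with the lease comparison described above. It assumes the router can export its DHCP leases in dnsmasq's lease-file format (this varies by router); the inventory, the lease lines and the last three octets of the 96:78:9b address are constructed.

```python
import re

# Hypothetical inventory of devices you have already identified (MAC -> label).
KNOWN_DEVICES = {
    "3c:22:fb:10:20:30": "laptop, wired, used to log in to the router",
    "f2:9a:11:45:67:89": "phone, private Wi-Fi address for this network",
}

# Constructed sample, dnsmasq lease format: expiry MAC IP hostname client-id.
# Only the 96:78:9b prefix comes from the thread; the rest is made up.
SAMPLE_LEASES = """\
1718000000 3c:22:fb:10:20:30 192.168.1.10 laptop 01:3c:22:fb:10:20:30
1718000300 F2:9A:11:45:67:89 192.168.1.23 phone *
1718000900 96:78:9b:aa:bb:cc 192.168.1.41 * *
1718001200 00:11:22:33:44:55 192.168.1.57 * *
"""

def normalize(mac):
    """Return lower-case colon-separated MAC; raise ValueError if malformed."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def classify(mac):
    """Read the two flag bits in the first octet of the address."""
    first = int(normalize(mac)[:2], 16)
    admin = "local" if first & 0x02 else "universal"   # U/L bit
    cast = "multicast" if first & 0x01 else "unicast"  # I/G bit
    return admin, cast

def unknown_leases(lease_text, known):
    """List (mac, ip, admin, cast) for leases whose MAC is not in the inventory."""
    known_macs = {normalize(m) for m in known}
    findings = []
    for line in lease_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip blank or truncated lines
        mac = normalize(fields[1])
        if mac in known_macs:
            continue
        admin, cast = classify(mac)
        findings.append((mac, fields[2], admin, cast))
    return findings

if __name__ == "__main__":
    for mac, ip, admin, cast in unknown_leases(SAMPLE_LEASES, KNOWN_DEVICES):
        print(f"{mac} {ip}: {admin}ly administered, {cast}")
```

A "local" result means a vendor lookup cannot name the manufacturer, so the address has to be matched against each device's own Wi-Fi settings screen; a "universal" result is worth an OUI lookup.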
My IP knowledge may be a little dated but:
When a device first fires up and connects, it asks for an IP address.
(Broadcast, since it does not have one - then is offered one, accepts it and begins using it.)
An IP comes with a lease time - it reserves that IP for the length of the lease. It is tied to the MAC address.
(That way, if device is momentarily turned off, or the wifi reboots, everyone still has the same address)
Every time the device reboots, reconnects, etc. it renews its lease. Leases may vary from very short - 1 hour, or a few minutes - to a year. When the lease expires, it goes back into the pool.
Is the device still active? Can you ping it? Or was it momentarily connected and now gone? (Visitor? Guy next door?)
Everything has wifi today - my Blu-Ray player, Audio Amp, multiple TV’s, my Nest thermostat, Peloton bike, even my Tesla; some digital cameras do. (Basically, I have too much junk.)
Microsoft originally would configure Windows Server DHCP server with 1-week leases. I have seen them set to 1 hour or less for public wifi where nobody really needs to keep the same IP, to 1 year for static home networks. If your printer is turned off for a year, then you probably need to set it back up again anyway. You also want a long lease if there might be a problem with enough leases. That way, someone doesn’t lose their PC lease over the long weekend, and their computer won’t connect because too many people have come to work with an iPhone and iPad before they did.
I saw one installation with default 1-week DHCP and the public wifi would assign a lease even if the device did not log in, just from proximity. Everyone walking through the building, their cellphone got a lease. They ran out of leases in short order. (Typically public Wifi will not give a longer-term lease to devices unless they connect - password or whatever)
Digital Equipment (VAX) DecNet would change the MAC address back in the days before TCP/IP as a means of identifying workstations.