I'm not new to home networking and I've been running DD-WRT routers for years. I'm a software developer, so "technologically" curious by nature but admittedly have never really researched in-depth low level technical details of networking.

I'm probably being paranoid and plan on doing further research and learning on my own, but I've been seeing strange things on my home network lately. The one I wanted to ask about here was regarding private MAC Addresses. By that I mean when I look up the MAC Address through the DD-WRT OUI Lookup, it's designated as private.

Google knows all, but I can't really find anything in plain English about typical use or scenarios where they would be used. I have a private MAC address showing up on my LAN with a DHCP assigned IP address that I haven't been able to identify.

I've used NMap pointed at the IP associated with the "private" MAC address but it can't identify anything about it either. It cannot identify the vendor/manufacturer, the O/S, or anything else. I'm looking for any information that may be useful in helping me understand where and what this device may be.

Other info: I've recently updated the WPA2 password from pretty secure to 13+ character length after seeing a "ghost" (aka evil twin) access point/SSID that I also can't identify. Additionally, for now (even though I know it's not a secure solution) I've filtered the offending "private" MAC address from accessing my home networks.


Solution 1:

Private registrations are either MA-L, MA-M, or MA-S assignments from the IEEE to an entity that has paid an additional initial fee and/or an annual recurring fee to the IEEE to prevent their name and address from showing up in the public listing. More details of MA-L listings as an example can be found at the IEEE site.

There is no way to determine the manufacturer of this device from the OUI unless you have access to the private list. You will need to locate and/or identify this device by other means.

Just to be clear, this is in no way related to locally administered MAC addresses, which are indicated by the second bit transmitted, specifically the second least significant bit for Ethernet.

Solution 2:

Private MAC addresses are often found in embedded systems that do not have an official address. Many cheap "credit card computers" such as the Raspberry Pi must generate their own address to operate without an official, manufacturer-assigned address.

For your interest: Private MAC addresses can be identified by having the second-least-significant bit of the most significant byte set. (And as unicast addresses, they must not have the least significant bit set.) That means any address matching any pattern below is private.

x2:xx:xx:xx:xx:xx
x6:xx:xx:xx:xx:xx
xA:xx:xx:xx:xx:xx
xE:xx:xx:xx:xx:xx

To find what and where your ghost device actually is, I suggest looking for small computers and embedded electronics. A less likely possibility is an intruder in your network with a spoofed MAC address.

And lastly, what actually is your question? ;)
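
The bit test mentioned in Solutions 1 and 2, applied to a router's client list, as an added example that is not part of the original answers. The lease table, hostnames and function names are constructed for illustration.

```python
import re

def parse_mac(text):
    """Return the six octets of a 48-bit MAC, accepting : - . or no separators."""
    digits = re.sub(r"[:.\-]", "", text.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Decode the two flag bits carried in the first octet."""
    octets = parse_mac(text)
    group = bool(octets[0] & 0x01)  # I/G bit: set = multicast or broadcast
    local = bool(octets[0] & 0x02)  # U/L bit: set = locally administered
    # The first three octets (the part an OUI lookup uses) are an
    # IEEE-assigned prefix only when the U/L bit is clear.
    prefix = None if local else octets[:3].hex("-").upper()
    return {"group": group, "local": local, "prefix": prefix}

def local_unicast_clients(leases):
    """Return (hostname, mac) pairs whose MAC is locally administered unicast."""
    hits = []
    for hostname, mac in leases:
        info = classify_mac(mac)
        if info["local"] and not info["group"]:
            hits.append((hostname, mac))
    return hits

# Constructed sample lease table (hostnames and addresses are made up).
SAMPLE_LEASES = [
    ("desktop", "00:00:5E:00:53:2A"),    # U/L clear: prefix can be looked up
    ("unknown-1", "DA:A1:19:3C:55:0E"),  # matches xA:..., local unicast
    ("unknown-2", "06-1b-2c-3d-4e-5f"),  # matches x6:..., local unicast
    ("mcast", "01:00:5E:90:10:01"),      # group bit set, not a client address
]

if __name__ == "__main__":
    for hostname, mac in SAMPLE_LEASES:
        print(hostname, mac, classify_mac(mac))
    print("locally administered:", local_unicast_clients(SAMPLE_LEASES))
```

An address flagged here as locally administered has no registered prefix to look up, so the device has to be identified by other means, as Solution 1 notes for private registrations.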

Solution 3:

I had the same issue, a "private" MAC suddenly showed up in my router table. I discovered that this appeared whenever my Kindle device was turned on and signed onto my network talking to Amazon. It's apparently something Amazon is doing related to the Kindle. Since this appears to be normal behavior when using the Kindle, I am no longer concerned by its appearance. My secret spy concern is gone.