What makes Apple devices so smart?
What is ARP:
To send data to someone, you need both their IP and MAC addresses. But what if you only have the IP address and not the MAC? That’s where ARP (Address Resolution Protocol) comes in.
The iPhone client broadcasts an ARP request: “Hey, who’s using 192.168.1.3?” This request goes to all devices on the network. The Android device with that IP responds: “Hey buddy, that’s my IP, and here’s my MAC:33:33:33:33:33:33”.
The client then stores this IP-MAC mapping in its ARP table for future communication.
Let’s walk through the methods I used while testing ARP spoofing attacks on multiple devices:
ARP Reply:
I sent continuous ARP reply packets with a spoofed MAC address (my MAC), pretending to be the attacker. Essentially, I told the access point (192.168.1.1): “Hey, 192.168.1.3 (Android) and 192.168.1.4 (iPhone) are now at 22:22:22:22:22:22 (my MAC).” At the same time, I informed the Android and iPhone: “The AP is now at 22:22:22:22:22:22 (my MAC).”
These ARP replies were sent without any prior ARP request frames. As a result, both the Android device and the AP immediately updated their ARP tables and began routing traffic to the attacker’s machine.
But Apple devices didn’t fall for it. They detected that the ARP replies were unsolicited and refused to update their ARP tables. It was like the Apple devices were saying, “I didn’t ask for this ARP reply, so I know you’re trying to trick me!”
领英推荐
Broadcast Gratuitous ARP Reply:
Gratuitous ARP is a special type of ARP message. Essentially, it’s when a device sends out its own ARP mapping to the entire network without being asked. For example, if a device updates its MAC or IP address, it can broadcast a gratuitous ARP to notify the network about the change. As a result, all the devices on the network will update their ARP tables with the new information.
So, I decided to use this method for ARP spoofing. I began sending broadcast gratuitous ARP reply packets across the network, announcing: “Hello, everyone! 192.168.1.1, 192.168.1.3, and 192.168.1.4 are now at 22:22:22:22:22:22.” As expected, the AP and Android devices updated their ARP tables with my MAC address.
But to my surprise, the iPhone disconnected from the network and reconnected with new IP address. This completely caught me off guard—how did they manage to detect the spoofing attempt and react so smartly?
Why iPhone Device Disconnected:
Since these packets were broadcast across the entire network, all devices received them. When the iPhone received gratuitous ARP replies for the AP and Android devices with a new MAC, it updated its ARP table without issue. However, when it received a gratuitous ARP reply for its own IP address with a different MAC, it assumed someone else was trying to use the same IP, potentially causing an IP conflict. As a result, the iPhone decided: "Let's disconnect and reconnect with a new IP address to avoid any trouble.
Unicast Gratuitous ARP Reply:
Once I understood the issue, I decided to follow networking best practices. Instead of broadcasting the spoofed packets, I sent unicast gratuitous ARP packets. I sent:
This time, the iPhone updated its ARP tables and started sending traffic to the attacker’s machine without disconnecting.
Conclusion: Apple devices adhere to network protocols more strictly than others, making them more secure. However, with the right manipulation of these protocols, they can still be compromised. To prevent such attacks, it's best to have a robust firewall in place that can detect and block these threats proactively.