"Anonymous" device name and log entries. Being hacked?

[neil0311]

I noticed in the Asus app that there's an offline device named "Anonymous" in the devices list. There's no IP info and the MAC address doesn't match any known devices. The following shows up in the router log and shows the device is authenticating successfully but then dropping after 24 seconds.

Is this an actual attack or something else?

May 29 19:28:04 wlceventd: wlceventd_proc_event(527): eth7: Auth CA:46:E0:0E:38:B1, status: Successful (0), rssi:0
May 29 19:28:04 hostapd: eth7: STA ca:46:e0:0e:38:b1 IEEE 802.11: associated
May 29 19:28:04 wlceventd: wlceventd_proc_event(556): eth7: Assoc CA:46:E0:0E:38:B1, status: Successful (0), rssi:-85
May 29 19:28:04 hostapd: eth7: STA ca:46:e0:0e:38:b1 RADIUS: starting accounting session 0306B3C4B2B2B645
May 29 19:28:04 hostapd: eth7: STA ca:46:e0:0e:38:b1 WPA: pairwise key handshake completed (RSN)
May 29 19:28:09 dnsmasq-dhcp[1462]: DHCPDISCOVER(br0) ca:46:e0:0e:38:b1
May 29 19:28:09 dnsmasq-dhcp[1462]: DHCPOFFER(br0) 192.168.50.15 ca:46:e0:0e:38:b1
May 29 19:28:09 dnsmasq-dhcp[1462]: DHCPDISCOVER(br0) ca:46:e0:0e:38:b1
May 29 19:28:09 dnsmasq-dhcp[1462]: DHCPOFFER(br0) 192.168.50.15 ca:46:e0:0e:38:b1
May 29 19:28:09 dnsmasq-dhcp[1462]: DHCPDISCOVER(br0) ca:46:e0:0e:38:b1
May 29 19:28:09 dnsmasq-dhcp[1462]: DHCPOFFER(br0) 192.168.50.15 ca:46:e0:0e:38:b1
May 29 19:28:10 dnsmasq-dhcp[1462]: DHCPREQUEST(br0) 192.168.50.15 ca:46:e0:0e:38:b1
May 29 19:28:10 dnsmasq-dhcp[1462]: DHCPACK(br0) 192.168.50.15 ca:46:e0:0e:38:b1
May 29 19:28:28 wlceventd: wlceventd_proc_event(508): eth7: Disassoc CA:46:E0:0E:38:B1, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
May 29 19:28:28 hostapd: eth7: STA ca:46:e0:0e:38:b1 IEEE 802.11: disassociated
May 29 19:28:28 wlceventd: wlceventd_proc_event(508): eth7: Disassoc CA:46:E0:0E:38:B1, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
May 29 19:28:28 hostapd: eth7: STA ca:46:e0:0e:38:b1 IEEE 802.11: disassociated

 

[neil0311]

I'm also seeing these entries repeatedly, and what's weird is the time is 4 hours ahead of the rest of the log entries. It's as if these entries are using UTC time rather than local time.

May 29 22:22:19 kernel: wl0: random key value: 69AE3AFA8B04D2C76B6202D45572F8CB6A75C182D7AC0C5CB54D1B68A35989CE

 

[Paliv]

This is a randomized private MAC address. Do you have any apple devices with Private WiFi Adress turned on?

 

[neil0311]

This is a randomized private MAC address. Do you have any apple devices with Private WiFi Adress turned on?

Yes. And I thought (maybe incorrectly) that the device will use the same private MAC for a network, until the device is removed from the network. I have my iPhone, my wife's iphone, and her watch identified and the device named in the router. This new "anonymous" device just showed up and on a the 5GHz network, when the phones and watch are all connected to the 2.4GHz network.

Would a private address associate and drop like that in less than 30 sec?

 

[Paliv]

That’s a good question, all I noted was the private MAC address as the first time I saw that on my network it drove me nuts. We have Apple and Amazon devices that use it. Interestingly the device had a weak signal to begin with. Did anyone you shared your WiFi with stop by? This happens when my dad will drop things off at our front door sometimes. Otherwise I can see how this could be an unsettling discovery.

 

[Dd852]

In our case it was our Apple Watches- check the “private” MAC address showing on the watch (settings>general>about) against the anonymous entries

 

[BobD]

This sort of thing happens periodically on my network. We have several Apple and Android devices and after updates I often find a "new" address shows up on the network. I then have to check all of these devices to find the current rogue. It seems that some updates change the MACaddr back to randomised settings.