Laptop Reads WiFi Password from Phone?

My wife’s MacBookPro can swipe the password for my WiFi Network and log itself on automatically? I’ve never typed the WiFi password into the Laptop, but it seems that it can connect by itself. I changed the password, turned off the phones and the MacBook’s wifi message is,

“The wifi network xxxx requires a WPA2/WPA3 password. You can access this wifi network by bringing your laptop near any iphone, ipad or other Mac which has already connected to this network and has you in their contacts”.

Actually, my wife’s phone is a Samsung Galaxy 10, but that’s beside the point. The laptop, after it has logged in, has correctly been given a unique address that is within my wifi network VLAN 3 ip range. The 2 phones are also in the same VLAN (3) also with unique ip addresses. Neither phone can “see” the other phone, but apparently the laptop and the Galaxy 10 can exchange information even before the laptop has logged into the wifi network. Information exchange does not take place using my older Samsung Galaxy 6.

I wonder if someone has an explanation for this type of password swiping? Did I make a mistake in my router setup? It seems that anyone walking by with my wife’s name in their contact list can log on to my wifi network…? Will the MacBookPro constantly be trying to swipe passwords from other phones and laptops?

Some specifics:
SOHO Mk3 firmware v.8.0.2
Band: 5G “force”
VLAN 3 set up for wifi clients
inter VLAN routing “unchecked”
Security WPA2/WPA3
Galaxy 10 phone has WPA3

Thank You!
Sparky5

1 Like

If you have keychain sync enabled on the Apple account it synchronizes WiFi network passwords too. It can also exchange this information over Bluetooth between devices.

I had the same experience with my new MacBook as well. Transferring my Apple account to an Apple TV (just with proximity and code verification) seemed a bit suss to me as well.

2 Likes

Hi @Sparky5
What you are referring to is an Apple function which occurs between Apple devices and happens regardless of the wifi/network vendor.

It uses AirDrop/Bluetooth so doesn’t need to be connected to the wifi SSID to swipe the wifi SSID passwords.

Peplink has no way of allowing or blocking this functionality.

3 Likes

Thank you! I wondered how this trick was done. This apple feature seems to invite trouble, but at least the traffic can be contained inside one VLAN.

-S5

My nephew was over with his cheap Android phone and connected to my guest network with a QR code I generated.

He showed me his QR code app which had my wifi password stored in plain text. :rage:

Nothing really secure about a QR code, it just never occurred to me an app could store it in plain text.

Granted it’s a unique password and only valid to access my guest. But still.
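An added illustration of the point in the post above (editor's example, not code from any poster in this thread): Wi-Fi QR codes commonly carry a plain `WIFI:` text payload, which is the convention assumed here, so any scanner app receives the passphrase as an ordinary string it is free to store. The sample payloads and function names below are constructed for this sketch.

```python
# Added example: what a scanner app sees after decoding a Wi-Fi QR code.
# Assumes the widely used "WIFI:T:<auth>;S:<ssid>;P:<passphrase>;;" payload
# convention, where \ escapes the special characters ; : , and \.

def parse_wifi_qr(payload: str) -> dict:
    """Split a decoded 'WIFI:' payload into its key/value fields."""
    if not payload.startswith("WIFI:"):
        raise ValueError("not a Wi-Fi QR payload")
    fields, key, buf, escaped = {}, None, [], False
    for ch in payload[len("WIFI:"):]:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ":" and key is None:  # first unescaped ':' ends the field name
            key, buf = "".join(buf), []
        elif ch == ";":                  # unescaped ';' ends the field
            if key is not None:
                fields[key] = "".join(buf)
            key, buf = None, []
        else:
            buf.append(ch)
    return fields


def exposure_summary(payload: str) -> dict:
    """Report which network the code is for and whether it reveals a passphrase."""
    f = parse_wifi_qr(payload)
    psk = f.get("P", "")
    return {
        "ssid": f.get("S", ""),
        "auth": f.get("T", "nopass"),
        "psk_in_clear": bool(psk),       # no encryption or hashing is involved
        "psk": psk,
    }


# Constructed sample payloads (not real credentials).
GUEST_QR = r"WIFI:T:WPA;S:Guest\;Net;P:constructed\:pw\\1;H:false;;"
OPEN_QR = "WIFI:T:nopass;S:Cafe;;"

if __name__ == "__main__":
    print(exposure_summary(GUEST_QR))
    print(exposure_summary(OPEN_QR))
```

Anyone who can photograph or scan the code holds the PSK, so a QR-shared passphrase is best kept unique to an isolated guest network and rotated, as the poster already does.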

Thanks to all for the MAC/Smart Phone password swiping. I’d like to include one more potentially insecure “feature” of the MacBook Pro. I looked into the SOHO client list and see that this laptop is actively logged into the router’s (VLAN isolated) WiFi. Apple has made sure that all WiFi network devices stay active whether they are “sleeping” or not. In this case, I would like the WiFi to logout when the laptop lid is closed. The Power Saving screen has an option to turn on/off the “Wake on Network Access”. This thing is getting annoying, now. I’m not amused by these insecure features. Anyone dealing with this one?
-Sparky5

You probably want to disable the “Power Nap” feature described here:

For what it’s worth I believe that very few apps or functions are allowed under Power Nap (some packet capture of the actual traffic would be needed to confirm that though) and it is essentially doing no more than your phone, tablet etc. probably does when its display is off in terms of background activity. Or do you also turn off WiFi on your phone and disable cellular data when you are not actively using it?

As for the password sharing feature, yes it is somewhat annoying and potentially concerning but the only workaround is moving your network to 802.1X security and using per-device certificates.

Frankly though it is not any different or less secure than you giving someone the PSK to your network, that popup does not click itself, you have to explicitly allow them to be sent the password using that feature.

And even if you manually typed the PSK into my iPhone for example thinking “you don’t know it” as I have keychain enabled to sync across all my devices linked to my iCloud account I could simply go home, open my keychain on my laptop and retrieve the password from there.