This is by design[1]. The first 3 bytes are the same for the same manufacturer. The last 3 bytes can be assigned as they wish. Apple probably assigns the 4th byte as a product identifier, so it would be consistent across iPhones. I wonder what the 4th byte is for other iOS devices, or if it's the same?
That's very unlikely: an address space of just 65K numbers would be left, which is orders of magnitude less than the number of iPhones produced.
Considering that each phone has at least two MACs (Wi-Fi and Bluetooth), even the 16 million that would be given by using the full 3 bytes look scarce.
I think that Apple has several OUIs. In fact, my iPhone's MAC doesn't have a single byte in common with the parent's.
Yes, I know, but given that, of the three bytes reserved for Apple, a specific device type like the 4s, 4, 5, or the like happens to have a subset of the fourth-byte combinations, the space is reduced to a bit more than 16 bits, making the brute-force attack absolutely feasible.
P.S. I've verified that other 4s phones have a different (but numerically very "near") fourth byte. It seems to be in the range 20-24 or thereabouts.
Example:
F0:AB:C7:11:xx:yy
So you can easily crack this by brute force without sniffing the device address at all.
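As an added illustration of the counting argument made in the thread above (this code is not part of any post in it, and it is written from the defender's side: how few bits of unpredictability a MAC address really carries, and therefore why MAC addresses must not be used as credentials), the following Python script parses a handful of addresses seen on devices of one model, finds which byte positions never change, and counts the candidate addresses that remain under each set of assumptions. The three sample addresses are constructed; they reuse the thread's `F0:AB:C7` prefix placeholder and its stated 20-24 fourth-byte range, and the function and variable names are mine.

```python
"""Estimate how much of a MAC address is genuinely unpredictable.

Added example; not from the thread above. Given a handful of addresses seen
on devices of one model, it finds which byte positions never change and how
narrow the spread of the others is, then counts the candidate addresses that
remain under a given set of assumptions. The point for a defender: a MAC
address carries far fewer bits of secrecy than its 48-bit length suggests,
so it must never be treated as an authentication credential.
"""
import math
import re

# Constructed sample: three addresses of the same device class, using the
# thread's F0:AB:C7 prefix placeholder and its stated 0x20-0x24 fourth byte.
OBSERVED = [
    "F0:AB:C7:20:3A:91",
    "F0:AB:C7:22:7C:05",
    "F0:AB:C7:24:11:EE",
]


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff; return 6 bytes."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)


def is_locally_administered(mac: bytes) -> bool:
    """The U/L bit (0x02 of the first octet) is set on randomized or
    self-assigned addresses, which then carry no vendor OUI at all."""
    return bool(mac[0] & 0x02)


def byte_spread(observed):
    """Per byte position, the (min, max) seen across the observed addresses."""
    macs = [parse_mac(m) for m in observed]
    return [(min(m[i] for m in macs), max(m[i] for m in macs)) for i in range(6)]


def candidate_count(spread, confined_positions):
    """Number of addresses consistent with the model: positions listed in
    confined_positions are assumed to stay within their observed [min, max];
    every other position may take any of its 256 values."""
    count = 1
    for pos, (lo, hi) in enumerate(spread):
        count *= (hi - lo + 1) if pos in confined_positions else 256
    return count


def secrecy_bits(count: int) -> float:
    """Equivalent key length in bits, for comparison with real credentials."""
    return math.log2(count)


if __name__ == "__main__":
    spread = byte_spread(OBSERVED)
    fixed = [pos for pos, (lo, hi) in enumerate(spread) if lo == hi]
    print("byte positions that never varied:", fixed)
    for label, confined in [
        ("no assumptions (full 48 bits)", set()),
        ("vendor OUI known", {0, 1, 2}),
        ("OUI + fourth byte confined", {0, 1, 2, 3}),
    ]:
        n = candidate_count(spread, confined)
        print(f"{label:32s} {n:>16d} candidates = {secrecy_bits(n):.1f} bits")
```

With the constructed sample, the first three positions are reported as fixed, the vendor-OUI model leaves 2^24 candidates, and confining the fourth byte to its observed range leaves 5 x 2^16, i.e. roughly 18 bits, which is the order of magnitude the thread arrives at. The `is_locally_administered` check is the caveat a practitioner should keep in mind when reading such numbers: a device that randomizes its Wi-Fi address sets the U/L bit and does not expose the vendor OUI at all, so the OUI-based model only applies to factory-assigned addresses. Either way, the takeaway is the same: MAC filtering provides no meaningful access control, and network policy should rely on proper authentication (802.1X, WPA2/3 credentials) instead.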