Three years ago, Apple introduced a privacy feature to hide Wi-Fi addresses on iPhones and iPads when connecting to networks. However, recent revelations suggest that the feature hasn’t lived up to its promises. Instead of concealing the unchanging Wi-Fi address, Apple devices continued to display it, potentially exposing users to tracking on various networks.
The issue stems from the use of Wi-Fi media access control addresses (MACs), which can be exploited to track individuals across different networks, much like a license plate tracks a vehicle. This vulnerability was demonstrated in 2013 when a researcher developed a device to log MAC addresses of nearby devices, creating profiles of iPhone users based on their online activities and locations.
While HTTPS encryption has become standard, making it difficult to monitor network traffic, a permanent MAC address remains a privacy concern. Apple attempted to address this by introducing a feature in iOS 14, which concealed Wi-Fi MACs and displayed unique “private Wi-Fi addresses” for each SSID. However, it was discovered that this feature was not functioning as intended.
Apple released iOS 17.1, including a fix for the vulnerability (CVE-2023-42846), which had rendered the privacy feature ineffective. The flaw, dating back to iOS 14 in September 2020, was discovered and reported by security researchers Tommy Mysk and Talal Haj Bakry.
“From the get-go, this feature was useless because of this bug,” he said. “We couldn’t stop the devices from sending these discovery requests, even with a VPN. Even in the Lockdown Mode.”
When an iPhone or any device links to a network, it initiates a multicast message broadcast to all network-connected devices, which includes the MAC address. Starting with iOS 14, Apple implemented a default feature in which the MAC address was unique for each SSID, providing the appearance of enhanced privacy.
At first glance, this feature seemed to function as intended, with the “source” in the request displaying the private Wi-Fi address. However, upon closer examination, it became evident that the genuine permanent MAC address was still transmitted to all other devices connected to the network, albeit in a different request field.
To illustrate this, Mysk released a brief video demonstrating the use of the Wireshark packet sniffer on a Mac to monitor local network traffic. In cases where an iPhone running an iOS version earlier than 17.1 joined the network, it would reveal its actual Wi-Fi MAC address on port 5353/UDP.
The oversight of not concealing the genuine MAC address on port 5353/UDP meant that any network-connected individual could easily access this unique identifier.
For most iPhone and iPad users, the impact of this revelation is likely to be negligible. However, individuals with stringent privacy concerns may find the failure of these devices to conceal real MAC addresses over three years to be a significant issue. This is especially concerning given Apple’s explicit assurance that the feature would “reduce tracking of your iPhone across different Wi-Fi networks.”
Apple has not provided an explanation for how such a fundamental flaw managed to evade detection for an extended period. The company’s advisory, issued on Wednesday, simply stated that the issue was addressed by “removing the vulnerable code.”