Three years ago, Apple added a privacy-enhancing feature that hid the Wi-Fi address of iPhones and iPads when they connected to a network.
On Wednesday, the whole world learned that the feature never worked as advertised.
Despite the company's promise that the device's real, never-changing hardware address would stay hidden and be replaced with a private one unique to each SSID, Apple devices kept broadcasting the real address to every other device on the network.
In 2020, Apple released iOS 14 with a feature that, by default, hid the device's real Wi-Fi address (its MAC address) when it connected to a network. In its place the device presented what Apple called a “private Wi-Fi address” that was different for each SSID. Over time, Apple has improved the feature, for example by allowing users to assign a new private Wi-Fi address for a given SSID.
On Wednesday, Apple released iOS 17.1. Among the various fixes was one for vulnerability CVE-2023-42846, which undermined this particular privacy feature. Tommy Mysk, one of two security researchers who discovered and reported the vulnerability (Talal Haj Bakry was the other), told Ars that he tested all recent versions of iOS and found that the flaw dates back to version 14, which was released in September 2020.
When an iPhone or any other device connects to a network, it triggers a multicast message that is sent to all other devices on the network.
This message must include a MAC address. Starting with iOS 14, this address was by default different for each SSID.
To a casual observer, the feature seemed to work as advertised.
The "source" address shown in the request was indeed the private Wi-Fi address. Looking a little further, however, the real MAC was still being broadcast to all other connected devices. Mysk posted a short video showing the packet sniffer Wireshark monitoring traffic on the local network: when an iPhone running any iOS version before 17.1 joins, it shares its real Wi-Fi MAC address on port 5353/UDP, the multicast DNS (mDNS) port.
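One way to check a capture for this class of leak, as an added example rather than code from the article or from Mysk and Haj Bakry: parse each Ethernet/IPv4/UDP frame, and for every packet addressed to UDP port 5353 compare the frame's source MAC (which should be the per-SSID private address) against any MAC-shaped string inside the mDNS payload. A payload MAC that differs from the frame's source address is the pattern described above. The frames, the `_example._tcp.local` service name, the `deviceid=` field and both MAC values are constructed for the demonstration; the article does not say which field of the real message carried the hardware address, so this heuristic scans the whole payload.

```python
"""
Flag a hardware MAC address leaking inside mDNS (UDP/5353) traffic.

Added example, not the article's or the researchers' code. Sample frames
are constructed below; the specific mDNS field that leaked in iOS is not
reproduced, so the detector scans the entire payload for MAC-shaped text.
"""
import re
import struct

MDNS_PORT = 5353
# Matches aa:bb:cc:dd:ee:ff (case-insensitive) inside raw payload bytes.
MAC_RE = re.compile(rb"(?i)\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b")


def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes):
    """Return (src_mac, udp_dst_port, payload) for an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 14:
        return None
    _dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0800:          # IPv4 only for this demo
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4         # IPv4 header length in bytes
    proto = ip[9]
    if proto != 17 or len(ip) < ihl + 8:   # 17 = UDP
        return None
    udp = ip[ihl:]
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", udp[:8])
    payload = udp[8:ulen] if ulen >= 8 else b""
    return fmt_mac(src), dport, payload


def find_mac_leaks(frames):
    """Return [(frame_src_mac, leaked_mac)] for mDNS packets whose payload names a different MAC."""
    findings = []
    for frame in frames:
        parsed = parse_frame(frame)
        if parsed is None:
            continue
        src_mac, dport, payload = parsed
        if dport != MDNS_PORT:
            continue
        for m in MAC_RE.findall(payload):
            mac = m.decode().lower()
            if mac != src_mac:       # private address on the wire, another MAC in the payload
                findings.append((src_mac, mac))
    return findings


def build_frame(src_mac: bytes, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/UDP frame to 224.0.0.251 (checksums zeroed; offline parsing only)."""
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", MDNS_PORT, dport, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 255, 17, 0,
                     bytes([192, 168, 1, 20]), bytes([224, 0, 0, 251])) + udp
    eth = bytes([0x01, 0x00, 0x5E, 0x00, 0x00, 0xFB]) + src_mac + b"\x08\x00"
    return eth + ip


# Constructed sample traffic (not a real capture); both addresses are hypothetical.
PRIVATE_MAC = bytes.fromhex("da1b2c3d4e5f")   # per-SSID private address used as frame source
REAL_MAC = b"a4:83:e7:12:34:56"               # stand-in for the hardware address

SAMPLE_FRAMES = [
    # Leaky: the mDNS payload names a MAC other than the frame's source address.
    build_frame(PRIVATE_MAC, MDNS_PORT, b"_example._tcp.local deviceid=" + REAL_MAC),
    # Clean: the only MAC in the payload is the private one already on the wire.
    build_frame(PRIVATE_MAC, MDNS_PORT,
                b"_example._tcp.local deviceid=" + fmt_mac(PRIVATE_MAC).encode()),
    # Not mDNS: ignored even though the payload contains a MAC string.
    build_frame(PRIVATE_MAC, 53, b"deviceid=" + REAL_MAC),
]

if __name__ == "__main__":
    for src, leaked in find_mac_leaks(SAMPLE_FRAMES):
        print(f"frame from {src} carries a different MAC in its mDNS payload: {leaked}")
```

To run this against real traffic, feed `find_mac_leaks` the raw frames from a pcap (for example via a pcap reader of your choice) instead of `SAMPLE_FRAMES`; the comparison only works when the capture retains Ethernet headers, since the frame source address is what the private Wi-Fi address feature is supposed to randomize.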