Three years ago, Apple added a privacy-enhancing feature that hid the Wi-Fi address of iPhones and iPads when they connected to a network.
On Wednesday, the whole world learned that the feature never worked as advertised.
Despite the company's promises that this never-changing address would remain hidden and be replaced with a private one unique to each SSID, Apple devices continued to show the real address to every connected device on the network.
In 2020, Apple released iOS 14 with a feature that, by default, hid the Wi-Fi address when devices connected to a network. The device displayed what Apple called a “private Wi-Fi address” that was different for each SSID. Over time, Apple has improved the feature, for example by allowing users to assign a new private Wi-Fi address for a given SSID.
On Wednesday, Apple released iOS 17.1. Among the various fixes was one for a vulnerability, tracked as CVE-2023-42846, which prevented this particular privacy feature from working. Tommy Mysk, one of two security researchers who discovered and reported the vulnerability (Talal Haj Bakry was the other), told Ars that he tested all recent versions of iOS and found that the flaw dates back to version 14, released in September 2020.
When an iPhone or any other device connects to a network, it triggers a multicast message that is sent to all other devices on the network.
This message must include a MAC address. Starting with iOS 14, this address was by default different for each SSID.
To a casual observer, the feature seemed to work as advertised.
The "source" listed in the request was a private Wi-Fi address. A closer look, however, showed that the actual MAC was still being broadcast to all other connected devices. Mysk posted a short video showing the Wireshark packet sniffer monitoring local network traffic. When an iPhone running a version of iOS earlier than 17.1 joins the network, it shares its real Wi-Fi MAC on port 5353/UDP.
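
To check your own device for the behaviour described above, the following added example (not code from the article, Apple or the researchers) inspects captured Ethernet frames sent to port 5353/UDP and reports whether the frame's source is a private address while the device's real MAC still appears in the payload. The article does not say how the MAC is encoded in that payload, so matching raw bytes and common text forms is an assumption, and the MAC values and sample frames are constructed.

```python
import struct

MDNS_PORT = 5353  # the UDP port named in the article

def is_private_mac(mac: bytes) -> bool:
    """Randomized (private) MACs set the locally administered bit."""
    return bool(mac[0] & 0x02)

def check_frame(frame: bytes, real_mac: bytes):
    """Inspect one Ethernet/IPv4/UDP frame; return None unless it targets 5353/UDP."""
    if len(frame) < 14 + 20 + 8 or frame[12:14] != b"\x08\x00":
        return None                      # too short, or not IPv4
    ihl = (frame[14] & 0x0F) * 4         # IPv4 header length in bytes
    udp = 14 + ihl
    if frame[14 + 9] != 17 or len(frame) < udp + 8:
        return None                      # not UDP, or truncated
    if struct.unpack("!H", frame[udp + 2:udp + 4])[0] != MDNS_PORT:
        return None
    src, payload = frame[6:12], frame[udp + 8:]
    # Assumption: the encoding is unknown, so try raw bytes and text forms.
    text = [real_mac.hex(":"), real_mac.hex("-"), real_mac.hex()]
    leaked = real_mac in payload or any(t.encode() in payload.lower() for t in text)
    return {"source": src.hex(":"),
            "source_is_private": is_private_mac(src),
            "real_mac_in_payload": leaked}

def build_frame(src_mac: bytes, payload: bytes, dport: int = MDNS_PORT) -> bytes:
    """Constructed sample frame to 224.0.0.251 (checksums left at zero)."""
    eth = bytes.fromhex("01005e0000fb") + src_mac + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 255, 17, 0,
                     bytes([192, 168, 1, 23]), bytes([224, 0, 0, 251]))
    return eth + ip + struct.pack("!HHHH", 5353, dport, 8 + len(payload), 0) + payload

# Constructed values: not real device addresses, not a real mDNS record layout.
REAL_MAC = bytes.fromhex("001122334455")
PRIVATE_MAC = bytes.fromhex("a61234567890")

if __name__ == "__main__":
    leaky = build_frame(PRIVATE_MAC, b"\x00" * 12 + REAL_MAC)
    clean = build_frame(PRIVATE_MAC, b"\x00" * 18)
    for name, frame in (("leaky", leaky), ("clean", clean)):
        print(name, check_frame(frame, REAL_MAC))
```

A result with `source_is_private` true and `real_mac_in_payload` true matches what the article describes for iOS versions before 17.1; after updating, the same check on fresh captures should report the payload flag as false.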