With iOS 14, Apple introduced a seemingly useful privacy feature that was meant to let users hide their MAC addresses in WiFi networks. But the feature apparently has not worked reliably until now. Only with the latest updates has Apple fulfilled its promise regarding this feature.
The MAC addresses were hidden – or not hidden – for three years
Since iOS 14 in 2020, Apple has allowed users to swap out their MAC address when connecting to a new WiFi network. Instead of the real address associated with the device, by which the network device can usually be clearly identified, the system then uses a private address generated by software to communicate with other network participants. The purpose of this function was to prevent individual iPhone and iPad users from being tracked across different WiFi networks by assigning a new MAC address to each network.
According to a report from Ars Technica, however, this feature has been leaky until now, which means attackers could still determine the real MAC address. The vulnerability responsible, registered as CVE-2023-42846, was patched by Apple only with the latest updates to iOS and iPadOS versions 17.1 and 16.7.2, as well as watchOS 10.1 and tvOS 17.1. Only users running these system versions are actually protected from tracking via their Apple devices’ MAC address.
“The device can be passively tracked via its WiFi MAC address,” Apple warns about the vulnerability. The company has resolved the issue by “removing weak code.” Apple names iOS developers and security researchers Talal Haj Bakry and Tommy Mysk as the discoverers.
The mDNS request contains both MAC addresses
Speaking to Ars Technica, Mysk confirmed that the privacy feature was useless from the beginning. He tested all versions of iOS since version 14, which was released in September 2020, and in each of them he was able to read the real MAC address of the respective target devices. Even using Lockdown Mode or a VPN does not help hide the address.
The problem, however, apparently does not lie in the fields normally reserved for MAC addresses in the exchanged data packets. Those do in fact show only the private address, which has been configurable since iOS 14. However, when an Apple device connects to a WiFi network, it sends a multicast DNS (mDNS) request on port 5353, which is used to resolve hostnames to IP addresses.
In a video posted on YouTube, Mysk explains that Apple included the real MAC address of the affected devices in a data field of this mDNS packet. Since this data packet is typically received by all participants connected to the network, an attacker could specifically track iPhones across different WiFi networks – which is exactly what Apple wanted to prevent with this feature.
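To confirm on your own network that an updated device no longer exposes its hardware address this way, the check below compares the source MAC of a captured mDNS frame with any MAC-shaped text in its payload. It is an added example, not code from Mysk, Apple or Ars Technica. It assumes Ethernet-framed IPv4 captures and that the address appears as colon-separated hex text; the `hwaddr=` key and all sample addresses are constructed.

```python
import re
import struct

# Assumption: the address appears in the payload as colon-separated hex text.
MAC_TEXT = re.compile(
    rb"(?<![0-9A-Fa-f:])(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}(?![0-9A-Fa-f:])")

def is_locally_administered(mac: bytes) -> bool:
    # Software-generated (private) MACs set bit 0x02 of the first octet.
    return bool(mac[0] & 0x02)

def audit_frame(frame: bytes) -> list[str]:
    """Return MACs in an mDNS payload that differ from the frame's source
    MAC and are not locally administered, i.e. look like hardware addresses."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":   # need Eth+IPv4+UDP
        return []
    src_mac = frame[6:12]
    udp = 14 + (frame[14] & 0x0F) * 4                    # honour IPv4 options
    if frame[23] != 17 or len(frame) < udp + 8:          # protocol 17 = UDP
        return []
    dport = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    if dport != 5353:                                    # mDNS port from the article
        return []
    leaks = []
    for match in MAC_TEXT.finditer(frame[udp + 8:]):
        mac = bytes.fromhex(match.group().decode().replace(":", ""))
        if mac != src_mac and not is_locally_administered(mac):
            leaks.append(":".join(f"{b:02x}" for b in mac))
    return leaks

def sample_frame(src_mac: bytes, txt: bytes) -> bytes:
    """Constructed input: Ethernet/IPv4/UDP to 224.0.0.251:5353, checksums 0."""
    dns = bytes(12) + bytes([len(txt)]) + txt            # stub header + one string
    udp = struct.pack("!HHHH", 5353, 5353, 8 + len(dns), 0) + dns
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 255, 17, 0,
                     bytes([192, 168, 1, 23]), bytes([224, 0, 0, 251]))
    return bytes.fromhex("01005e0000fb") + src_mac + b"\x08\x00" + ip + udp

PRIVATE = bytes.fromhex("a6b1c2d3e4f5")                  # constructed private MAC
LEAKY = sample_frame(PRIVATE, b"hwaddr=00:11:22:33:44:55")  # hypothetical key
CLEAN = sample_frame(PRIVATE, b"hwaddr=a6:b1:c2:d3:e4:f5")

if __name__ == "__main__":
    print("leaky:", audit_frame(LEAKY))
    print("clean:", audit_frame(CLEAN))
```

An empty result for frames captured from a device on iOS 17.1 or 16.7.2 is the expected outcome; a binary-encoded address would not be caught by this text-based scan.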