Remember the release of iOS 14, all the way back in 2020? Apple introduced a new feature called “private Wi-Fi address” that promised to replace the fixed MAC address. (Think of the MAC address as physical address, but rather than being used to find your home, it’s used to find your device on networks and the internet.) Beginning with iOS 14, this private Wi-Fi address was, by default, a randomly generated one for every Wi-Fi network to which a device was connected.
The feature promised iPhone users protection from tracking, which in turn offered greater anonymity.
The feature was broken and useless right from the start.
Last week Apple pushed out iOS 17.1 for the iPhone, a long-awaited update that patches a raft of bugs and headaches. One of the bugs patched related to how “a device may be passively tracked by its Wi-Fi MAC address.”
The bug was discovered and reported to Apple by security researchers Tommy Mysk and Talal Haj Bakry, and Mysk released a video showing how to extract the real MAC address of a device using a tool called Wireshark, and how this security feature was broken right from the start.
Speaking to Ars Technica, Mysk said that “[f]rom the get-go, this feature was useless because of this bug. We couldn’t stop the devices from sending these discovery requests, even with a VPN. Even in the Lockdown Mode.”
And it’s not just the iPhone that was affected. This bug also impacted the iPad, Apple Watch, and AppleTV.
For those devices that are stuck on iOS 16, Apple has released iOS and iPadOS 16.7.2 to address this and the other issues.
ZDNET has confirmed that this issue was present in iOS 17 and earlier, and that iOS 17.1 fixes this vulnerability.
Need to update your iPhone? Tap Settings and then General and Software Update. Then, follow the prompts to get your device up to date.
OK, reality check time. Is this a big deal?
Yes and no. For the majority of iPhone users, this has little to no effect. However, for those who want maximum anonymity, this is a big failure and has potentially made vulnerable to tracking those who believed themselves to be safe.
It’s also a problem because it erodes confidence in Apple’s coding. If a bug like this can go undetected for three years, how many other data-leaking bugs are present in the company’s code?
As for Android, this platform has a similar feature since Android 8 was released in 2017. Based on testing carrried out by both Mysk and ZDNET, this platform does not seem to be affected.