New information has emerged revealing that a privacy feature Apple introduced three years ago has failed to function as promised, reports ArsTechnica.
Initially launched with iOS 14, the feature was designed to conceal the unique Media Access Control (MAC) addresses of iPhones and iPads when they connected to a network. Despite Apple’s assurances, the feature did not hide the real MAC address, which continued to be displayed and broadcast to all other devices on the network.
“From the get-go, this feature was useless because of this bug,” said Tommy Mysk, one of the security researchers credited with discovering the flaw.
The MAC address serves as a unique identifier that can be used to track individuals as they move from one network to another, much like a vehicle’s license plate number can be used to track its movements.
The flaw in Apple’s privacy feature dates back to its introduction in iOS 14, released in September 2020. It was only recently patched in iOS 17.1, which was released on Wednesday.
When an iPhone or iPad joins a network, it triggers a multicast message that is sent to all other devices on that network. While the “source” listed in the request was supposed to be the private Wi-Fi address, the actual permanent MAC address was still broadcast in a different field of the request. This technical oversight effectively rendered the privacy feature useless for its intended purpose.
While the impact of this flaw is likely to be minimal for the average user, it could pose significant risks for those with strict privacy concerns. This is especially troubling given Apple’s explicit promise that the feature would “help reduce tracking of your iPhone across different Wi-Fi networks.”
Apple has yet to provide an explanation for how such a basic failure remained unnoticed for such an extended period. The company’s advisory simply stated that the issue was resolved by “removing the vulnerable code.”
Despite the feature’s ability to block some types of unauthorized data collection, it did not fully hide the unique MAC address as promised. This made it easy for anyone on the same network to identify the device. Apple has fixed this issue in its latest iOS 17.1 update, where it is identified as CVE-2023-42846.
