iOS 17.1 fixes a bug affecting a privacy feature



When iOS 14 was released in 2020, Apple introduced a new feature called “Private Wi-Fi Address”. Its goal? To replace the fixed MAC address in order to protect iPhone users’ privacy by shielding them from tracking and profiling.

The MAC address is like a street address, except instead of being used to find your home, it is used to find your device on networks and the internet.

Starting with iOS 14, this private Wi-Fi address was, by default, randomly generated for each Wi-Fi network a device was connected to.

But from the moment of its release, this feature proved to be ineffective and useless. Until now.

Security flaw

Last week, Apple released iOS 17.1. This highly anticipated update fixes a host of bugs and issues with the iPhone, including a flaw regarding how “a device can be passively tracked by its Wi-Fi MAC address.”

The flaw was discovered and reported to Apple by security researchers Tommy Mysk and Talal Haj Bakry. Tommy Mysk published a video on the subject showing how to extract the real MAC address of a device using a tool called “Wireshark”, in which he also points out that Apple’s security feature has been faulty since its launch.

Speaking to Ars Technica, Tommy Mysk said that “from the start, this feature was useless because of this flaw. It was impossible to prevent devices from sending these discovery requests, even with a VPN. Even in lockdown mode.”

Fixes for all devices

The iPhone is not the only device affected by this security flaw: the iPad, the Apple Watch and the Apple TV are affected as well.

For devices that cannot be updated beyond iOS 16 and iPadOS 16, Apple has released iOS 16.7.2 and iPadOS 16.7.2 to address this and other issues.

ZDNET confirms that this issue was still present in iOS 17 – as in previous versions of iOS – and that iOS 17.1 fixes this vulnerability.

To update your iPhone, go to Settings > General > Software Update, then click Install.
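One way to check your own device after updating, as an added example that is not code from ZDNET, Apple or the researchers: it audits frames you captured from your own iPhone and flags any that use a non-randomized source address or carry the hardware MAC in their payload. It assumes the frames are already exported as (source MAC, payload bytes) pairs and that you know the hardware MAC; the function names, the set of text encodings searched and all sample values are constructed for illustration.

```python
import re

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':' or '-' separators."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6 or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_randomized(mac):
    """True for a locally administered unicast address, the form a private address takes."""
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not (first & 0x01)

def leak_encodings(hw_mac):
    """Patterns to search for: raw bytes plus common text spellings (assumed set)."""
    raw = parse_mac(hw_mac)
    pairs = [f"{b:02x}" for b in raw]
    pats = {raw}
    for text in ("".join(pairs), ":".join(pairs), "-".join(pairs)):
        pats.update({text.lower().encode(), text.upper().encode()})
    return pats

def audit(frames, hw_mac):
    """Return (frame index, reason) for every frame that exposes the hardware MAC."""
    hw, pats, findings = parse_mac(hw_mac), leak_encodings(hw_mac), []
    for i, (src, payload) in enumerate(frames):
        if parse_mac(src) == hw:
            findings.append((i, "hardware MAC used as source address"))
        elif not is_randomized(src):
            findings.append((i, "source address is not a randomized one"))
        if any(p in payload for p in pats):
            findings.append((i, "hardware MAC present in payload"))
    return findings

# Constructed sample data: the hardware MAC and both frames are made up.
HW_MAC = "00:11:22:33:44:55"
FRAMES = [
    ("d2:5f:9c:01:02:03", b"service announcement, no address inside"),
    ("d2:5f:9c:01:02:03", b"discovery\x00" + bytes.fromhex("001122334455") + b"\x00"),
]

if __name__ == "__main__":
    for idx, reason in audit(FRAMES, HW_MAC):
        print(f"frame {idx}: {reason}")
```

An empty result on a capture taken after the update is the outcome to look for; a finding on a frame sent from a private address means the hardware MAC is still leaving the device.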

Trust problem

You may be wondering if this flaw was actually a problem. Well… yes and no. For the majority of iPhone owners, this had little effect. But for those who wanted to guarantee their anonymity, and who thought they were protected, this is a critical failure of Apple’s strategy.

This brings us to the second problem: this situation erodes trust in the brand. If such a vulnerability can go unnoticed for three years, how many other data-disclosing flaws are present in its code?

As for Android devices, they have had a similar feature since the release of Android 8 in 2017. Based on testing by Tommy Mysk and ZDNET, this platform does not appear to be affected.

Source: ZDNet.com