Particle.news

Apple Fixes Three-Year Bug That Compromised iOS Wi-Fi Privacy Feature

Apple's "Private Wi-Fi Address" feature, meant to hide user MAC addresses and hinder tracking, remained faulty for 3 years due to a bug in AirPlay discovery requests that exposed real MAC addresses; it was repaired with the iOS 17.1, iPadOS 17.1 and watchOS 10.1 updates.

  • Apple's Private Wi-Fi Address, a feature designed to prevent tracking by generating a unique MAC address for each Wi-Fi network, has been dysfunctional since its launch in September 2020 due to a bug in the mDNSResponder process related to Apple's Bonjour networking protocol.
  • Researchers Tommy Mysk and Talal Haj Bakry of Mysk Inc identified that when an iPhone joined a network, real MAC addresses were exposed during AirPlay discovery requests alongside the fake MAC address, even when connected through a VPN.
  • The failure of this privacy feature became apparent when users discovered their original MAC addresses being broadcast to all devices on the network, making the feature, intended to anonymize users' connections to Wi-Fi, entirely useless.
  • This longstanding vulnerability was finally addressed with Apple's iOS 17.1, iPadOS 17.1 and watchOS 10.1 updates on October 27, 2023, but the patch isn't available for those still using iOS 15.
  • Attention to this security flaw has called into question the effectiveness of Apple's privacy features, as the vulnerability was present for three years before being fixed, despite Apple marketing itself as a champion of user privacy.