Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Privacy Desktops (Apple) Iphone Apple

iPhones Have Been Exposing Your Unique MAC Despite Apple's Promises Otherwise (arstechnica.com) 69

Dan Goodin reports via Ars Technica: Three years ago, Apple introduced a privacy-enhancing feature that hid the Wi-Fi address of iPhones and iPads when they joined a network. On Wednesday, the world learned that the feature has never worked as advertised. Despite promises that this never-changing address would be hidden and replaced with a private one that was unique to each SSID, Apple devices have continued to display the real one, which in turn got broadcast to every other connected device on the network. [...]

In 2020, Apple released iOS 14 with a feature that, by default, hid Wi-Fi MACs when devices connected to a network. Instead, the device displayed what Apple called a "private Wi-Fi address" that was different for each SSID. Over time, Apple has enhanced the feature, for instance, by allowing users to assign a new private Wi-Fi address for a given SSID. On Wednesday, Apple released iOS 17.1. Among the various fixes was a patch for a vulnerability, tracked as CVE-2023-42846, which prevented the privacy feature from working. Tommy Mysk, one of the two security researchers Apple credited with discovering and reporting the vulnerability (Talal Haj Bakry was the other), told Ars that he tested all recent iOS releases and found the flaw dates back to version 14, released in September 2020. "From the get-go, this feature was useless because of this bug," he said. "We couldn't stop the devices from sending these discovery requests, even with a VPN. Even in the Lockdown Mode."

When an iPhone or any other device joins a network, it triggers a multicast message that is sent to all other devices on the network. By necessity, this message must include a MAC. Beginning with iOS 14, this value was, by default, different for each SSID. To the casual observer, the feature appeared to work as advertised. The "source" listed in the request was the private Wi-Fi address. Digging in a little further, however, it became clear that the real, permanent MAC was still broadcast to all other connected devices, just in a different field of the request. Mysk published a short video showing a Mac using the Wireshark packet sniffer to monitor traffic on the local network the Mac is connected to. When an iPhone running iOS prior to version 17.1 joins, it shares its real Wi-Fi MAC on port 5353/UDP.

This discussion has been archived. No new comments can be posted.

iPhones Have Been Exposing Your Unique MAC Despite Apple's Promises Otherwise

Comments Filter:
  • "A bug" (Score:4, Insightful)

    by RitchCraft ( 6454710 ) on Thursday October 26, 2023 @08:44PM (#63957237)

    "this feature was useless because of this bug" .. a bug, yeah, it was a bug .. wink .. wink

    • Re:"A bug" (Score:4, Informative)

      by NoMoreACs ( 6161580 ) on Friday October 27, 2023 @12:25AM (#63957463)

      "this feature was useless because of this bug" .. a bug, yeah, it was a bug .. wink .. wink

      Actually, TFS is misleading. It isn't just iOS 17 that was Patched.

      Apple actually patched this Vulnerability in all of it's current iOS, iPadOS, macOS tvOS and watchOS versions, as well as several prior Version-levels on October 25, 2023.

      See:

      https://support.apple.com/en-u... [apple.com]

  • if its malevolence or incompetence. They are masters of both.
    • by MacMann ( 7518492 ) on Thursday October 26, 2023 @10:46PM (#63957383)

      if its malevolence or incompetence. They are masters of both.

      How does the saying go? Something like one should not attribute actions to malevolence when incompetence will suffice.

      To show Apple, or any corporation, is acting out of evil intent would require considerable evidence to show this. For one thing any large corporation will have lawyers, accountants, and so on, all watching out for something that could get the company in trouble with the government. That's not saying what is legal is also moral but given that people tend to write laws based on what they views as moral and ethical there's at least a moderate correlation between the two. For a corporation to do something evil would require a lot of people colluding on the evil practice, and keep the evil acts within the law or somehow out of sight of any government entities that are motivated to stop any evil acts. The government is motivated to stop malevolent corporations because they get rewarded for this by voters and taxpayers to do so.

      Then come public relations to put an end to any malevolence. It is not good business to be known as malevolent so a corporation will want to keep good public relations by not doing things that could get them a bad reputation. Since we have a culture with a mistrust of large corporations we reward people that point out malevolent acts from corporations in various ways, and punish those that participate in such malevolence. We discourage incompetence too but in ways different than malevolence. People found to be incompetent would be treated far less harshly than the malevolent, and if the incompetence comes from ignorance or some kind of handicap (and I use a very wide definition for "handicap") then the response may be to educate or some other correction that is hardly a real punishment.

      Apple could have said or done nothing about hiding MAC addresses if they were trying to maliciously track iPhone users. By claiming they had a feature to hide MAC addresses from tracking they put themselves under scrutiny if it didn't work as advertised. Maybe this is incompetence stacked on malevolence by getting caught but that gets back to my earlier points that they'd have to know that if they got caught then they could face bad PR and potentially some kind of punishment from government regulators.

      Apple has a history of respecting privacy, to a point that it makes some of their products of lower quality than the competition. Google Maps will track people to gather information on traffic and such so it can build better maps. Apple Maps doesn't do this, and so it doesn't have the same level of optimizations on finding the most efficient path. That's not saying Google is acting with malice by tracking people, they just have a different idea on what it means to do the best for their customers. To Google the most good comes from tracking how people move so it can offer the best maps to others. Some people are willing to trade some privacy to get the better maps, others are not.

      By advertising they offer a feature to hide the WiFi MAC address of their iProducts it looks to me that at least Apple is trying to protect the privacy of their customers, which is better than what many of their competitors are offering.

      • Comment removed based on user account deletion
      • by AmiMoJo ( 196126 )

        You have to wonder how it wasn't picked up in testing. They must not have had sufficient automated tests in place to catch it.

        Reminds me of the years and years of alarm clock bugs that caused iPhones to fail to wake users on certain dates. If I were one of the developers I'd have written a test script that tried out every second of every day for the next 100 years at least. I'd have run it on a real iPhone too.

  • by NoMoreACs ( 6161580 ) on Thursday October 26, 2023 @09:21PM (#63957281)

    It took three years for this vulnerability to be discovered; so I doubt an exploit exists in the wild.

    It does seem potentially quite serious, though.

    Did the recently-released iOS 16.7.2 Update also fix this? I assume so; since Apple just updated every iOS version back to iOS 15, as well as macOS, tvOS and watchOS on 25-Oct-2023:

    https://support.apple.com/en-u... [apple.com]

    • It took 2 years for Heartbleed to be discovered in 2014. Most serious security flaws are not "obvious" and require focused effort to discover. That's what makes them so dangerous.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

    • by AmiMoJo ( 196126 )

      I noticed this happening a few years ago when looking at my WiFi AP's logs. I figured it was just supposed to work that way, maybe something about it using the same MAC for the same network or something. I should have looked more closely and reported it!

      I thought it was crap at the time, because my Android devices rotated MAC addresses regularly and thus were incompatible with any kind of MAC address filtering/pinning.

      • I noticed this happening a few years ago when looking at my WiFi AP's logs. I figured it was just supposed to work that way, maybe something about it using the same MAC for the same network or something. I should have looked more closely and reported it!

        I thought it was crap at the time, because my Android devices rotated MAC addresses regularly and thus were incompatible with any kind of MAC address filtering/pinning.

        From what I read, iOS is supposed to generate a one-time random, but persistent, MAC address per network. That way, you actually can use MAC triggering/filtering on a particular network; while still thwarting attempts to track your Device as you roam from network to network while "out and about".

        Apple's scheme is actually more nuanced than Android's, in that it doesn't break desirable local network MAC Triggering/Filtering schemes; but someone at Apple simply forgot to expose the "fake MAC" to the mdns Bonj

        • by AmiMoJo ( 196126 )

          On Android the behaviour depends on the network type since Android 12. For open networks they get a random MAC address every time. For networks that take a key, the random MAC address is persistent, unless an app told the OS to use a non-persistent one.

          To me that's non optimal, but better than what iOS was doing.

  • by itsme1234 ( 199680 ) on Thursday October 26, 2023 @10:29PM (#63957355)

    The MACs were never secret on that layer, just the opposite, for decades. Color me surprised if one developer put it in some place without a care in the world and another one who had the job to remove it never knew it's there.

    • Of course your MAC address is visible, that's required for the network to function. The problem is that the MAC is unique to the device, and by being unique it allows tracking of that device over multiple networks and therefore the movement of the user of that device over multiple locations.

      MAC addresses must be universally unique (as opposed to locally unique like IP addresses used behind NAT) in order to assure there's no improper routing of packets on any network. That's great to keep a large network f

      • The problem is that the MAC is unique to the device, and by being unique it allows tracking of that device over multiple networks and therefore the movement of the user of that device over multiple locations.
        Not really.
        As the MAC is only relevant inside of your network. Outside of the LAN, aka behind the router, no one even sees it. The only way would be a malicious router, recording MAC addresses and sending them "elsewhere".

        I guess one could set up "spoof" routers at airports for example, which show up on

        • by jonadab ( 583620 )
          > As the MAC is only relevant inside of your network.

          Yes, but data-link-layer protocols don't usually have an equivalent for DHCP. So if you want any device to be able to connect to any network (without the network administrator having to tell the user what IP address to use in their settings), the address has to be unique enough that the odds of an address collision (each time a new device is added to the network) are low enough to not be a problem in practice. The original intended solution to this w
        • by tlhIngan ( 30335 )

          As the MAC is only relevant inside of your network. Outside of the LAN, aka behind the router, no one even sees it. The only way would be a malicious router, recording MAC addresses and sending them "elsewhere".

          I guess one could set up "spoof" routers at airports for example, which show up on "search wifi" and while your phone is searching for them, it sends its MAC address ... but I do not think that is how it works.

          Except that's what IS happening.

          There are companies that buy up this MAC data because it's

          • That basically only happens if you are either in the network or are at least having Wifi and Bluetooth on.

            I for my part do not do that, unless I need it.The original post was that the MAC address is somehow posted via IP protocols, which is hardly possible or plausible.

      • by cshamis ( 854596 )
        In another PII news, people leave fingerprints on everything they touch. Privacy implications abound! Elevators, doorhandles, stair railings are all collecting biometric information and available to ANYONE.
  • FYI, Android core generates random MAC addresses making this kind of tracking impossible.
    • FYI, Android core generates random MAC addresses making this kind of tracking impossible.

      But does it use them on UDP Port 5353?

      Please provide a Citation.

      • MAC addresses have nothing to do with ports.
        Media Access Controll.
        What ever is behind what ever port: never sees your MAC.

        • Re: (Score:2, Interesting)

          by NoMoreACs ( 6161580 )

          MAC addresses have nothing to do with ports.
          Media Access Controll.
          What ever is behind what ever port: never sees your MAC.

          You are an idiot.

          Part of the Bonjour Protocol Discovery Packet structure is the MAC Address. That traffic goes over UDP Port 5353.

          See RFC 3927.

          • @angel'o'sphere is correct!

            MAC addresses are part of level 2 ethernet protocol, which does not have ports.

            Level 3 IP protocol, which defines ports, does not use MAC addresses.

            The confusion comes about from an application using level 3 IP protocol sending data over UDP Port 5353 that contains the MAC address. In this instance it's simply data on a port. In principle it could have been anything but the developers chose to use the value of the MAC as the data to be sent.
            • @angel'o'sphere is correct!

              MAC addresses are part of level 2 ethernet protocol, which does not have ports.

              Level 3 IP protocol, which defines ports, does not use MAC addresses.

              The confusion comes about from an application using level 3 IP protocol sending data over UDP Port 5353 that contains the MAC address. In this instance it's simply data on a port. In principle it could have been anything but the developers chose to use the value of the MAC as the data to be sent.

              Ok; we're both correct.

              You are generally correct that Ports, per se have nothing to do with MAC Addresses; but I am correct in stating that the mdns Discovery Protocol", which, yes, is but Data, is nonetheless kind of inextricably-linked to UDP Port 5353, to carry out the mdns "Hail". And that Negotiation ended-up Exposing the Device's *real* Hardware MAC Address, instead of the per-network random address generated by the OS.

              Everybody up to speed, now?

  • Whenever your phone goes on the phone network, the base-station gets your IMEI. It also gets the ID of your SIM card, and it has to because otherwise billing does not work. So the second thing that happens is that your wireless provider knows exactly where you are, because they get the ID of that base-station at the same time. And you people are concerned about MAC addresses? Seriously?

  • Remember those Apple commercials touting how it had better security than Android? It was clearly a lie. The inability to add an antivirus app to the iPhone is the primary reason why I would never depend on one for daily use.

If all else fails, lower your standards.

Working...