Apple introduced a feature that would hide a user's permanent MAC address in 2020, but it's been virtually useless until iOS 17.1 thanks to a now-patched vulnerability.
When a device connects to a network, it performs a necessary handshake, sharing its unique MAC address. If an entity can collect the MAC addresses of devices connecting to networks at a large enough scale, it could track users as they move between networks.
According to a report from Ars Technica, Apple implemented a feature that would prevent MAC address tracking, but a vulnerability has rendered it virtually useless since it debuted in iOS 14. The Private Wi-Fi Address feature is enabled by default and promises to assign a different MAC address to every unique SSID, which it did in practice.
The problem is that the permanent MAC address supposedly being obfuscated by this feature was still being shared through port 5353/UDP. Basic MAC address sniffing was curtailed, but anyone looking could easily find the real MAC address, which presents a problem for those expecting this feature to work.
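A defender's check for the failure described above, as an added example that is not from the article or from Apple: given frames captured from your own device and its permanent Wi-Fi address, it reports any frame whose source address is not randomized or whose payload carries the permanent address. The frame tuples, function names and sample bytes are constructed, and the way the address is encoded inside the payload (raw bytes or hex text) is an assumption.

```python
import re

def parse_mac(text):
    """Convert 'aa:bb:cc:dd:ee:ff' (or '-' separated) to 6 raw bytes."""
    parts = re.split(r"[:-]", text.strip())
    if len(parts) != 6:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_private(mac):
    """Randomized addresses are unicast with the locally administered bit set."""
    return (mac[0] & 0x03) == 0x02

def encodings(mac):
    """Byte strings under which one address could sit inside a payload."""
    hexs = mac.hex()
    colon = ":".join(hexs[i:i + 2] for i in range(0, 12, 2))
    forms = {mac}  # raw 6 bytes
    for s in (hexs, colon, colon.replace(":", "-")):
        forms.update({s.encode(), s.upper().encode()})
    return forms

def audit(frames, permanent_mac):
    """frames: (source MAC, UDP destination port, payload) from the device under test.
    Returns (frame index, port, reason) for every frame exposing permanent_mac."""
    perm = parse_mac(permanent_mac)
    needles = encodings(perm)
    findings = []
    for i, (src, dport, payload) in enumerate(frames):
        src_raw = parse_mac(src)
        if src_raw == perm or not is_private(src_raw):
            findings.append((i, dport, "source address is not randomized"))
        elif any(n in payload for n in needles):
            findings.append((i, dport, "permanent address inside payload"))
    return findings

# Constructed sample data; 00:00:5e:00:53:xx is the documentation range.
PERMANENT = "00:00:5e:00:53:2a"
PRIVATE = "d6:1f:3c:9a:10:7e"
SAMPLE = [
    (PRIVATE, 5353, b"constructed query _example._tcp.local"),
    (PRIVATE, 5353, b"constructed id=00:00:5E:00:53:2A"),
    (PRIVATE, 5353, b"\x01\x02" + bytes.fromhex("00005e00532a") + b"\x00"),
    (PRIVATE, 443, b"constructed unrelated traffic"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE, PERMANENT):
        print(finding)
```

On a patched device the audit of a real capture should come back empty; any finding means the per-network address no longer hides the hardware address.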
The report suggests that this would have been a simple fix, and it isn't clear why Apple took three years to implement it. General users don't need to worry about this vulnerability, but anyone who needed to hide their MAC address and expected the feature to work could have had their MAC address compromised.
Apple reports that the vulnerability has been patched in iOS 17.1. It was tracked as CVE-2023-42846 and credited to Talal Haj Bakry and Tommy Mysk.
11 Comments
The actual MAC was only available if an "attacker" thought "hmm, maybe this is a Mac MAC" and to look for it by poking port 5353/UDP…
I'm glad it's fixed, but it looks like it wasn't general knowledge until CVE-2023-42846 was published on the 25th.
rendered it virtually useless, somewhat overstated!
The term “security theatre” is kind of hip and making a comeback of late, but it’s debatable whether Apple truly intended to promote this feature as a security benefit to the public at large when they knew very well from the start that it had little to no real value and was simply performance art.
It’s equally probable and I believe even more likely that this is simply a case of a pathetic level of security software implementation. The reason I say this is because the vast majority of Apple’s customers know little to nothing about this feature-fail and have no idea what a MAC address is, well, other than to think that a MAC address corresponds to the location of their closest McDonald’s restaurant. Plus, nobody was ever asked to remove their shoes.
Was the vulnerability known to those who might exploit it? If not, then it wasn't "virtually useless" at all. Describing things as "theatre" somewhat ironically seems to be its own kind of buzzword theatre.