Apple has fixed a years-old vulnerability in its iPhone and iPad software that undermined a privacy feature since it first debuted.
Back in 2020, Apple announced a new feature in iOS 14 that would prevent nearby wireless routers and access points from gathering an Apple device’s unique MAC address.
Tracking MAC addresses can have legitimate uses, like allowing administrators to identify every device connected to their networks, such as unauthorized devices. But knowing a device’s MAC addresses can be used for tracking that device across different networks.
Rather than sharing the device’s unique MAC address, the iOS feature would use a different “private address” for each network.
But it turns out that this feature hasn’t worked as intended since it was first introduced, according to security researchers Tommy Mysk and Talal Haj Bakry, who discovered a flaw that prevented the privacy feature from properly working.
In a video published this week, Mysk explained that while iOS has replaced the device’s real MAC address with a randomly generated address for each network, the device’s software also included the real MAC address in the AirPlay discovery requests that an iPhone sends when it joins a network. These real MAC addresses were then broadcast to every other connected device on the network.
“There is no way to prevent iPhones and iPads from sending AirPlay discovery requests, even when connected to a VPN,” Mysk said. “Apple’s devices do this to discover AirPlay-capable devices in the network.”
Mysk confirmed to TechCrunch that iPhones and iPads kept sending these requests even when the user enabled Lockdown Mode, an opt-in feature designed to protect against highly targeted cyberattacks.
Mysk said he first discovered this issue in July, and submitted a security report to Apple on July 25. Mysk told TechCrunch that communication with Apple provided a “major obstacle,” saying that the tech giant was unable to replicate the “straightforward” issue until October 3, when he was notified that a fix was available to be tested.
Apple this week fixed the vulnerability, tracked as CVE-2023-42846, with the release of iOS 17.1 and iOS 16.7.2 for older devices that can run iOS 16. As Mysk noted, devices running iOS 14 or iOS 15 remain vulnerable.
Apple has not disclosed the severity of the bug, but Mysk notes that the vulnerability rating score system classifies the vulnerability as “high.”
Apple spokesperson Scott Radcliffe declined to answer TechCrunch’s questions.
Apple this week fixed several other vulnerabilities with iOS 17.1, including a flaw that may have allowed an attacker to access passkeys without authentication, and a Siri bug that could have exposed sensitive data to a hacker with physical access to a device.