Three years after Apple introduced a menu setting called Private Wi-Fi Address, a way to spoof network identifiers called MAC addresses, the privacy protection may finally work as advertised, thanks to a software fix.
“To communicate with a Wi-Fi network, a device must identify itself to the network using a unique network address called a Media Access Control (MAC) address,” Apple explains in its documentation.
“If the device always uses the same Wi-Fi MAC address across all networks, network operators and other network observers can more easily relate that address to the device’s network activity and location over time. This allows a kind of user tracking or profiling, and it applies to all devices on all Wi-Fi networks.”
Private Wi-Fi Address aims to avoid such tracking by generating a different MAC address for each different Wi-Fi network.
But Apple’s identifier spoofing feature hasn’t functioned properly since it was introduced for iOS 14, iPadOS 14, and watchOS 7 in September 2020 due a bug in mDNSResponder, a process associated with Apple’s Bonjour networking protocol.
The bug, CVE-2023-42846, was identified by flaw finders Tommy Mysk and Talal Haj Bakry of Mysk Inc, which also makes various iOS and macOS apps.
“Private Wi-Fi addresses have been useless ever since they were introduced in iOS 14,” they said in a Mastodon post on Thursday. “When an iPhone joins a network, it sends multicast requests to discover AirPlay devices in the network. In these requests, iOS sends the device’s real Wi-Fi MAC address.”
The duo explain that Apple’s software replaces the device’s actual MAC address in the data link layer with a generated MAC address. But until Apple repaired its code, the software also passed the real MAC address with the decoy in AirPlay discovery requests, even when connected to a VPN.
Bakry and Mysk determined this by using the Wireshark network protocol analyzer, which revealed that the real MAC address was being sent in the Option Data: field, concatenated with the generated MAC address, as shown in this video.
Ironically, back in 2015, Apple resumed using mDNSResponder after its intended replacement, a daemon written in C++ called discoveryd that was added a year earlier as part of OS X Yosemite, proved to be more trouble than its C-based predecessor.
Apple did not respond to a request for comment. The company patched the mDNSResponder bug on Wednesday with the release of iOS 17.1, iPadOS 17.1 and watchOS 10.1.
Users of iOS 16 and iPadOS 16 also received a fix, but those still clinging to iOS 15 did not. ®