Apple has successfully addressed a long-standing security flaw in the operating systems of its iPhone and iPad devices. This vulnerability had posed a threat to user privacy since its inception.
In 2020, Apple introduced a new feature in the iOS 14 operating system aimed at preventing the collection of unique MAC addresses by wireless routers and nearby access points.
The use of MAC addresses for tracking can be beneficial for legitimate purposes, such as identifying devices connected to a network. However, it can also be exploited for unauthorized tracking across different networks.
To mitigate this issue, the iOS system now generates a unique MAC address for each network instead of sharing the device's unique address. However, it was discovered that this feature did not function as expected. Security researchers Tommi Mäkitalo and Talal Haj Bakry identified a loophole that hindered the proper operation of the privacy feature.
Mäkitalo explained that the system generates a random MAC address for each network. Nevertheless, it still includes the real address in AirPlay discovery requests sent by the iPhone when joining the network. This allows the broadcasting of real MAC addresses to other devices on the network.
Despite users' attempts to activate the Lockdown Mode, designed to protect the device from severe hacking attacks, iPhones and iPads continued to send these requests.
Mäkitalo submitted a security report to Apple in July, and the company was informed in October of a fix that could be tested. Apple addressed the flaw in versions 17.1 and 16.7.2 of the iOS system.
While Apple did not disclose the severity of the vulnerability, it is classified by the vulnerability severity rating system as "high risk." Several other security flaws were also fixed through iOS 17.1, including a bug that could allow attackers to access passwords without authentication, and a Siri assistant error that could expose sensitive information to intruders.
