Apple's private Wi-Fi MAC addresses were security theater until iOS 17.1

AppleInsider

Apple introduced a feature that would hide a user's permanent MAC address in 2020, but it's been virtually useless until iOS 17.1 thanks to a now patched vulnerability.

Private Wi-Fi address

When a device connects to a network, it performs a necessary handshake, sharing its unique MAC address. If an entity can access the MAC addresses accessing networks at a large enough scale, they could track users as they move between networks.

According to a report from Ars Technica, Apple implemented a feature that would prevent MAC address tracking, but a vulnerability has rendered it virtually useless since it debuted in iOS 14. The Private Wi-Fi Address feature is enabled by default and promises to assign a different MAC address to every unique SSID, which it did in practice.

The problem is the permanent MAC address that was supposedly being obfuscated by this feature was still being shared through port 5353/UDP. Basic MAC address sniffing was curtailed, but anyone looking could easily find the real MAC address, which presents a problem for those expecting this feature to work.

The report suggests that this would have been a simple fix, and it isn't clear why Apple took three years to implement it. General users don't need to worry about this vulnerability, but anyone who needed to hide their MAC address and expected the feature to work could have had their MAC address compromised.

Apple reports that the vulnerability has been patched in iOS 17.1. It was tracked as CVE02923-42846 and credited to Talal Haj Bakry and Tommy Mysk.

Read on AppleInsider

mknelson

The actual MAC was only available if an "attacker" thought "hmm, maybe this is a Mac MAC" and to look for it by poking port 5353/UDP…

I'm glad it's fixed, but it looks like it wasn't general knowledge until CVE02923-42846 was published on the 25th.

appleinsideruser

rendered it virtually useless, somewhat overstated! 

dewme

The term “security theatre” is kind of hip and making a comeback of late, but it’s debatable whether Apple truly intended to promote this feature as a security benefit to the public at large when they knew very well from the start that it had little to no real value and was simply performance art.

It’s equally probable and I believe even more likely that this is simply a case of a pathetic level of security software implementation. The reason I say this is because the vast majority of Apple’s customers know little to nothing about this feature-fail and have no idea what a MAC address is, well, other than to think that a MAC address corresponds to the location of their closest McDonald’s restaurant. Plus, nobody was ever asked to remove their shoes. 

Honkers

Was the vulnerability known to those who might exploit it?  If not, then it wasn't "virtually useless" at all.  Describing things as "theatre" somewhat ironically seems to be its own kind of buzzword theatre.

chris-net

dewme said:

The term “security theatre” is kind of hip and making a comeback of late, but it’s debatable whether Apple truly intended to promote this feature as a security benefit to the public at large when they knew very well from the start that it had little to no real value and was simply performance art.

It’s equally probable and I believe even more likely that this is simply a case of a pathetic level of security software implementation. The reason I say this is because the vast majority of Apple’s customers know little to nothing about this feature-fail and have no idea what a MAC address is, well, other than to think that a MAC address corresponds to the location of their closest McDonald’s restaurant. Plus, nobody was ever asked to remove their shoes. 

Security theatre is when someone makes a big deal out of something which proves to be ineffective, this is a classic example.

Apple told us it’s safer to have it enabled, turns out a miscreant could get the actual Mac by probing a port on the device.

I’m a network engineer, have been for 23 years, when the manual says something specific you need to be able to trust it. Apple would have known about this “feature” I’m sure others that needed to know knew about this feature too.

the truth is you can’t trust anyone.

if available, it’s time to install a 3rd party firewall on your devices. 

Reason is Apple have proven to be deliberately dishonest and misleading about their products capabilities and features. 

Honkers

chris-net said:

dewme said:

The term “security theatre” is kind of hip and making a comeback of late, but it’s debatable whether Apple truly intended to promote this feature as a security benefit to the public at large when they knew very well from the start that it had little to no real value and was simply performance art.

It’s equally probable and I believe even more likely that this is simply a case of a pathetic level of security software implementation. The reason I say this is because the vast majority of Apple’s customers know little to nothing about this feature-fail and have no idea what a MAC address is, well, other than to think that a MAC address corresponds to the location of their closest McDonald’s restaurant. Plus, nobody was ever asked to remove their shoes. 

Security theatre is when someone makes a big deal out of something which proves to be ineffective, this is a classic example.

Apple told us it’s safer to have it enabled, turns out a miscreant could get the actual Mac by probing a port on the device.

I’m a network engineer, have been for 23 years, when the manual says something specific you need to be able to trust it. Apple would have known about this “feature” I’m sure others that needed to know knew about this feature too.

the truth is you can’t trust anyone.

if available, it’s time to install a 3rd party firewall on your devices. 

Reason is Apple have proven to be deliberately dishonest and misleading about their products capabilities and features. 

Please.  Locking your door isn't "security theatre" because you forgot to close an upstairs window.  It's still a good measure that will be effective against opportunist burglars that only check the door, and while the window is a residual flaw, it has now been rectified.

clexman

Considering that I get a “Privacy Warning” when the feature is disabled, I agree it’s theater. Even fixed, it’s still theater. 

More than your MAC address is shared when you connect to a network. It’s still easy for someone to track you when you use a random MAC address.

dewme

chris-net said:

dewme said:

The term “security theatre” is kind of hip and making a comeback of late, but it’s debatable whether Apple truly intended to promote this feature as a security benefit to the public at large when they knew very well from the start that it had little to no real value and was simply performance art.

It’s equally probable and I believe even more likely that this is simply a case of a pathetic level of security software implementation. The reason I say this is because the vast majority of Apple’s customers know little to nothing about this feature-fail and have no idea what a MAC address is, well, other than to think that a MAC address corresponds to the location of their closest McDonald’s restaurant. Plus, nobody was ever asked to remove their shoes. 

Security theatre is when someone makes a big deal out of something which proves to be ineffective, this is a classic example.

Apple told us it’s safer to have it enabled, turns out a miscreant could get the actual Mac by probing a port on the device.

I’m a network engineer, have been for 23 years, when the manual says something specific you need to be able to trust it. Apple would have known about this “feature” I’m sure others that needed to know knew about this feature too.

the truth is you can’t trust anyone.

if available, it’s time to install a 3rd party firewall on your devices. 

Reason is Apple have proven to be deliberately dishonest and misleading about their products capabilities and features. 

Nope. 

Every software vendor has at one time or another made a big deal out of something which turned out to be a failure or mistake because they designed or implemented it poorly or injected a bug that crippled the usefulness of the feature. This is a failure in technical engineering. 

Security theater is human engineering. It’s often used when there is no obvious or practical technical solution. It’s performance art, which often involves audience participation, like taking off your shoes to go through airport security checkpoints. 

Apple’s extremely sluggish responsiveness in fixing this bug is embarrassing, but they never engaged in performance art, they simply failed to perform. 

sconosciuto

dewme said:

The term “security theatre” is kind of hip and making a comeback of late, but it’s debatable whether Apple truly intended to promote this feature as a security benefit to the public at large when they knew very well from the start that it had little to no real value and was simply performance art.

It’s equally probable and I believe even more likely that this is simply a case of a pathetic level of security software implementation. The reason I say this is because the vast majority of Apple’s customers know little to nothing about this feature-fail and have no idea what a MAC address is, well, other than to think that a MAC address corresponds to the location of their closest McDonald’s restaurant. Plus, nobody was ever asked to remove their shoes. 

That’s an awfully long trip for yet another tedious “i HaTe ApPLe” comment.

freeassociate2

dewme said:

The term “security theatre” is kind of hip and making a comeback of late, but it’s debatable whether Apple truly intended to promote this feature as a security benefit to the public at large when they knew very well from the start that it had little to no real value and was simply performance art.

It’s equally probable and I believe even more likely that this is simply a case of a pathetic level of security software implementation. The reason I say this is because the vast majority of Apple’s customers know little to nothing about this feature-fail and have no idea what a MAC address is, well, other than to think that a MAC address corresponds to the location of their closest McDonald’s restaurant. Plus, nobody was ever asked to remove their shoes. 

Yeah, dude, all us Mac users are soooo stoopid. Much less intelligent than an average Windows or Linux user.  There’s no security holes like this in other OSes, either.

I do so love when people like you display your ignorance and condescension. It makes you sound so smart.

BlueLightning

You may find the section on NSA tracking in the following article interesting.  
https://en.wikipedia.org/wiki/MAC_address  

If I recall correctly, you may be able to determine from a given MAC address who manufactured the device (CISCO, HP, Apple), the device model number and even the serial number.  It has been many years since I was looking into details.  Details have likely evolved (it has been at least 7 years since I've spent time reviewing Media Access Control addresses).  

Doubt that many Windows or macOS users look into this at great detail.  Would be more of interest to networking specialists.  Bet there are folks at NSA, CIA and FBI who are very interested in media access control addresses.  Likely of great interest to other spy agencies domestic and foreign, as well as cyber criminals.  Suspect you could spend a lifetime on detailed study (not my cup of tea).