Privacy breach: Apple devices were sending the real MAC of the device along with the random one

November 22, 2023

Introduction

Back in 2020, Apple introduced a feature that was very well received by people particularly vulnerable to attacks on their privacy. It consisted of hiding the real MAC (Media Access Control) address when a user of an Apple device connected to a Wi-Fi network.

Instead of using the address assigned to the network interface of the smartphone or tablet, the device creates a random virtual MAC for each new network (SSID) it connects to. The feature was named "Private Wi-Fi Address" and is enabled by default.

Image of Apple's "Private Wi-Fi Address" feature

Why is this relevant though?

Benefits of hiding the MAC address

Hiding the actual MAC address of a device gives users added privacy because it prevents an attacker connected to the same network from effectively recording the behavior, location and movements of the device.

To clarify, let's look at this from the other perspective. If a device always uses the same Wi-Fi MAC address across networks, network operators and other network observers can more easily relate that address to the device's network activity and location over time. This allows a type of user tracking or profiling, and it applies to all devices on all Wi-Fi networks. In short: if the MAC is kept constant, it is possible to know when a phone has connected to a given Wi-Fi network and therefore to trace a clear path of its movements.

Starting with iOS 14, Apple made it possible to minimize this risk, at least in theory, by using a different private MAC address for each network we connect to.

Over the years, improvements have been made to the initial functionality, such as the ability to reset the private MAC for known networks, or the automatic rotation of the private MAC if you have not connected to the network in the last 6 weeks.

Malfunction detected

Two security researchers discovered and reported to Apple a vulnerability that allowed the user's real MAC address to be obtained from the additional information fields sent in traffic to UDP port 5353. But what is UDP port 5353 used for?

Apple, as specified in its support documentation, uses port 5353 for the discovery of other AirPlay devices, Bonjour services, and printers on the local network, an exchange defined by the Multicast DNS (mDNS) standard.

As security researcher Tommy Mysk shows in the following video, this can be verified simply by using the well-known Wireshark traffic inspector.

Although the source address of the request correctly reflects the private MAC, the real MAC is sent in another part of the traffic, which defeats the whole purpose of the feature.
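The check the article describes can be automated for a device you own: take a frame captured on the wire, confirm that its Ethernet source address is a randomized (locally administered) MAC, and then look for the device's burned-in hardware MAC inside the UDP payload sent to port 5353. The following Python audit is an added example, not code from the article, from Apple or from the researchers; the frames, the hardware MAC, the private MAC and the record names are constructed for illustration, and the way the leaked address is embedded in the mDNS record is an assumption, not the actual record layout of the affected iOS versions.

```python
"""Audit Ethernet/IPv4/UDP frames sent to the mDNS port for a leaked hardware MAC.

Added example. All sample frames below are constructed; the MAC addresses
and record contents are hypothetical and not taken from a real capture.
"""
import struct

MDNS_PORT = 5353
MDNS_GROUP_MAC = bytes([0x01, 0x00, 0x5E, 0x00, 0x00, 0xFB])  # 224.0.0.251


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def is_locally_administered(mac: bytes) -> bool:
    # Randomized ("private") MACs set the locally administered bit
    # (bit 1 of the first octet); burned-in hardware MACs leave it clear.
    return bool(mac[0] & 0x02)


def parse_udp_frame(frame: bytes):
    """Return (src_mac, dst_port, udp_payload) for an Ethernet II / IPv4 / UDP
    frame, or None when the frame is not IPv4-over-Ethernet carrying UDP."""
    if len(frame) < 14:
        return None
    src_mac = frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:  # not IPv4
        return None
    ip = frame[14:]
    if len(ip) < 20:
        return None
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes
    if ip[9] != 17 or len(ip) < ihl + 8:  # protocol 17 = UDP
        return None
    udp = ip[ihl:]
    _src_port, dst_port, udp_len, _checksum = struct.unpack("!HHHH", udp[:8])
    return src_mac, dst_port, udp[8:udp_len]


def audit_frame(frame: bytes, hardware_mac: bytes) -> dict:
    """Report whether a frame to the mDNS port carries the hardware MAC in its
    payload even though the Ethernet source address is a private MAC."""
    parsed = parse_udp_frame(frame)
    if parsed is None:
        return {"mdns": False}
    src_mac, dst_port, payload = parsed
    offset = payload.find(hardware_mac)  # -1 when the hardware MAC is absent
    return {
        "mdns": dst_port == MDNS_PORT,
        "src_mac": mac_str(src_mac),
        "src_is_private": is_locally_administered(src_mac) and src_mac != hardware_mac,
        "leaks_hardware_mac": dst_port == MDNS_PORT and offset >= 0,
        "leak_offset": offset,
    }


# --- constructed sample traffic -------------------------------------------

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, zero terminator."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"


def build_mdns_query(extra_rdata: bytes = b"") -> bytes:
    """Minimal mDNS query for _airplay._tcp.local, optionally with one
    additional TXT record (hypothetical name) carrying extra_rdata."""
    arcount = 1 if extra_rdata else 0
    msg = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, arcount)          # header
    msg += encode_name("_airplay._tcp.local") + struct.pack("!HH", 12, 1)  # PTR, IN
    if extra_rdata:
        msg += encode_name("device-info.local")
        msg += struct.pack("!HHIH", 16, 1, 4500, len(extra_rdata)) + extra_rdata  # TXT, IN, TTL
    return msg


def build_frame(src_mac: bytes, payload: bytes) -> bytes:
    """Wrap a payload in UDP 5353 -> 5353, IPv4 to 224.0.0.251, Ethernet II."""
    udp = struct.pack("!HHHH", MDNS_PORT, MDNS_PORT, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 255, 17, 0,
                     bytes([192, 168, 1, 20]), bytes([224, 0, 0, 251])) + udp
    return MDNS_GROUP_MAC + src_mac + struct.pack("!H", 0x0800) + ip


HARDWARE_MAC = bytes.fromhex("3c22fb0a1b2c")  # constructed; bit 1 of 0x3c is clear
PRIVATE_MAC = bytes.fromhex("d2a1b2c3d4e5")   # constructed; 0xd2 has bit 1 set

# A frame whose source is the private MAC but whose additional record embeds
# the hardware MAC (the failure mode described in the article), and a clean one.
LEAKY_FRAME = build_frame(PRIVATE_MAC, build_mdns_query(b"mac=" + HARDWARE_MAC))
CLEAN_FRAME = build_frame(PRIVATE_MAC, build_mdns_query())

if __name__ == "__main__":
    for label, frame in (("leaky", LEAKY_FRAME), ("clean", CLEAN_FRAME)):
        print(label, audit_frame(frame, HARDWARE_MAC))
```

Run against a real capture, `audit_frame` would be fed each frame (for example via a pcap reader) together with the hardware MAC shown in the device's settings; a report with `src_is_private` true and `leaks_hardware_mac` true is exactly the condition the article warns about, while a patched device should only ever produce `leaks_hardware_mac` false.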

Solution Release

Apple has not provided much explanation as to how this malfunction went undetected for more than three years. The CVE information and the associated release notes, published at the end of October 2023, simply state that the vulnerable code has been removed in the following operating systems: watchOS 10.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1, iOS 17.1 and iPadOS 17.1.

Conclusions

For the vast majority of users the impact of this bug is minimal, but for those whose privacy is important, or even vital, this is very bad news.

These groups may have been tracked without their knowledge for more than three years, all the more so because they believed they were protected by a feature that Apple itself described as helping to protect specifically against this threat.

This leads us to reflect on security on the one hand, and the feeling of security on the other, which is often a very bad traveling companion. When a person has or relies on a false sense of security, the risk is multiplied, since precaution is naturally reduced under the premise that we are "protected".

This reflection applies not only to this case but to many others, such as people who contact anonymous media reporting platforms and have seen their identity revealed after mishandling the metadata of the files they sent.

Distrust is a great tool for groups highly sensitive to privacy attacks, as our colleague David Garcia commented in the closing of his post on password fatigue: “You trust, but then check”. Or my personal adaptation: “you trust, but always check”.


Image from Freepik.