On Wednesday, October 25, Apple released a product update that includes a fix for the recently discovered vulnerability CVE-2023-42846: An information leak leading to disclosure of the device MAC address even if WiFi MAC address randomization is enabled.
We found that the reporting around this vulnerability was not providing enough context and want to take this opportunity to explain our view on it.
MAC Address Randomization
MAC address randomization is the practice of using a different, random MAC address for each time you connect to a WiFi network as well as for scans of networks in range. For example, Apple introduced this feature for a wide range of products with the release of iOS 14 in 2021.
In contrast, a static, non-random MAC address on devices like phones opens the user up to privacy issues because it can be tracked. The phone is almost constantly broadcasting it’s MAC address when looking for known networks using probe request frames. These requests can be collected with cheap and readily available sensors that can be deployed without much effort. Malls are known to have deployed such systems to track the behavior of their visitors and other actors like oppressive regimes are of course able to deploy passive tracking like this, too.
On top of that, owners of popular and widely available free WiFi networks (think coffee shops) could of course aggregate use statistics of their networks and build individual behavioral patterns based on the MAC addresses they see.
The Vulnerability
The now disclosed and fixed vulnerability shows that the static, non-randomized MAC address could be easily queried using UDP on port 5353 of the mobile device, no matter if WiFi MAC randomization was enabled or not.
Our View: The Feature was not “useless”
We have seen some widely shared commentary that described the iOS mac-randomization as having been entirely useless.
We do not agree with that assessment at all:
- The information leak is only possible to exploit when a device is connected to the same network as the attacker. There is no way to access any port on the device until it is authenticated with the WiFi network and associated with an access point, or, in simpler terms, until the user connected to the network.
- Passive tracking by sensors was prevented by MAC address randomization as designed. It was not possible to track mobile device presence without a user connecting to a WiFi network under threat actor control because each network scan came from a different, random MAC address.
Of course there are people with a risk profile large enough to consider this vulnerability. However, for the absolute vast majority of people, the MAC address randomization worked as designed and prevented them from being passively tracked. It was and is not entirely useless.
This is our view and we welcome any differing viewpoints or experiences! It’s still a wild WiFi world out there.