Yoodley is reader-supported. When you buy through links on our site, we may earn an affiliate commission.
Apple’s iOS 17.1 is now widely available. But aside from new features and bug fixes, it also comes with 18 security flaw fixes. One includes an issue with a high vulnerability rating score, which lasted for almost three years before being spotted.
In the release notes of Apple, it introduced several CVEs, including CVE-2023-42846 that affects the mDNSResponder. According to the iPhone maker, “a device may be passively tracked by its Wi-Fi MAC address” using this vulnerability. The giant didn’t share any other details about how serious the problem was, but the researchers who discovered it revealed that it fell under the high-level category. Worst, the issue started in 2020 and was only addressed this month.
The issue started with the feature Apple introduced in iOS 14, preventing wireless routers nearby and access points from collecting a device’s unique MAC address. Unfortunately, the feature was discovered to be working improperly, with Apple admitting in the notes that there was an issue that could track devices via their Wi-Fi MAC address.
Talal Haj Bakry and Tommy Mysk of Mysk Inc. were credited for the discovery of the flaw and shared more details about the problem in a recent YouTube video.
“This feature was useless all these years and now it is fixed in iOS and iPadOS 17.1,” the duo shared. “When an iPhone (or iPad) joins a Wi-Fi network, it immediately sends multicast requests to discover AirPlay devices in the network. We found out that iOS writes the iPhone’s real Wi-Fi address in the payload of the discovery requests sent to port 5353. Thus, iOS leaks the iPhone’s Wi-Fi address as soon as it joins a network, allowing bad actors to track users across different networks. Devices had been leaking their Wi-Fi addresses ever since this privacy feature was introduced in iOS 14, even when connected to a VPN.”
Mysk shared with TechCrunch that the issue was discovered in June and happened even with the Lockdown Mode enabled. Unfortunately, while there’s already a fix through iOS 17.1, the researchers stressed that Apple devices running iOS 14 or iOS 15 are “still vulnerable.”