Apple has fixed a years-old security vulnerability in its operating system for iPhone smartphones and iPad tablets that had been a privacy threat since it first appeared.
In 2020, Apple announced a new feature in iOS 14 that will prevent nearby Wi-Fi routers and access points from collecting MAC addresses unique to their devices.
MAC address tracking can have legitimate purposes, such as: b. By allowing administrators to mark any device connected to their network as unwanted. But if you know the MAC address of a device, you can track that device across different networks.
iOS does not share the device's unique MAC address, but instead uses a different private address for each network.
But it turns out that the feature has not worked as expected since it was first introduced, said security researchers Tommy Miske and Talal Haj Bakri, who discovered a security vulnerability that prevents the privacy feature from working properly.
In a video released this week, Musk explains that while iOS replaces a device's real MAC address with one randomly generated for each network, the system also includes the real MAC address in AirPlay discovery requests sent from the iPhone. network. The real MAC addresses are then sent to all other devices connected to the network.
“There is no way to prevent iPhones and iPads from sending AirPlay discovery requests, even when connected to a VPN,” Musk said. Therefore, Apple devices detect devices on the network that support AirPlay. "
Musk confirmed to TechCrunch that iPhones and iPads continue to send these requests even when users enable Lock Mode, an opt-in feature designed to prevent targeted cyberattacks.
Musk said he first discovered the issue in July, and submitted a security report to Apple on July 25. On October 3, the company informed him that a solution was available for testing.
This week, Apple patched the vulnerability identified as CVE-2023-42846 in iOS 17.1 and 16.7.2, and Musk warned that devices running iOS 14 and (iOS 15) would remain vulnerable.
Apple did not disclose the severity of the flaw, but Misk noted that its vulnerability assessment system rated the flaw as “high severity.”
Apple this week fixed several additional vulnerabilities in iOS 17.1, including: a vulnerability that could allow an attacker to access keys without authentication, and a Siri vulnerability that allows access to sensitive data. Exposure to hackers who have physical access. On the phone.