- By Vikas Yadav
- Sat, 28 Oct 2023 11:57 AM (IST)
- Source: JND
Apple, a Cupertino-based tech giant, announced its new iOS 17.1 update for iPhones a few days back. While it packed several new features, a flaw that plagued iPhones for years was also fixed in the update, according to a report from TechCrunch.
Back in 2020, Apple introduced iOS 14 with a feature that restricted nearby internet routers and access points from collecting the MAC addresses of iPhones. Tracking this address has a wide range of legitimate use cases, such as helping administrators identify devices connected to the network to locate unauthorised activity.
However, the MAC address can also be used to track a device when it connects to a different network. To tackle this, the iOS feature was supposed to share a "private address" with every network. However, it seems the feature did not serve its purpose. Security researchers Tommy Mysk and Talal Haj Bakry found the bug that kept the feature from functioning properly.
Mysk detailed in a video that although the MAC address is swapped with a random address, the real MAC address was still present in the AirPlay discovery requests that the iPhone sends to a network. This address is available to other devices on the network.
"There is no way to prevent iPhones and iPads from sending AirPlay discovery requests, even when connected to a VPN...Apple's devices do this to discover AirPlay-capable devices in the network," Mysk stated, as per TechCrunch. This was also possible when the iPhone was in Lockdown Mode.
The researcher reported the issue to Apple on July 25. A testing fix was implemented on October 3. The vulnerability, 'CVE-2023-42846', came to light with the iOS 17.1 (available for iPhone XS and later) and iOS 16.7.2 updates. Older versions, like iOS 15 and iOS 14, are still vulnerable to this "high" risk bug.
"A device may be passively tracked by its Wi-Fi MAC address...This issue was addressed by removing the vulnerable code," Apple said in the update document of iOS 17.1. Other vulnerabilities fixed in the update were around passkeys and Siri. The display retention issue was also addressed in the update.