Hello, Penguins! We will interrupt this week’s showcase friday to bring you a breaking news story. Apple just released an update to iOS 17 that fixes a bug that has been leaking users’ Wi-Fi MAC addresses for the past three years. This is a major privacy faceplant for Apple, and it’s a cautionary tale for all closed-source giants.
The bug, reported under CVE-2023-42846 could have allowed attackers to track users’ movements by monitoring their Wi-Fi MAC addresses.
How is this a problem when the hardware address is dumped once packets are out onto the web? Are you worried your router knows it’s you? Outside your subnet, on the internet, your Mac address is not part of the packet.
that’s wrong. the device exposed the real mac address on port 5353 (udp) which is apple’s “bonjour” service, which acts as a service discovery/zeroconf network tool.
that means that other devices in the same network can know your real mac address, this makes it very easy for say ISPs to track you across networks if you use friends networks, open wifi networks in coffee shops etc.
deleted by creator
Still within a subnet. If you connect to an internet cafe Wifi, you should be more worried about your dns traffic for identifying you.
DNS tracking can be mitigated with Oblivious DoH, DNSCrypt or even a VPN.
And so on and so on. If you want to be tracked, you can be tracked, regardless of a mac address, or the hoops a user jump through to create the illusion of privacy. I can think of lots of unconventional ways to track a naive user.