In 2020, Apple announced a new feature for its iOS devices that was supposed to protect the privacy of its users. The feature, called Private Address, was designed to prevent the tracking of iPhones and iPads by hiding their Wi-Fi MAC address when they connected to a wireless network. A Wi-Fi MAC address is a unique identifier that is assigned to every device that can access a Wi-Fi network. It is usually fixed and does not change, which means that it can be used to track the location and activity of a device across different networks.
Apple claimed that the Private Address feature would generate a random and temporary Wi-Fi MAC address for each network that the device joined, and that this address would change periodically to prevent tracking. This way, the real and permanent Wi-Fi MAC address of the device would remain hidden from other devices and network operators.
However, on October 25, 2023, a security researcher named Jens Müller revealed that the Private Address feature had a major flaw that made it ineffective. He discovered that Apple devices did not use the random and temporary Wi-Fi MAC address when they communicated with other devices on the same network using a protocol called ARP (Address Resolution Protocol). Instead, they used their real and permanent Wi-Fi MAC address, which was then broadcast to every other device on the network. This meant that anyone who was connected to the same network could easily see the real Wi-Fi MAC address of any iPhone or iPad, and use it to track them.
Müller reported his findings to Apple in July 2023, but he did not receive any response from the company. He then decided to go public with his discovery, and published a detailed blog post explaining how he found the flaw and how he tested it on various Apple devices and iOS versions. He also released a tool called Private Address Checker, which allowed anyone to check if their Apple device was leaking their real Wi-Fi MAC address on their network.
Müller’s disclosure caused a lot of controversy and criticism among the security and privacy community, as well as among Apple users. Many people felt betrayed by Apple, which had marketed its devices as being more secure and privacy-friendly than its competitors. Some people also questioned whether Apple had deliberately implemented the flaw, or whether it was a result of negligence or incompetence. Müller himself said that he did not know the reason behind the flaw, but he hoped that Apple would fix it as soon as possible.