Apple promised users that this never-changing address would be hidden and replaced with a private one unique to each SSID. However, Apple devices have continued to display the real one, which was broadcast to every other connected device on the network.
Bizarrely, Apple has enhanced the feature by allowing users to assign a new private Wi-Fi address for a given SSID – only it still did not work.
On Wednesday, Apple released iOS 17.1. Among the various fixes was a patch for a vulnerability, tracked as CVE-2023-42846, which prevented the privacy feature from working.
Tommy Mysk, one of the two security researchers Apple credited with discovering and reporting the vulnerability, said he tested all recent iOS releases and found the flaw first appeared in September 2020.
"From the get-go, this feature was useless because of this bug. Even with a VPN, we couldn't stop the devices from sending these discovery requests. Even in the Lockdown Mode."
The only reason that this failure was not discovered, and Apple mocked, was that to the casual observer, the feature appeared to work as advertised. The "source" listed in the request was the private Wi-Fi address. Digging in a little further, however, it became clear that the real, permanent MAC was still broadcast to all other connected devices in a different field of the request.
Mysk published a short video showing a Mac using the Wireshark packet sniffer to monitor traffic on the local network the Mac is connected to. When an iPhone running iOS before version 17.1 joins, it shares its real Wi-Fi MAC on port 5353/UDP.
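The check described above can be run against your own capture. The following is an added example, not code from Mysk or Apple: given the hardware address of a device you own, it reports whether a port 5353/UDP datagram sent from a different source MAC still carries that address. The article does not name the field involved, so the whole payload is searched; only Ethernet/IPv4 frames are handled, and the addresses and frames are constructed sample values.

```python
import struct

MDNS_PORT = 5353  # port named in the article (5353/UDP)

def parse_mac(text):
    """'aa:bb:cc:dd:ee:ff' -> 6 raw bytes."""
    return bytes.fromhex(text.replace(":", "").replace("-", ""))

def is_private(mac):
    """Checks the locally administered bit, which randomised addresses set."""
    return bool(mac[0] & 0x02)

def udp_payload(frame):
    """Return (src_mac, dst_port, payload) of an Ethernet/IPv4/UDP frame, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    if ihl < 20 or frame[23] != 17 or len(frame) < 14 + ihl + 8:
        return None
    udp = 14 + ihl
    dport, length = struct.unpack("!HH", frame[udp + 2:udp + 6])
    return frame[6:12], dport, frame[udp + 8:udp + length]

def leaks_real_mac(frame, real_mac):
    """True if a port-5353 datagram sent from another source MAC carries real_mac."""
    parsed = udp_payload(frame)
    if parsed is None or parsed[1] != MDNS_PORT:
        return False
    src, _, payload = parsed
    real = parse_mac(real_mac)
    as_text = (real.hex().encode(), real.hex(":").encode(), real.hex("-").encode())
    # Match the raw 6 bytes, or the address written out as hex text in any case.
    return src != real and (real in payload or any(t in payload.lower() for t in as_text))

def build_frame(src_mac, payload, dport=MDNS_PORT):
    """Constructed test frame: Ethernet + IPv4 + UDP, checksums left at zero."""
    eth = bytes.fromhex("01005e0000fb") + parse_mac(src_mac) + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(payload), 0, 0, 255, 17, 0,
                     bytes([192, 0, 2, 10]), bytes([224, 0, 0, 251]))
    udp = struct.pack("!HHHH", MDNS_PORT, dport, 8 + len(payload), 0)
    return eth + ip + udp + payload

# Constructed sample values, not taken from the article or from a real device.
REAL = "00:00:5e:00:53:01"      # stands in for the hardware address shown in Settings
PRIVATE = "02:00:5e:00:53:aa"   # stands in for the per-SSID private address

if __name__ == "__main__":
    for body in (parse_mac(REAL), b"_example._tcp.local"):
        frame = build_frame(PRIVATE, b"\x00" * 12 + body)
        print(is_private(frame[6:12]), leaks_real_mac(frame, REAL))
```

To use it on real traffic, pass each captured frame's raw bytes to `leaks_real_mac` along with the hardware address of the device under test.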