this post was submitted on 27 Oct 2023
322 points (95.5% liked)

Technology

59575 readers
3451 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

iPhones have been exposing your unique MAC despite Apple’s promises otherwise — “From the get-go, this feature was useless,” researcher says of feature put into iOS 14::“From the get-go, this feature was useless,” researcher says of feature put into iOS 14.

all 32 comments
sorted by: hot top controversial new old
[–] [email protected] 61 points 1 year ago (2 children)

tl;dr It was a bug. It is fixed in 17.1.

[–] [email protected] 59 points 1 year ago (2 children)

this is whitewashing Apple. It was introduced in iOS 14. A trillion dollar company like apple should have had this fixed long before.

[–] [email protected] 14 points 1 year ago (1 children)

Lol, and Apple didn't even "discover" it themselves. It was 2 unaffiliated security researchers who did. Who knows if they even implemented any logic besides the UI.

[–] [email protected] 8 points 1 year ago (1 children)

If you had read the article, you would have known that the bug relates to a very specific field inside a multicast payload and a network-specific unique MAC address is generated and retained as advertised. I'm not defending Apple; just reiterating the facts.

[–] [email protected] 0 points 1 year ago (1 children)

The way multicast works is that the destination mac address starts with 01 00 5e and then next 3 octets (mac addresses are 6 octets long) are copied from the IP address lower octets. The mac address is always this when building the L2 headers for the packet.

[–] [email protected] 1 points 1 year ago

It's not specified what precisely is provided in the payload of the multicast body. I suspect that the original MAC address is included in something like a Bonjour broadcast, but I wasn't able to find any documentation that confirms that.

[–] ink 12 points 1 year ago* (last edited 1 year ago) (1 children)

apple should have had this fixed long before

not if it was intentional. I mean apple bends over for authoritarian governments around the world. This could easily be used as a state surveillance apparatus and casually "fixed" when discovered down the road as a "bug".

[–] [email protected] 5 points 1 year ago (1 children)

yeah I agree that it was intentional. I can't believe Apple didn't properly test this feature. But I didn't want to speculate without actual proof

[–] [email protected] 4 points 1 year ago

Why not? Everyone else seems to be doing it, you’re probably just some Portuguese pastrie chef with a bad hair cut and a paid off mortgage

[–] [email protected] 8 points 1 year ago (1 children)

Hmm, tldr bot didn’t mention this…

[–] [email protected] 19 points 1 year ago

This is why we call it artificial intelligence, rather than digital intelligence.

[–] [email protected] 24 points 1 year ago

This is the best summary I could come up with:


Three years ago, Apple introduced a privacy-enhancing feature that hid the Wi-Fi address of iPhones and iPads when they joined a network.

Enter CreepyDOL, a low-cost, distributed network of Wi-Fi sensors that stalks people as they move about neighborhoods or even entire cities.

In 2020, Apple released iOS 14 with a feature that, by default, hid Wi-Fi MACs when devices connected to a network.

Over time, Apple has enhanced the feature, for instance, by allowing users to assign a new private Wi-Fi address for a given SSID.

In fairness to Apple, the feature wasn't useless, because it did prevent passive sniffing by devices such as the above-referended CreepyDOL.

But the failure to remove the real MAC from the port 5353/UDP still meant that anyone connected to a network could pull the unique identifier with no trouble.


The original article contains 680 words, the summary contains 136 words. Saved 80%. I'm a bot and I'm open source!

[–] [email protected] 7 points 1 year ago

Very useful tech for schools, supermarkets and malls. I wonder if Apple will patch the 5353 port issue.

[–] [email protected] 5 points 1 year ago (1 children)

I don’t understand why this article isn’t BS. It was meant to prevent passive snooping. If I connect to a network, it needs to know who I am.

I’ve worked with companies that implement this type of tech for monitoring road traffic congestion. IOS reduced the number of ‘saw same phone twice and can calculate speed’

[–] [email protected] 18 points 1 year ago

You are who you say you are to a network though, at least at layer 2.

If you say you’re one MAC address one time and another next time then so you are.

Let me give you an example. Let’s say I’m a device trying to connect to a network. Among other things I tell it “can I have an IP address, my MAC address is Majestic”. It says in turn, sure and notes down Majestic and routes or switches things to me when another device says it wants to reach my IP. In Wi-Fi it basically shouts out it has a packet for Majestic and sends it out onto the air with my unique encryption key I previously negotiated and I am listening for packets for Majestic and grab and process that packet. Now if I go back and connect again and call myself Dull it’ll do the same thing. Those names being stand-ins for MAC addresses of course.

This is simplified of course. And this is why MAC whitelisting is a futile attempt at security.

[–] [email protected] 5 points 1 year ago (2 children)
[–] [email protected] -2 points 1 year ago (3 children)

Step 1: Give the surveillance company money

[–] [email protected] 2 points 1 year ago

Check out Swappa

[–] [email protected] 2 points 1 year ago (1 children)

Better than giving them your data. They can't use your money to ruin your life, but they can very well do that with your data.

[–] [email protected] 0 points 1 year ago (1 children)

You're kidding right? Money can't ruin lives?

[–] [email protected] 2 points 1 year ago (1 children)

It definitely can. But Google won't randomly spend money in order to ruin your life. They will do that with your data though as can be seen in many unfortunate cases like these: https://www.phoenixnewtimes.com/news/google-geofence-location-data-avondale-wrongful-arrest-molina-gaeta-11426374 https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html And it's not just Google. Any data you expose can and will at some point be used to absolutely fuck you. The Snowden leaks have proven this.

[–] [email protected] 2 points 1 year ago

That's a direct impact, for sure, but money gives them power to build better surveillance, influence the public, influence politics, buy up competition and so much more. They affect you indirectly and over a much longer time-period.