Back at WWDC in June, Apple told the world that a new iOS 8 feature would stop marketers from spying on users through Wi-Fi. The feature is available now, but it turns out it only works if you turn off your GPS and disable your cellular data connection, which isn’t quite as comprehensive as we may have thought.
Airtight Networks security researcher Bhupinder Misra dug into the MAC address randomisation feature built into iOS 8. As Apple described it, the feature seems pretty good for users: when your device is searching for Wi-Fi, say in a mall or sports stadium, it will send out a randomised MAC address, rather than your phone’s actual hardware address. Ostensibly, this would prevent retailers from using your phone’s MAC address to send you contextual advertisements based on your location within the reach of their Wi-Fi.
But there are caveats: Earlier this week, Misra discovered that on an iPhone 5S, the MAC randomisation only happens when the phone is in sleep mode (i.e. display turned off) with Location services turned off. If you wake up your iDevice to check a text message, or if you leave your GPS signal turned on to use navigation or a fitness-tracking app, you’re out of luck.
But those first tests were done on devices with the SIM card removed. Today, Misra published a disappointing update: iOS 8’s MAC randomisation simply won’t work unless you’ve got your cellular data connection turned off.
That’s right; according to this research, if you don’t want people tracking your iDevice, you’ve got to leave it in sleep mode, with GPS turned off, and disconnect your cellular data. If you’ve done all that, you’ll be safe, sure. But at that point, you might as well have left your smartphone back at home, because there’s absolutely no utility in carrying around a device that you cannot turn on. Unfortunately, as it stands right now, that’s the only way you can utilise the randomised MAC address feature Apple says will prevent retailers from tracking you.
Misra made these findings on an iPhone 5S, and says he has not tested the iPhone 6 yet to see how it responds. He says the MAC randomisation feature did not work on an iPhone 5 or an iPad Mini.
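To check this kind of behaviour on your own device, the following Python script (an added example, not Misra's test procedure and not code from Apple or Airtight Networks) groups probe-request source addresses by the device state they were captured in and reports whether each state used randomised addresses. It assumes randomised addresses set the locally administered bit of the first octet; the hardware address, the state labels and the observations are all constructed for illustration.

```python
from collections import defaultdict

# Constructed hardware (burned-in) address of the test device.
HARDWARE_MAC = "00:11:22:33:44:55"

# Constructed observations: (device state during capture, probe-request source MAC).
OBSERVATIONS = [
    ("asleep, location off, cellular off", "02:1a:7f:3c:9d:10"),
    ("asleep, location off, cellular off", "06:b2:44:e1:08:5a"),
    ("awake, location off, cellular off", "00:11:22:33:44:55"),
    ("asleep, location on, cellular off", "00:11:22:33:44:55"),
    ("asleep, location off, cellular on", "00:11:22:33:44:55"),
]

def parse_mac(text):
    """Return the 6 raw bytes of a MAC written with ':' or '-' separators."""
    parts = text.strip().replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)

def is_locally_administered(mac):
    """True for a unicast address with the locally administered bit (0x02) set.

    Assumption: a randomised probe address is generated this way, so it can
    never collide with a vendor-assigned (globally unique) address.
    """
    first = parse_mac(mac)[0]
    return bool(first & 0x02) and not first & 0x01

def audit(observations, hardware_mac):
    """Map each device state to a verdict on the addresses seen in that state."""
    hardware = parse_mac(hardware_mac)
    by_state = defaultdict(list)
    for state, mac in observations:
        by_state[state].append(mac)
    verdicts = {}
    for state, macs in by_state.items():
        if any(parse_mac(m) == hardware for m in macs):
            verdicts[state] = "exposes hardware MAC"
        elif all(is_locally_administered(m) for m in macs):
            verdicts[state] = "randomised"
        else:
            verdicts[state] = "unrecognised globally assigned address"
    return verdicts

if __name__ == "__main__":
    for state, verdict in audit(OBSERVATIONS, HARDWARE_MAC).items():
        print(f"{state}: {verdict}")
```
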
It’s worth pointing out that this feature, and its apparent shortcomings, is entirely different from Apple’s new encryption techniques that are confounding authorities up to and including the FBI. That feature still works (with caveats), regardless of the MAC address randomisation setup, and is probably a lot more important to maintaining your privacy.
Update: Apple declined to comment specifically on this report, referring us to the company’s own description of how iOS 8 privacy features work, as well as a white paper detailing iOS 8 security.