Apple’s new anonymity feature for iPhones is flawed, researchers say
Mobile devices running Apple’s new iOS8 contain a feature designed to randomize the phone or tablet’s MAC address, meaning the unique identifier ascribed to a given iPhone or iPad will routinely change, in turn making it more difficult to trace the activities of an iOS-powered gadget to a specific device.
That’s how the function works in theory, at least. According to recent reports, actually enabling the MAC address randomizer is a feat that requires extra legwork on the part of the end user — the likes of which experts expect to rarely occur on a device that is known for otherwise being rather intuitive.
Last week, researcher Bhupinder Misra at the AirTight blog wrote that certain criteria must be met before the feature can enable anonymity. According to his report, a MAC address will be scrambled only if:
Phone is in sleep mode (display off, not being used)
Wi-Fi should be ON but not associated
Location services should be OFF in privacy settings
"If you're using the phone, it doesn't randomize," Misra explained to the Washington Post. "It's only randomizing if the location services are off and [the phone] is in sleep mode. There's only a small percentage of people who would do that."
Even after his report began to make waves, though, Misra noticed that the function requires even further action in order to work as intended. In a follow-up blog post, the researcher wrote:
“And then something hit me and it is even more ridiculous (damning) than the earlier finding that location services should be OFF for random MAC addresses to show up. It has to do with the cellular data connection setting. Basically, if the phone’s cellular data connection is ON, there is no MAC randomization! If you now turn OFF the cellular data connection (Settings -> Cellular -> Cellular Data OFF), random MAC addresses show up.”
If an individual with the right iPhone and the latest operating system indeed follows those steps, then they won’t have any real issue randomizing their MAC address and can thus have their phone appear as a unique gadget whenever it attempts to connect to a Wi-Fi network. Otherwise, a consistent MAC address can make it possible to see what networks a device connects to and, if analyzed appropriately, the geolocation of the phone or tablet at a given time.
According to Misra, though, few iOS users will go to such lengths.
“Bottom line, this further shrinks the population which is covered by MAC address randomization, perhaps to inconsequential levels and maybe even zero,” he estimated. “Who turns OFF location services AND turns OFF cellular data connection while using their iPhone. That is why I now call it ‘iOS8 MAC RandomGate.’”
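For readers who want to check their own device against the conditions Misra lists, the following is an added example, not code from the article or from Misra. It summarizes a log of probe-request source addresses per test condition and relies on the IEEE 802 convention that software-generated MAC addresses set the locally administered bit. The condition labels, log format and addresses are constructed for illustration.

```python
import re
from collections import defaultdict

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample data: "test condition label,source MAC of a probe request".
# Labels and addresses are invented for illustration, not taken from the article.
SAMPLE_LOG = """\
in_use,a4:5e:60:11:22:33
in_use,a4:5e:60:11:22:33
asleep_location_off_cellular_on,a4:5e:60:11:22:33
asleep_location_off_cellular_off,92:1b:7c:0a:44:e1
asleep_location_off_cellular_off,6e:d3:05:9f:10:2b
asleep_location_off_cellular_off,da:40:ee:71:c8:07
"""

def normalize_mac(mac):
    """Return the MAC as lowercase colon-separated hex, or raise ValueError."""
    canonical = mac.strip().lower().replace("-", ":")
    if not MAC_RE.match(canonical):
        raise ValueError(f"not a MAC address: {mac!r}")
    return canonical

def is_locally_administered(mac):
    """True if bit 0x02 of the first octet is set, which marks an address
    as assigned in software rather than burned in by the vendor."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)

def summarize(log_text):
    """Group probe-request source MACs by condition label and report, per
    label, the frame count, distinct addresses and whether any was random."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        label, mac = line.split(",", 1)
        seen[label.strip()].append(normalize_mac(mac))
    report = {}
    for label, macs in seen.items():
        distinct = set(macs)
        report[label] = {
            "frames": len(macs),
            "distinct_macs": len(distinct),
            "randomized": any(is_locally_administered(m) for m in distinct),
        }
    return report

if __name__ == "__main__":
    for label, stats in summarize(SAMPLE_LOG).items():
        print(label, stats)
```

A condition whose frames all carry the same vendor-assigned address shows no randomization, while several distinct locally administered addresses indicate the feature is active.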