Security News > 2023 > October > Apple news: iLeakage attack, MAC address leakage bug

On Wednesday, Apple released security updates for all supported branches of iOS and iPadOS, macOS, tvOS, watchOS and Safari.

Another vulnerability of note fixed this Wednesday with the release of iOS 17.1 and iPadOS 17.1, iOS 16.7.2 and iPadOS 16.7.2, tvOS 17.1 and watchOS 10.1 is CVE-2023-42846, a bug that made a privacy-enhancing feature not work as intended.

"Ever since it was introduced [in iOS 14], the feature was completely useless. While iOS replaces the device's real MAC address in the data link layer with a generated address per network, it includes the real MAC address in the AirPlay discovery requests that an iPhone starts sending when it joins a network," the researchers explained.

A group of researchers has developed a side-channel attack exploiting Apple A-series or M-series CPUs' speculative execution capability to extract sensitive information when a Safari user lands on a specially crafted webpage.

The attack can also be leveraged against Chrome, Firefox and Edge users on iOS, since they use Safari's JavaScript engine.

The researchers pointed out that the attack is "Significantly difficult" to orchestrate end-to-end and that they currently do not have evidence that iLeakage has been abused by attackers.

News URL

https://www.helpnetsecurity.com/2023/10/27/ileakage-attack-mac-address-leakage/