Privacy features when connecting to wireless networks
Scan privacy
Apple platforms use a randomized Media Access Control address (MAC address) for Wi-Fi scans performed while the device isn’t associated with a Wi-Fi network. These scans can be performed to find and connect to a known Wi-Fi network or to assist Location Services for apps that use geofences, such as location-based reminders or fixing a location in Apple Maps. Note that Wi-Fi scans that happen while trying to connect to a preferred Wi-Fi network aren’t randomized.
Apple platforms also use a randomized MAC address when conducting enhanced Preferred Network Offload (ePNO) scans when a device isn’t associated with a Wi-Fi network or its processor is asleep. ePNO scans are run when a device uses Location Services for apps that use geofences, such as location-based reminders that determine whether the device is near a specific location.
Because a device’s MAC address changes when disconnected from a Wi-Fi network, it can’t be used to persistently track a device by passive observers of Wi-Fi traffic, even when the device is connected to a cellular network. Apple has informed Wi-Fi manufacturers that iOS and iPadOS Wi-Fi scans use a randomized MAC address and that neither Apple nor manufacturers can predict these randomized MAC addresses.
Wi-Fi frame privacy
Wi-Fi frames include a sequence number, which is used by the low-level 802.11 protocol to enable efficient and reliable Wi-Fi communications. Because these sequence numbers increment on each transmitted frame, they could be used to correlate information transmitted during Wi-Fi scans with other frames transmitted by the same device.
To guard against this, Apple devices randomize the sequence numbers whenever a MAC address is changed to a new randomized address. This includes randomizing the sequence numbers for each new scan request that’s initiated while the device is unassociated. This randomization was introduced in iOS 16.1, iPadOS 16.1, macOS 13.1, tvOS 16.1, watchOS 9.1, and visionOS 1.0, and is supported on the following devices:
All iPhone models starting with the iPhone 7 or later
All iPad models starting with the iPad (5th generation) or later
All Mac computers from late 2018 or later
iMac Pro (2017) or later
All Apple TV models starting with the Apple TV 4K (1st generation) or later
All Apple Watch models starting with the Apple Watch Series 3 or later
Apple Vision Pro
All HomePod models
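The sequence-number correlation described above can be checked on a capture from a test device. The following is an added example, not Apple's code: it flags MAC address changes where the 12-bit 802.11 sequence counter simply kept incrementing. The function names, the `max_gap` threshold, and the sample frames are assumptions constructed for illustration.

```python
SEQ_MODULUS = 4096  # the 802.11 sequence number is a 12-bit counter


def split_sequence_control(seq_ctrl):
    """Split the 16-bit Sequence Control field into (sequence, fragment)."""
    return (seq_ctrl >> 4) & 0x0FFF, seq_ctrl & 0x000F


def linkable_mac_changes(frames, max_gap=16):
    """Return MAC changes across which the sequence counter kept counting.

    frames: (source_mac, seq_ctrl) tuples in capture order, taken from a
    single test device in isolation (assumption of this example).
    max_gap: largest forward step still treated as the same counter; it
    allows for frames the capture missed (hypothetical tuning value).
    """
    findings = []
    for (prev_mac, prev_sc), (mac, sc) in zip(frames, frames[1:]):
        if mac == prev_mac:
            continue  # only transitions to a new MAC address matter
        prev_seq, _ = split_sequence_control(prev_sc)
        seq, _ = split_sequence_control(sc)
        step = (seq - prev_seq) % SEQ_MODULUS  # modular: handles 4095 -> 0
        if 1 <= step <= max_gap:
            findings.append((prev_mac, mac, step))
    return findings


def seq_ctrl_value(seq, frag=0):
    """Build a Sequence Control value for the constructed samples below."""
    return (seq << 4) | frag


# Constructed captures (not real traffic); the MAC addresses are made up.
A, B, C = "02:00:00:00:00:0a", "02:00:00:00:00:0b", "02:00:00:00:00:0c"
# Counter carries on across each MAC change, including the 4095 -> 0 wrap.
CONTINUING = [(A, seq_ctrl_value(4093)), (A, seq_ctrl_value(4094)),
              (B, seq_ctrl_value(4095)), (C, seq_ctrl_value(1))]
# Counter restarts at an unrelated value with each new MAC address.
RANDOMIZED = [(A, seq_ctrl_value(100)), (A, seq_ctrl_value(101)),
              (B, seq_ctrl_value(2950)), (B, seq_ctrl_value(2951)),
              (C, seq_ctrl_value(777))]

if __name__ == "__main__":
    for name, capture in (("continuing", CONTINUING), ("randomized", RANDOMIZED)):
        print(name, linkable_mac_changes(capture))
```

A freshly randomized counter can land within `max_gap` of the previous value by chance, so judge the result over many MAC changes rather than a single one.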
Additionally, in an effort to increase user privacy and mitigate device fingerprinting, Apple devices randomize the seed value used for scrambling. This value is changed for every probe request and discovery frame, whenever an interface is started or stopped, on association and disassociation, on roam, and at random intervals.
Apple devices also randomize dialogue token fields in Information Elements (IEs) by selecting a new random value in each transaction. This helps ensure that there’s no predictable pattern to the value of these fields across multiple transactions, and that said pattern can’t be used to distinguish a given device. This applies to IEs across all interfaces (client, Access Point modes, and P2P).