How Apple Wi-Fi Positioning System can be abused to track people around the globe

SpaceX is smart on this, Cupertino and GL.iNet not so much

In-depth: Academics have shown how Apple's Wi-Fi Positioning System (WPS) can be abused to create a global privacy nightmare.

In a paper titled, "Surveilling the Masses with Wi-Fi-Based Positioning Systems," Erik Rye, a PhD student at the University of Maryland (UMD) in the US, and Dave Levin, associate professor at UMD, describe how the design of Apple's WPS facilitates mass surveillance, even of those not using Apple devices.

"This work identifies the potential for harm to befall owners of Wi-Fi APs (access points), particularly those among vulnerable and sensitive populations, that can be tracked using WPSes," the authors explain in their paper [PDF]. "The threat applies even to users that do not own devices for which the WPSes are designed – individuals who own no Apple products, for instance, can have their AP in Apple’s WPS merely by having Apple devices come within Wi-Fi transmission range."

Apple is one of several companies, along with Google, Skyhook, and others, that operate a WPS. A WPS offers client devices a way to determine their location that draws less power than the Global Positioning System (GPS), which matters most on battery-constrained mobile phones.

Mobile devices that have used GPS to obtain their location often report that location back to a WPS service, along with the MAC addresses of nearby Wi-Fi access points; each MAC address serves as the AP's Basic Service Set Identifier (BSSID). Thereafter, other mobile devices that are not using GPS can obtain location data by querying the WPS service.

Device queries involve sending a list of nearby BSSIDs and their signal strength to the WPS. The WPS, as the paper describes, generally responds in one of two ways.

Either it calculates the client position and returns those coordinates, or it returns the geolocations of the submitted BSSIDs (which are associated with AP hardware) and lets the client perform the calculations to determine its location.

Google's WPS does the former while Apple's WPS does the latter. But Apple's system is exceptionally talkative, the boffins suggest.

"In addition to the geolocations of the BSSIDs the client submits, Apple’s API opportunistically returns the geolocations of up to several hundred more BSSIDs nearby the one requested," the paper states.

Erik Rye, co-author of the paper, explained to The Register that Google and Apple's WPS systems work in fundamentally different ways and that only Apple's, due to its openness, provided a way to conduct this study.

"In Apple's version, you submit BSSIDs to geolocate, and it returns the geolocation it believes the BSSID is at," said Rye. "It also returns many more (up to 400) that you didn't request that are nearby. The additional 400 were really important for our study, as they allowed us to accumulate a large quantity of geolocated BSSIDs in a short period of time. Additionally, Apple's WPS is not authenticated or rate limited and is free to use."

Google's WPS, he said, just returns a calculated location, and it is also authenticated, rate-limited, and paid, which makes it prohibitive for conducting studies of this sort.
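The two response styles the article contrasts, as an added illustration that is not code from the paper or from any WPS operator: a toy positioning service with a constructed database, a "position only" reply that discloses nothing about individual access points, and a "BSSID locations" reply that hands back the coordinates of every submitted BSSID plus up to `extra` others nearby, which the client then turns into a fix itself. The BSSIDs use the documentation-reserved MAC range from RFC 7042, the coordinates are made up, and the `extra`/`radius_m` knobs and RSSI-weighted centroid are this example's own simplifications, not any vendor's algorithm.

```python
import math

# Constructed database: BSSID -> (lat, lon). The 00:00:5e:00:53:xx range is
# reserved for documentation (RFC 7042), so nothing here is a real AP.
WPS_DB = {
    "00:00:5e:00:53:01": (38.98900, -76.93700),
    "00:00:5e:00:53:02": (38.98910, -76.93690),
    "00:00:5e:00:53:03": (38.98920, -76.93720),
    "00:00:5e:00:53:04": (38.98950, -76.93650),
    "00:00:5e:00:53:05": (38.99100, -76.93500),
    "00:00:5e:00:53:06": (38.99500, -76.93000),
    "00:00:5e:00:53:07": (40.71280, -74.00600),  # another city entirely
}

EARTH_RADIUS_M = 6_371_000.0


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(h))


def weighted_centroid(locations, scan):
    """RSSI-weighted centroid of the scanned BSSIDs that `locations` knows.
    Weights are linear received power (10^(dBm/10)), so a strong AP pulls
    the estimate far harder than a weak one. None if nothing resolved."""
    total = lat = lon = 0.0
    for bssid, rssi in scan.items():
        if bssid not in locations:
            continue
        w = 10 ** (rssi / 10.0)
        lat += w * locations[bssid][0]
        lon += w * locations[bssid][1]
        total += w
    if total == 0.0:
        return None
    return (lat / total, lon / total)


def respond_with_position(db, scan):
    """Reply style the article attributes to Google: the server computes the
    client's position and discloses no per-AP coordinates at all."""
    return weighted_centroid(db, scan)


def respond_with_bssid_locations(db, scan, extra=400, radius_m=2000.0):
    """Reply style the article attributes to Apple: the geolocation of every
    submitted BSSID, plus (opportunistically) up to `extra` further BSSIDs
    within `radius_m` of the first one that resolved. `extra` and
    `radius_m` are this example's assumptions, not the real API's."""
    reply = {b: db[b] for b in scan if b in db}
    if not reply:
        return reply
    anchor = next(iter(reply.values()))
    neighbours = sorted((haversine_m(anchor, loc), b, loc)
                        for b, loc in db.items() if b not in reply)
    added = 0
    for dist, b, loc in neighbours:
        if added >= extra or dist > radius_m:
            break
        reply[b] = loc
        added += 1
    return reply


def client_side_position(reply, scan):
    """What the client does with a BSSID-locations reply: the same centroid,
    computed locally from the disclosed AP coordinates."""
    return weighted_centroid(reply, scan)


def compare(db, scan):
    """Side-by-side: how many AP records each style discloses per query,
    and that both styles yield the same fix for the client."""
    talkative = respond_with_bssid_locations(db, scan)
    return {
        "position_only_records_disclosed": 0,
        "talkative_records_disclosed": len(talkative),
        "server_position": respond_with_position(db, scan),
        "client_position": client_side_position(talkative, scan),
    }


if __name__ == "__main__":
    # Constructed scan: two APs heard, one strongly, one weakly.
    scan = {"00:00:5e:00:53:01": -45, "00:00:5e:00:53:02": -60}
    for k, v in compare(WPS_DB, scan).items():
        print(f"{k}: {v}")
```

The point the numbers make: a client asked about two APs gets its own position either way, but the talkative style also ships the coordinates of every other AP in the neighbourhood, which is exactly the property that let one query seed the next in the study.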

The design of Apple's system allowed Rye and Levin to compile a database of 490 million BSSIDs around the world, which they could then use to track the movements of individuals and groups of people over time.

"Because the precision of Apple’s WPS is on the order of meters, this allows us to, in many cases, identify individual homes or businesses where APs are located," the paper explains. "Out of respect for user privacy, we do not include examples that could publicly identify individuals in the case studies we examine in this work."

Nonetheless, the researchers say, it's "eminently possible" to use the techniques described in the paper to determine the identities of individuals or groups they're part of, "down to individual names, military units and bases, or RV parking spots."

The paper goes on to explore various scenarios in which this sort of location data could be used, including damage assessment after an attack (via disappeared BSSIDs), individual tracking using BSSIDs from GL.iNet travel routers, and tracing military movements in Ukraine via Starlink terminal BSSIDs.

The researchers say that they reported their findings to Apple, Starlink, and GL.iNet, and note that one way to keep your BSSID out of WPS databases is to append the string _nomap to the AP's Wi-Fi network name, or SSID – the SSID is set by the user while the BSSID is a hardware identifier.

Apple added support for _nomap in a March 27 update to its privacy and location services help page. Google's WPS and WiGLE, a crowdsourced geolocation project, have supported _nomap at least since 2016. We're told further mitigations are coming from the iPhone giant to thwart the described tracking.

"We know that Apple is taking our report seriously," Rye said. "We are given to understand that they have one or more additional remediations in the queue, and we're hopeful that these remediations will help protect the privacy of access point owners that would never know to append "_nomap" to their SSID to prevent them from being included in Apple's geolocation database."


Rye also praised the product security team at SpaceX for moving to address this issue quickly and implement BSSID randomization in their products.

"They had begun having some of their products implement BSSID randomization during our study in 2023, but sped up the implementation on all of their Starlink devices after we spoke to them," he said. "It's worth noting that this vulnerability wasn't caused by SpaceX (they have no control over what Apple or Google does), but they dealt with it promptly and the right way nonetheless."

"It's our position that BSSID randomization is the most robust defense against being tracked by a WPS, as generating a random identifier every time the device boots (or moves locations) will make it appear as a completely different device in a WPS."

The authors also alerted GL.iNet, the maker of travel routers, and found it less receptive. "They acknowledged the concern and our proposed fix of randomizing BSSIDs, but told us they have no plans to deploy that defense," said Rye.


Rye said that while he is not aware of work to make BSSID randomization – the recommended mitigation – part of the Wi-Fi standard, he's hopeful that this research will encourage technical experts at the IEEE to take up this issue, as they've done with MAC address randomization in the past.

"Certainly, there is now an almost 10 year history of client MAC address randomization, which I've worked on and you've covered in the past," he said. "That history can provide some lessons in what to do and what not to do.

"Specifically, client MAC address randomization suffered when device manufacturers included different unique identifiers other than the MAC address in their transmissions, or when randomization issues otherwise caused multiple 'random' MAC addresses to be linkable," Rye explained. "Wi-Fi access point manufacturers that implement BSSID randomization should be careful not to repeat those same mistakes."
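The mitigations the article names, seen from both sides that can apply them, as an added example that is not code from the paper, Apple, SpaceX or GL.iNet. On the WPS operator's side, `should_ingest` is an intake policy that honours the `_nomap` SSID suffix described above and skips locally administered (i.e. randomized) BSSIDs; on the access-point side, `random_bssid` mints a fresh locally administered unicast address at each boot, and `linkable_fields` is a vendor self-check for the pitfall Rye describes: stable fields left in the beacon that tie successive random BSSIDs back together. The policy itself, the beacon field names and the beacon records are this example's own constructions.

```python
import secrets

NOMAP_SUFFIX = "_nomap"   # opt-out convention the article describes


def is_locally_administered(bssid):
    """IEEE 802 reserves bit 0x02 of the first octet as the U/L bit;
    randomized addresses set it so they never collide with a vendor OUI."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def is_multicast(bssid):
    """Bit 0x01 of the first octet is the I/G bit; a BSSID must be unicast."""
    return bool(int(bssid.split(":")[0], 16) & 0x01)


def random_bssid():
    """AP side: mint a fresh BSSID for this boot, locally administered (U/L=1)
    and unicast (I/G=0), from a CSPRNG so successive values are unguessable."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE
    return ":".join(f"{b:02x}" for b in raw)


def should_ingest(ssid, bssid):
    """WPS operator side (this example's own policy, not any vendor's):
    decide whether an observed AP may enter the location database.
    Returns (accept, reason)."""
    if ssid.endswith(NOMAP_SUFFIX):
        return False, "owner opted out via _nomap"
    if is_locally_administered(bssid):
        return False, "locally administered (likely randomized) BSSID"
    if is_multicast(bssid):
        return False, "not a valid unicast BSSID"
    return True, "recorded"


def ingest(observations):
    """Apply the policy to a batch of (ssid, bssid, lat, lon) observations and
    return only the records that may be stored."""
    return [(ssid, bssid, lat, lon) for ssid, bssid, lat, lon in observations
            if should_ingest(ssid, bssid)[0]]


def linkable_fields(beacons):
    """AP vendor self-check: given beacon records from one device across
    several boots (each with a different randomized BSSID), return the names
    of fields whose value never changed. Every such field is a handle a WPS
    could key on instead of the BSSID, undoing the randomization. The SSID
    is reported too: owners set it, but a unique SSID is still a linker."""
    if len(beacons) < 2:
        return []
    first = beacons[0]
    stable = []
    for field in sorted(first):
        if field == "bssid":
            continue
        if all(field in b and b[field] == first[field] for b in beacons[1:]):
            stable.append(field)
    return stable


if __name__ == "__main__":
    # Constructed observations as a WPS crawler might receive them; the
    # 00:00:5e:00:53:xx addresses are the RFC 7042 documentation range.
    seen = [
        ("HomeNet",       "00:00:5e:00:53:01", 38.9890, -76.9370),
        ("HomeNet_nomap", "00:00:5e:00:53:02", 38.9891, -76.9369),
        ("travel-net",    random_bssid(),      38.9892, -76.9372),
    ]
    for ssid, bssid, *_ in seen:
        print(ssid, bssid, should_ingest(ssid, bssid))
    print("stored:", len(ingest(seen)), "of", len(seen))

    # Constructed beacons from one travel router across two boots: the BSSID
    # rotates, but a WPS-style identifier in a vendor element does not.
    leaky = [
        {"bssid": random_bssid(), "ssid": "travel-net", "wps_uuid": "constructed-uuid-1234", "seq": 12},
        {"bssid": random_bssid(), "ssid": "travel-net", "wps_uuid": "constructed-uuid-1234", "seq": 7},
    ]
    print("stable across boots:", linkable_fields(leaky))
```

Running the self-check on the constructed beacons reports `['ssid', 'wps_uuid']`: the rotating BSSID bought nothing, because the vendor element carried a constant identifier. Regenerating that element per boot leaves only the SSID, which is the owner's choice.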

Rye is scheduled to present the paper at Black Hat USA in August.

Apple did not respond to a request for comment. ®
