How Apple Wi-Fi Positioning System Can Be Abused to Track People Around the World

In depth Scientists have suggested that Apple’s Wi-Fi Positioning System (WPS) could be exploited to create a global privacy nightmare.

In a paper titled ‘Surveilling the Masses with Wi-Fi-Based Positioning Systems’, Erik Rye, a PhD student at the University of Maryland (UMD) in the US, and Dave Levin, associate professor at UMD, describe how the design of Apple’s WPS facilitates mass surveillance, even of those who do not use Apple devices.

“This work identifies the potential harm that could befall owners of Wi-Fi APs (access points), especially those among vulnerable and sensitive populations, who can be tracked using WPSs,” the authors explain in their paper [PDF]. “The threat applies even to users who do not own devices for which the WPSs are designed – for example, individuals who do not own Apple products could have their AP end up in Apple’s WPS simply by Apple devices coming within Wi-Fi transmission range.”

Apple is one of many companies, Google and Skyhook among them, that operate a WPS. A WPS gives client devices a way to determine their location that is more energy efficient than using the Global Positioning System (GPS); on mobile phones in particular, a WPS lookup consumes less power than a GPS fix.

Mobile devices that have obtained their location via GPS often report that position to a WPS, along with the MAC address of each Wi-Fi access point they can hear – the Basic Service Set Identifier (BSSID). Other mobile devices that are not using GPS can then obtain their location by querying the WPS.

Device queries send a list of nearby BSSIDs and their signal strengths to the WPS. The WPS, as the paper describes, generally responds in one of two ways.

Either it calculates the client’s position and returns those coordinates, or it returns the geolocations of the submitted BSSIDs (each tied to a particular AP’s hardware) and lets the client do the calculation to determine its own location.

Google’s WPS does the former, while Apple’s does the latter. But Apple’s system is exceptionally chatty, the researchers found.
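To make the second response model concrete, here is an added example (not code from the paper, from Apple or from Google) of how a client could turn a list of BSSID geolocations into a position estimate, and of how it can also see which BSSIDs came back without having been requested. The sample response, the sample scan, the path-loss constants and the weighted-centroid method are all assumptions constructed for illustration.

```python
# Constructed WPS response: geolocations keyed by BSSID, covering the BSSIDs the
# client submitted plus one it never asked about (all coordinates are invented).
SAMPLE_WPS_RESPONSE = {
    "02:11:22:33:44:01": (51.50110, -0.12420),
    "02:11:22:33:44:02": (51.50070, -0.12360),
    "02:11:22:33:44:03": (51.50130, -0.12330),
    "02:11:22:33:44:99": (51.52000, -0.10000),  # unsolicited extra BSSID
}

# Constructed client scan: BSSIDs actually heard, with received signal strength in dBm.
SAMPLE_SCAN = {
    "02:11:22:33:44:01": -45,
    "02:11:22:33:44:02": -60,
    "02:11:22:33:44:03": -75,
    "02:aa:bb:cc:dd:ee": -50,  # heard, but the WPS returned no position for it
}


def rssi_to_distance(rssi_dbm, tx_power_dbm=-40.0, path_loss_exponent=3.0):
    """Rough distance in metres from a log-distance path-loss model.
    The reference power and exponent are assumed constants, not calibrated values."""
    return 10 ** ((tx_power_dbm - rssi_dbm) / (10 * path_loss_exponent))


def estimate_position(scan, wps_response):
    """Client-side position estimate: a centroid of the geolocations of the
    BSSIDs that were both heard and returned, weighted by 1/distance^2.
    Returns None when no heard BSSID has a known position."""
    weighted_lat = weighted_lon = total_weight = 0.0
    for bssid, rssi in scan.items():
        if bssid not in wps_response:
            continue  # the WPS knows nothing about this AP; it contributes nothing
        lat, lon = wps_response[bssid]
        weight = 1.0 / rssi_to_distance(rssi) ** 2
        weighted_lat += weight * lat
        weighted_lon += weight * lon
        total_weight += weight
    if total_weight == 0.0:
        return None
    return (weighted_lat / total_weight, weighted_lon / total_weight)


def unsolicited_bssids(scan, wps_response):
    """BSSIDs whose location the client now knows without ever having heard them."""
    return set(wps_response) - set(scan)


if __name__ == "__main__":
    print("estimated position:", estimate_position(SAMPLE_SCAN, SAMPLE_WPS_RESPONSE))
    print("positions learned without asking:",
          unsolicited_bssids(SAMPLE_SCAN, SAMPLE_WPS_RESPONSE))
```

Averaging raw latitude and longitude is only reasonable over the few hundred metres a Wi-Fi scan covers; a real client would also discard stale or implausible entries. The set returned by `unsolicited_bssids` is what the privacy concern rests on: every query hands the client AP locations it had no need for.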

“In addition to the geolocations of the BSSIDs that the client submits, Apple’s API opportunistically returns the geolocations of hundreds more BSSIDs near those requested,” the paper says.

Erik Rye, co-author of the paper, explained to The Register that Google’s and Apple’s WPSes work in fundamentally different ways, and that only Apple’s, because of its openness, provided a way to conduct this research.

“In Apple’s version, you submit BSSIDs to geolocate, and it returns the geolocation where it thinks the BSSID is,” Rye said. “It also returns many more (up to 400) that you did not request and that are nearby. The additional 400 were very important to our research, as they allowed us to collect a large amount of geolocated BSSIDs in a short time. Additionally, Apple’s WPS is not authenticated or rate limited and is free to use.”

Google’s WPS, he said, merely returns a calculated location, and it is also authenticated, rate-limited and paid for, making surveys of this kind prohibitively expensive to conduct.

The design of Apple’s system allowed Rye and Levin to compile a database of 490 million BSSIDs around the world, which they could then use to track the movements of individuals and groups of people over time.

“Because the accuracy of Apple’s WPS is on the order of meters, in many cases we can identify individual homes or businesses where APs are located,” the paper explains. “Out of respect for user privacy, we do not include examples that could publicly identify individuals in the case studies we examine in this work.”

Nevertheless, the researchers say it is “eminently possible” to use the techniques described in the paper to determine the identities of individuals or the groups they belong to, “down to individual names, military units and bases, or parking lots for campers.”

The article then explores several scenarios in which this type of location data could be used, including post-attack damage assessment (via missing BSSIDs), individual tracking using BSSIDs from GL.iNet travel routers, and tracking military movements in Ukraine via BSSIDs from Starlink terminals.

The researchers say they reported their findings to Apple, Starlink and GL.iNet, and note that one way to keep an access point’s BSSID out of WPS databases is to add the string _nomap to its Wi-Fi network name, the SSID – the SSID is set by the user, whereas the BSSID is a hardware identifier.

Apple added support for _nomap in a March 27 update to its privacy and location services help page. Google’s WPS and WiGLE, a crowdsourced geolocation project, have supported _nomap since at least 2016. We’re told further measures are coming from the iPhone giant to thwart the tracking described.
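Because the opt-out is a convention on the network name, a router-management script can both check for it and apply it. The following is an added example, not from the paper or from any vendor; it assumes the suffix must sit at the very end of the name and respects the 32-octet SSID limit of 802.11 by shortening the base name, never the suffix.

```python
OPT_OUT_SUFFIX = "_nomap"
MAX_SSID_BYTES = 32  # 802.11 SSID length limit, in octets


def is_opted_out(ssid: str) -> bool:
    """True if the network name carries the _nomap suffix at its end."""
    return ssid.endswith(OPT_OUT_SUFFIX)


def opt_out_ssid(ssid: str) -> str:
    """Return the SSID with _nomap appended, shortening the base name if needed
    so the result still fits in 32 bytes of UTF-8 without a half-cut character."""
    if is_opted_out(ssid):
        return ssid
    suffix = OPT_OUT_SUFFIX.encode("utf-8")
    room = MAX_SSID_BYTES - len(suffix)
    base = ssid.encode("utf-8")[:room]
    # a byte-level cut may have split a multi-byte character; drop the fragment
    base = base.decode("utf-8", errors="ignore").encode("utf-8")
    return (base + suffix).decode("utf-8")


def audit_ssids(ssids):
    """For a list of configured network names, report whether each already opts
    out of WPS collection and what its opted-out form would be."""
    return {s: (is_opted_out(s), opt_out_ssid(s)) for s in ssids}


if __name__ == "__main__":
    # constructed sample names, including one that needs truncating
    for name, (done, fixed) in audit_ssids(["HomeNet", "Café", "A" * 40]).items():
        print(f"{name!r}: opted out={done}, opted-out form={fixed!r}")
```

The rename only changes the SSID; the BSSID is a hardware identifier the user cannot change, and the opt-out only works where a given WPS honours it, which per the above is Apple (since the March 27 update), Google and WiGLE.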

“We know Apple takes our report seriously,” Rye said. “We are being told that they have one or more additional remediations queued up, and we hope that these remediations will help protect the privacy of access point owners who would never know to add ‘_nomap’ to their SSID in order not to be included in Apple’s geolocation database.”


Rye also praised SpaceX’s product security team for quickly addressing the issue and implementing BSSID randomization in its products.

“They had started implementing BSSID randomization for some of their products in 2023 during our research, but accelerated implementation on all their Starlink devices after we spoke to them,” he said. “It’s worth noting that this vulnerability wasn’t caused by SpaceX (they have no control over what Apple or Google does), but they still dealt with it quickly and appropriately.”

“We believe that BSSID randomization is the most robust defense against tracking by a WPS, because generating a random identifier every time the device boots up (or moves locations) makes it appear in a WPS as a completely different device.”

The authors also warned GL.iNet, the maker of travel routers, and found it less receptive. “They acknowledged the concern and our proposed solution to randomize BSSIDs, but told us they have no plans to deploy that defense,” Rye said.


Rye said that while he is not aware of any work to make BSSID randomization – the recommended mitigation – part of the Wi-Fi standard, he is hopeful that this research will encourage technical experts at the IEEE to take up the issue, as they did with MAC address randomization in the past.

“Certainly, there’s now almost a decade of history of client MAC address randomization, which I’ve worked on and you’ve covered in the past,” he said. “That history can provide us with some lessons about what we should and shouldn’t do.

“Specifically, client MAC address randomization suffered when device manufacturers included unique identifiers other than the MAC address in their transmissions, or when randomization issues otherwise caused multiple ‘random’ MAC addresses to be linkable,” Rye explains. “Wi-Fi access point manufacturers implementing BSSID randomization should be careful not to repeat the same mistakes.”
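The lesson Rye draws from client MAC randomization, that a fresh random BSSID is only as good as the other fields broadcast alongside it, can be turned into a self-check an AP vendor runs over its own beacon contents before shipping. The following is an added example, not code from SpaceX, GL.iNet or the paper: it generates a locally-administered random BSSID per simulated boot (an assumed scheme, not any vendor’s) and flags any other broadcast field that stays constant across boots. The beacon field names and values are constructed and hypothetical.

```python
import secrets


def random_bssid() -> str:
    """Fresh locally-administered unicast MAC for one boot (assumed scheme)."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE  # set the locally-administered bit, clear multicast
    return ":".join(f"{x:02x}" for x in b)


def is_locally_administered_unicast(mac: str) -> bool:
    """Check the two flag bits of the first octet of a colon-separated MAC."""
    first = int(mac.split(":")[0], 16)
    return bool(first & 0x02) and not (first & 0x01)


def simulate_boots(n: int, rotate_other_identifiers: bool) -> list:
    """Constructed beacon fields a crowdsourcing client might record across n boots
    of the same AP. Field names are hypothetical; 'ssid' is deliberately constant."""
    observations = []
    for _ in range(n):
        observations.append({
            "bssid": random_bssid(),
            "ssid": "travel-ap",  # a network name is shared by many devices, so not unique
            "vendor_ie_serial": secrets.token_hex(4) if rotate_other_identifiers else "SN-0001",
            "wps_uuid": secrets.token_hex(8) if rotate_other_identifiers else "uuid-fixed",
        })
    return observations


def stable_fields(observations, expected_constant=("ssid",)) -> set:
    """Return the fields that never change across observations even though the
    BSSID does. Any such field outside expected_constant re-links the randomized
    BSSIDs to one physical device, which is exactly the mistake to avoid."""
    bssids = {o["bssid"] for o in observations}
    if len(bssids) < 2:
        return set()  # no randomization to assess yet
    fields = set().union(*(o.keys() for o in observations)) - {"bssid"} - set(expected_constant)
    linking = set()
    for field in fields:
        values = {o.get(field) for o in observations}
        if len(values) == 1 and None not in values:
            linking.add(field)
    return linking


if __name__ == "__main__":
    print("leaky implementation links via:", stable_fields(simulate_boots(4, False)))
    print("rotating implementation links via:", stable_fields(simulate_boots(4, True)))
```

In practice the same check is run against real beacon captures from the device under test rather than a simulation; the point is that randomizing the BSSID alone proves nothing until every other identifier a WPS client could record has been reviewed.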

Rye will present the paper at Black Hat USA in August.

Apple did not respond to a request for comment. ®
