Man
Professional
- Messages
- 3,077
- Reaction score
- 614
- Points
- 113
As is known, Android and iOS actively use information about surrounding Wi-Fi access points to position their smartphones. Periodically, the smartphone scans the surrounding space for surrounding BSSIDs (unique identifiers of WiFi routers), also registers its GPS coordinates - and sends the information to the manufacturer of the operating system.
In turn, Google and Apple provide geolocation information to everyone through open APIs.
But researchers from the University of Maryland (USA) have proven that the details of the API implementation allow tracking the movement of routers around the world, that is, tracking people.
Both Apple and Google use their own WiFi-based Positioning Systems (WPS), which receive specific hardware identifiers from all wireless access points within range of mobile devices. Both systems register the Media Access Control (MAC) identifier of the access point as a Basic Service Set Identifier, or BSSID.
Apple and Google mobile devices transmit their location data by querying GPS and/or using cell towers as landmarks, as well as any nearby BSSIDs. This combination of data allows smartphones to determine their location to within a few meters, and allows a mobile phone to display a planned route even if the device cannot determine it via GPS.
With Google's WPS, the device sends a list of BSSIDs of nearby Wi-Fi access points and their signal strength via an API, and WPS calculates the device's position and sends the result. WPS requires at least two BSSIDs to calculate the approximate location of a device.
Apple's similar WPS also takes a list of nearby BSSIDs, but instead of calculating the device's location based on a set of observed access points and their signal strength and then reporting that result to the user, the API returns the geolocation of up to 400 hundred more BSSIDs in the vicinity of the one requested. The device itself uses about eight of these BSSIDs to determine the user's location based on known landmarks.
Essentially, Google's WPS calculates the user's location and transmits it to the device. Apple's WPS provides its devices with a large enough volume of data about the location of known access points in the area that the devices can calculate it on their own.
As researchers from the University of Maryland found, this amount of data from Apple can be used to map the movements of individual devices in almost any specific area of the world. For example, you can choose a war zone and check what locations devices are moving there from. And this is a real threat to human life.
The authors of the study asked the API for the location of more than a billion randomly generated BSSIDs over the course of a month.
While only 3 million real BSSIDs were found among the randomly generated ones, Apple also returned an additional 488 million BSSID locations already stored in WPS.
The number of BSSIDs discovered by randomly guessing among IEEE-assigned OUIs, compared to the additional BSSIDs returned by Apple's Wi-Fi Geolocation API. Note that the vertical axis is logarithmic.
The resulting list of BSSIDs was filtered by a list of BSSID ranges assigned to specific device manufacturers. This is publicly availablefile from IEEE .
The number of unique geolocated BSSIDs, sorted by the most common OUI (left) and vendor (right). Some vendors are listed under multiple names in the IEEE OUI database; this table shows a summary after merging duplicates
By mapping the locations obtained from Apple WPS between November 2022 and November 2023, the authors of the study found that they had a nearly global view of the locations associated with more than two billion Wi-Fi access points. The map shows the geolocation of access points in almost every corner of the globe.
Heat map of BSSIDs discovered by randomly guessing among IEEE-assigned OUIs
And by targeting specific, smaller regions, it’s possible to track how Wi-Fi access points move over time. For example, you could track the movements of specific Starlink terminals in a given region.
Starlink released a software update in early 2023 to randomize the BSSID of its main router and, more recently, its WiFi repeaters, reports Brian Krebs.
In March 2024, Apple updated its privacy and location policy . You can now opt out of having your WiFi hotspots indexed by adding the suffix to your network name _nomap:
This flag also blocks Google from indexing your location.
Researchers believe that adding the flag is a good first step for Apple to avoid broadcasting every BSSID in the world on a large scale. They also believe that API request rates should be limited to prevent people from accumulating huge amounts of data that could be used to spy on WiFi routers at scale.
Users are encouraged to randomize the BSSID of a device that operates in hotspot mode.
Paper "Mass Surveillance with WiFi-Based Positioning Systems" presented May 21, 2024 at the 45th IEEE Symposium on Security and Privacy.
Source
