Researchers from the University of Maryland have raised alarms over privacy vulnerabilities in Apple’s Wi-Fi Positioning System (WPS). The study, led by PhD candidate Erik Rye and Associate Professor Dave Levin, suggests that Apple’s WPS could be exploited to track individuals globally, including those who do not use Apple devices.
Tracking Sensitive Populations
The research reveals that Wi-Fi access point (AP) owners, particularly those in sensitive situations, are susceptible to tracking via WPS. Like those from Google and Skyhook, Apple’s system offers a more energy-efficient alternative to GPS for location determination. Mobile devices using GPS often send a Wi-Fi AP’s MAC address (BSSID) to a WPS service, providing location data. Apple’s system, however, returns the geolocations of the submitted BSSIDs and up to several hundred additional nearby BSSIDs.
Unlike Google’s WPS, which returns a single calculated location, Apple’s system provides extensive data on nearby BSSIDs. This lack of authentication and rate limiting has enabled researchers to compile a database of 490 million BSSIDs globally. Rye notes that this openness allowed them to quickly gather many geolocated BSSIDs, essential for tracking the movements of individuals and groups with high precision.
Global Tracking Capabilities
The researchers utilized publicly available data from Apple to track billions of devices worldwide, including non-Apple devices like Starlink systems. They monitored events such as the destruction in Gaza and the movements of Russian and Ukrainian troops. Apple collects and shares precise location data of all Wi-Fi access points detected by its devices, returning the geolocations of up to 400 nearby BSSIDs.
Over a month, the researchers queried Apple’s API, discovering that Apple’s WPS contained 488 million BSSID locations. By consulting the IEEE list of BSSID ranges assigned to device manufacturers, they avoided unallocated BSSIDs. They mapped over two billion Wi-Fi access points globally, excluding regions like China, central Australia, and parts of Africa and South America.
The researchers emphasized the privacy risks for vulnerable populations, such as those fleeing abusive relationships or stalkers. Mobile phone hotspots use random BSSIDs, reducing location privacy risks. However, travel routers used in campers, RV parks, and marinas pose significant privacy risks, as they can be tracked between locations.
Geofencing Conflict Zones
By geofencing conflict zones in Ukraine, the researchers identified 3,722 Starlink terminals. These terminals include Wi-Fi access points indexed by nearby Apple devices with location services enabled. The researchers shared their findings with Starlink, leading to software updates that randomize BSSIDs. They also geo-fenced the Israel-Hamas war in Gaza, tracking device migration and disappearance as infrastructure was destroyed.
The study suggests appending “_nomap” to a Wi-Fi network’s SSID to prevent it from being included in WPS databases. Apple has updated its privacy and location services help page to support this mitigation. Google and WiGLE have supported this method since 2016. Further mitigations from Apple are anticipated to enhance privacy protections for AP owners unaware of the “_nomap” option.
Last Updated on November 7, 2024 8:11 pm CET