The key element of Apple's location services contains a serious privacy vulnerability that allows tracking the movement of Starlink in war zones. The vulnerability also allows a malicious actor to determine the location of anyone with a mobile Wi-Fi router.
How does Wi-Fi positioning work?
How do Apple devices determine their location? GPS is the primary technology used, but not the only one. In cities, for example, tall buildings can obstruct GPS signals. Another key method used by mobile devices is known as Wi-Fi positioning systems (WPS).
WPS utilizes a global database of almost 500 million Wi-Fi routers. It is important to note that it is not only public devices to which they may have access, but also all BSSID (set by manufacturers) that they can see. This includes common, widely available Wi-Fi routers. Devices do not access the router, but they can detect it and refer to the database to find out its exact location.
Both Apple and Google maintain their own WPS databases. The method they use is essentially the same: identifying nearby BSSID (Basic Service Set Identifier), measuring the strength of each signal, and comparing the results with the WPS database to determine the location of the mobile device.
However, there is a significant difference in how Apple and Google devices perform this task - and this is where the privacy issue arises.
Apple Location Services Vulnerability
An Android phone records the BSSID identifiers that it can see, along with signal strength, and sends this data to Google's server. The server uses the WPS database to calculate the location and sends it back to the phone.
However, researchers from the University of Maryland found that Apple devices use a different approach. Apple's WPS also takes a list of nearby BSSID identifiers, but instead of calculating the device's location based on a set of observed access points and signal strength received, and then reporting the result to the user.
- Apple's API returns location for over 400,000 nearby BSSID.
Approximately eight of these BSSID are then used to determine the user's location based on known landmarks.
Essentially, Google's WPS calculates the user's location and sends it to the device. Apple's WPS provides its devices with a substantial amount of data on the location of known access points in the area so that devices can make this assessment themselves. Data processing on the device is one of Apple's "features".
- Researchers claim that they can use Apple's API data stream to track the movement of individual devices in and out of virtually any specified area in the world. They spent a month at the beginning of their research, continuously querying the API about the location of over a billion randomly generated BSSID.
They found that while only about three million of these randomly generated BSSID were known to Apple's Wi-Fi geolocation API, Apple returned an additional 488 million BSSID that are already stored in the WPS database from other searches.
- As a result, researchers were able to essentially "steal" Apple's WPS database.
Studying location data obtained from Apple's WPS from November 2022 to November 2023, researchers gained an almost global view of the location of over 2 billion Wi-Fi access points.
- Researchers can track how Wi-Fi access points move over time. Why could this be a big problem? They found that by geofencing active war zones in Ukraine they were able to determine the location and movement of Starlink devices used by Ukrainian and Russian forces.
The risk was greatest with mobile Starlink access points, and now the company has addressed this by randomizing the BSSID used.
- To prevent Apple or Google from adding your router to their databases, you can add _nomap to your SSID.
Apple has stated that it will take measures to limit the number of requests to its database to reduce the risk.
Sources: Krebs on Security, 9to5mac
Comments (0)
There are no comments for now