Security researchers report that a key element of Apple Location Services contains what they call “a really serious privacy vulnerability” that allowed troop movements to be tracked.
The issue could also allow an attacker to work out the location of anyone using a mobile wifi router, such as those in RVs, and travel routers sometimes used by business travellers …
Understanding Wi-Fi-based Positioning Systems
We first need to understand how Apple devices figure out their locations.
GPS is the primary technology used, but not the only one. In urban locations, for example, tall buildings can make it difficult to receive the very weak signals from GPS satellites, so another key method used by mobile devices is known as Wi-Fi-based Positioning Systems (WPS).
WPS uses a global database of almost 500 million wifi routers. Crucially, this isn’t just public ones they can actually access, but all the BSSIDs* they can see. This includes your home wifi router, for example. Devices don’t gain any access to your router, but they can detect it and consult a database to find out exactly where it is located. (These databases were created by cars driving around, using multiple methods to track their locations, and collecting BSSIDs which could then be matched to those locations.)
*The manufacturer-set BSSID is different from the user-chosen SSID of your router. You can think of it as the MAC address of the radio card in the router.
Both Apple and Google maintain their own WPS databases, and the method they use is essentially the same. Detect nearby BSSIDs, measure the strength of each signal, and then compare this data with the WPS database to figure out where the mobile device is located.
However, there is one crucial difference between the way in which Apple and Google devices carry out this task – and that’s where the privacy issue arises.
Apple Location Services vulnerability
Google devices use WPS like this. An Android phone (say) notes the BSSIDs it can see, and their signal strengths, and sends that data to a Google server. The server uses the WPS database to calculate the phone’s location, and send it to the phone.
But researchers from the University of Maryland found that Apple devices take a different approach, as Krebs on Security reports.
Apple’s WPS also accepts a list of nearby BSSIDs, but instead of computing the device’s location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple’s API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.
In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.
On-device processing is one of Apple’s trademarks, and sounds more secure – but here’s where the problem arises.
Researchers at the University of Maryland […] theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.
They learned that while only about three million of those randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.
The result was that they were essentially able to ‘steal’ the WPS database.
Plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points […]
The researchers said that by zeroing in on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.
You can now opt out of your BSSID being collected
The risk was greatest with Starlink mobile hotspots, and the company has now addressed this by randomizing the BSSIDs used.
If you want to prevent both Apple and Google from adding your router to their databases, you can add _nomap to your SSID. For example, if your wifi SSID is currently John Appleseed Home, you can change it to John Appleseed Home_nomap.
This tells both Apple and Google that your router is off-limits, and they will not collect your BSSID.
Apple has said that it will be taking steps to limit the number of times its database can be queried in order to mitigate the risk.
Photo by GeoJango Maps on Unsplash
FTC: We use income earning auto affiliate links. More.
