Why Your Wi-Fi Router Doubles As an Apple AirTag (krebsonsecurity.com)
An anonymous reader quotes a report from Krebs On Security: Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally -- including non-Apple devices like Starlink systems -- and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops. At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.
Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-Fi access point uses, known as a Basic Service Set Identifier or BSSID. Periodically, Apple and Google mobile devices will forward their locations -- by querying GPS and/or by using cellular towers as landmarks -- along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it's what allows your mobile phone to continue displaying your planned route even when the device can't get a fix on GPS.
With Google's WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths -- via an application programming interface (API) request to Google -- whose WPS responds with the device's computed position. Google's WPS requires at least two BSSIDs to calculate a device's approximate position. Apple's WPS also accepts a list of nearby BSSIDs, but instead of computing the device's location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple's API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user's location based on known landmarks.
In essence, Google's WPS computes the user's location and shares it with the device. Apple's WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own. That's according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple's API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random. They learned that while only about three million of those randomly generated BSSIDs were known to Apple's Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups. "Plotting the locations returned by Apple's WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points," the report adds. "The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America."
The researchers wrote: "We observe routers move between cities and countries, potentially representing their owner's relocation or a business transaction between an old and new owner. While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location."
A copy of the UMD research is available here (PDF).
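To make the difference concrete: when the service returns access-point coordinates, as the summary says Apple's does, the position fix is computed on the device itself. The following is an added example, not code from the article, the researchers, or Apple; it assumes a simple RSSI-weighted centroid as the estimation method and uses constructed BSSIDs and coordinates.

```python
import math

# Constructed sample data, not real access points. KNOWN_APS stands in for the
# BSSID -> (lat, lon) records a WPS hands back; SCAN is what the radio hears.
KNOWN_APS = {
    "02:00:00:aa:00:01": (38.98690, -76.94260),
    "02:00:00:aa:00:02": (38.98705, -76.94230),
    "02:00:00:aa:00:03": (38.98670, -76.94215),
    "02:00:00:aa:00:04": (38.99500, -76.93000),  # known, but out of range
}
SCAN = {  # BSSID -> received signal strength in dBm
    "02:00:00:aa:00:01": -48,
    "02:00:00:aa:00:02": -63,
    "02:00:00:aa:00:03": -71,
    "02:00:00:bb:00:09": -80,  # heard, but absent from the database
}


def rssi_to_weight(rssi_dbm):
    """Convert dBm to linear milliwatts so stronger (closer) APs count more."""
    return 10 ** (rssi_dbm / 10.0)


def estimate_position(scan, known_aps, max_aps=8):
    """Weighted centroid of the strongest known APs.

    Returns (lat, lon, bssids_used), or None when no scanned BSSID is known.
    max_aps=8 mirrors the "approximately eight" landmarks the article cites.
    """
    usable = sorted(
        ((bssid, rssi) for bssid, rssi in scan.items() if bssid in known_aps),
        key=lambda item: item[1],
        reverse=True,
    )[:max_aps]
    if not usable:
        return None
    weights = [rssi_to_weight(rssi) for _, rssi in usable]
    total = sum(weights)
    lat = sum(w * known_aps[b][0] for w, (b, _) in zip(weights, usable)) / total
    lon = sum(w * known_aps[b][1] for w, (b, _) in zip(weights, usable)) / total
    return lat, lon, [b for b, _ in usable]


def haversine_m(a, b):
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000 * math.asin(math.sqrt(h))


if __name__ == "__main__":
    lat, lon, used = estimate_position(SCAN, KNOWN_APS)
    print(f"estimate: {lat:.5f}, {lon:.5f} from {len(used)} APs")
    print(f"distance to strongest AP: "
          f"{haversine_m((lat, lon), KNOWN_APS[used[0]]):.1f} m")
```

The estimate needs every landmark's coordinates on the client, which is why a service built this way has to hand out access-point locations rather than only a computed fix.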
Monitor? (Score:3)
"and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops"
Israel's AIs might use this data to find the terrorists' locations when designing houses to bomb.
Re: (Score:1)
The IDF isn't really interested in that any more, they knew pretty much where people used to live before they started the carpet bombing. Their AIs were designed to predict when the target was at home so that they could be killed along with their entire family. (It was actually named "Where's Daddy".) It's irrelevant now, since over 70% of the structures in Gaza have been destroyed and most of those left are in such dangerous shape that they can't be safely occupied. They're a lot more interested in whi
Re: Monitor? (Score:3)
So you really don't know what is going on there? It must be hard to maintain your ignorance of the worst Crimes Against Humanity since Rwanda.
Re: (Score:2)
Spoiler: you're wrong. I'd guess the taking of Ukrainian children by the Russians is higher on the list, as are the deeds from October 7th.
Re: (Score:2)
So removing children from a conflict zone so that they won't be killed is worse to you than the deliberate massacre of tens of thousands of innocents? Your moral compass needs recalibration. And really, you think that the deaths of ~750 civilians (the rest were soldiers or police), an unknown but quite large percentage of whom were killed by the IDF's indiscriminate fire, is worse than carpet bombing high rise apartments full of children? The only conclusion possible from that absurdity is that you think
Re: (Score:2)
Aside that, you used big words to claim the actions of IDF are to be condemned, to which I posted a link, which you cleanly ignored, with nuan
Re: (Score:2)
'The IDF isn't really interested in that any more, they knew pretty much where people used to live before they started the carpet bombing. '
Bombing 27000 separately AI-designed targets, with an average of 1-2 collateral damage is not 'carpet bombing'.
Re: (Score:2)
So you've managed to avoid looking at photos of Gaza City? That's a very weird news consumption pattern you have.
Re: (Score:2)
I worked on this system nearly 10 years ago for the U.S. DoD.
If you're broadcasting your name through the (Score:3)
Luminiferous Aether, do you really have an expectation of privacy?
Re: (Score:2)
I know, this is why I have always just duplicated common default SSIDs on my networks.
Sites like wiggle.com have been around for a while and make it easy to locate people who have unique wifi network names.
Re: (Score:2)
Mistyped. It's wigle.net
Re: (Score:2)
The SSID doesn't matter, it's the MAC address of the radio interface of the AP. Also, not just *your* AP, but every AP within radio range of you including your neighbor's printer and your other neighbor's smart thermostat.
Escaping this tech would require a faraday cage.
Re: (Score:2)
Or changing the MAC address of the AP. MAC addresses are issued to manufacturers in blocks, change the address of your AP to one in the block that Sony used for its old security cameras or which Nokia used for its long-discontinued WAPs. Maybe something issued to 3-Com or Digital Equipment. As long as the local router doesn't somehow run into ancient equipment that should have been a brick decades ago you won't have a problem.
Re: (Score:2)
Right now, where I'm sitting, I can see beacon messages with BSSIDs for about 40 devices, and I control less than 10 of them. (Hey, what is this FBI surveillance van network. Weird.) Changing the mac addresses of my 10 devices still leaves two dozen data points an attacker can use to geolocate from this spot. What should I do? Move far enough away that I can't "see" BSSIDs in broadcasts from my neighbors? :)
Re: (Score:2)
How will that fix anything? Then MAC addresses they collect are just dumped into a
Re:Crowdsourced wardriving (Score:4, Interesting)
Privacy is dead, and anonymity isn't far behind.
It'll soon be next to impossible to actually conceal your identity, movements, or activities without going to truly extreme lengths. It's barely possible now.
Re: (Score:2)
It doesn't seem like a big deal. What is the privacy invasion due to everyone in range being able to detect your home WiFi's MAC address? What practical examples of bad things happening as a result are there?
The only real issue was mobile device MAC addresses facilitating tracking, but both Android and iOS randomize them now for open networks.
Re: Crowdsourced wardriving (Score:1)
It's not just physical location of the AP that's valuable but any devices talking to the AP that can be passively collected. I am not sure if any phone radios are doing rfmon for passive scanning but I honestly would not be surprised to see phones inherit this "capability" to collect location without sending active probes to see what APs advertise, either, for example in "airplane" mode, to later process offline location info/seen APs with GPS coordinates when connectivity is restored.
Re: (Score:2)
APs broadcast their SSIDs at regular intervals, several times a second. Airplane mode only allows passive reception, so phones in that mode can still pick up nearby APs.
It's a fair point that every device talking to an AP broadcasts its MAC address in the clear. On Android you can change the settings to randomize the MAC address regularly, even for known encrypted APs.
Re: (Score:1)
To my knowledge most radios on Android phones at least do not put the radio into "rfmon" but theoretically it wouldn't violate the premise that Airplane Mode doesn't interfere with aircraft as it's passive. It's speculative but something I would assume or even presume could happen in the rollout of any new phone if it hasn't happened already. Why wouldn't they? The entire point is to turn phones into environmental monitors. microphones, ISM bands, the more it can hear the better (to them).
Re: (Score:2)
I'm not talking about wifi signals; I'm speaking in a general sense. Wifi mapping is just one tiny, tiny part of the elimination of privacy or anonymity.
Re: Crowdsourced wardriving (Score:4, Informative)
"Since the lies about Russia manipulating social media"
Russian interference and manipulation of social media is a fact that's been proven repeatedly, and at this point anyone who believes it isn't happening is a fool.
Re: (Score:3)
US/EU manipulation of social media is several orders of magnitude greater and very much more intrusive. Farcebook, Instagram, Google, and the like have US government intrusion baked into their corporate DNA and are full of staffers from the alphabet soup of intel agencies. Of course they've just followed the lead of the corporate media, which were taken over decades ago. The US is the most intensely propagandized country on Earth, and very few of its citizens even realize it. As a Soviet general told wr
Re: (Score:1)
How the CIA made Google
Inside the secret network behind mass surveillance, endless war, and Skynet
a new crowd-funded investigative journalism project, breaks the exclusive story of how the United States intelligence community funded, nurtured and incubated Google as part of a drive to dominate the world through control of information. Seed-funded by the NSA and CIA, Google was merely the first among a plethora of private sector start-ups co-opted by US intelligence to retain ‘information superiority.’
https://medium.com/insurge-int... [medium.com]
Re: (Score:2)
"US/EU manipulation of social media is several orders of magnitude greater and very much more intrusive."
We don't know that, but I'm not saying it isn't the case. Still, that doesn't discount Russian state-level manipulation of social media that we *know* is happening.
Re: (Score:1)
Did you support the Iraq war? If we had the tools we did back in 2003, you'd be parroting that this is Iraqi/Iranian interference and propaganda questioning the WMD narrative.
Believing the Russian disinfo line means you believe the domestic interference and manipulation by our own media, and presumably a full supporter of "disinformation" censorship, dialogue about any talk about election interference, skepticism of government, etc. If it criticizes the powers that be, what a convenient bullshit propagandis
Re: (Score:2)
Focus, honey, focus.
Again, Russian interference and manipulation of social media is a fact that's been proven repeatedly, and at this point anyone who believes it isn't happening is a fool.
Similarly, the American and Chinese governments run their own interference campaigns, as do many other countries.
Or are you going to claim that none of this is going on and that the internet is free from state-level actors? You're not that dumb....are you?
Re: Crowdsourced wardriving (Score:1)
Also: Be ready to be "voluntaryed" the shit out of to join these coming soon programs. It's been the wet dream accelerated since vaccine passports. Watch our Five Eyes and EU allies crumble as free speech and anonymity dries up there first.
https://digital-strategy.ec.eu... [europa.eu]
Re: (Score:2)
Privacy is dead, and anonymity isn't far behind.
It'll soon be next to impossible to actually conceal your identity, movements, or activities without going to truly extreme lengths. It's barely possible now.
The implication of this is that rights, like Freedom of Speech, need to be taken A LOT more seriously. Because loss of privacy directly translates into loss of ability to dissent.
Re: (Score:2)
"You have no privacy, get over it." - Scott McNealy, in 1998
The man may have been an asshole, but I've seen no indication since that he was wrong.
Re: (Score:1)
Privacy and free speech are worth dying for, and spilling the blood of those who threaten it.
Re: Crowdsourced wardriving (Score:2)
Well, once you get your time machine perfected we'll get right on it.
Re: (Score:2)
People like detritus always have simple, violent 'solutions' that never work.
Re: (Score:2)
Bingo, and the ability to monitor events was much, much lower than it is now.
Now when a residential crime occurs the cops just go up and down the street asking for doorbell and security cam footage, and 99% of the perpetrator is on video. Then they pull street cam and DOT footage and basically follow the person or car back to wherever it came from.
The Brits have been doing this for years and we're just now catching up. Drive around London for 5 minutes and you'll be on dozens and dozens of cameras (if not m
Re: (Score:2, Interesting)
I was with you up to the point where you just HAD to pull the red MAGA flag from behind your back and wave it in front of everyone, trying to convince us that these problems just magically appeared during the past 3 years, four months and had to be the fault of the evil [insert bad guy of the day here].
Re: (Score:2)
Now everyone is effectively "wardriving" with this functionality built into the libraries used by 3rd party apps that millions of people use. It's an additional method of monetizing your app.
Seriously? (Score:2)
So the government has all this tracking ability, yet 40% of murders and an even worse number of stranger rapes and serious assaults go unsolved.
Re: (Score:3)
In what scenario would knowing the location of a particular wi-fi access point help you solve a murder? People aren't generally carrying them around with them when they go on crime sprees.
Re: (Score:2)
Generally they don't become criminals because they got bored being rocket scientists, they almost certainly ARE carrying their phones on the crime spree, and a ridiculous number of them use it to document it on their Farcebook or Instagram feed.
Re: (Score:2)
they almost certainly ARE carrying their phones on the crime spree
A phone isn't (generally) a wi-fi access point. Even if it were acting as one for tethering, Apple's data on a highly-mobile AP wouldn't tell you anything interesting about its actual location at a given point in time.
Re: Seriously? (Score:2)
Ah, misunderstood, thought that you meant the phone, which would record the closest APs to where they're criming.
"Publicly available" information (Score:2)
Re: (Score:2, Interesting)
I don't remember giving Apple or Google the permission to track the position of my devices. How did that information become "publicly available"?
For your mobile, one of two things happened.
Either you really did not go in to the settings and enable "track my phone", in which case that particular info isn't sent to them and isn't publicly available.
Or, you did go in and turn on the setting to track your phone and forgot you explicitly gave them that permission.
Of course for your AP, what this particular story is about, here's what happened.
You installed a device that screams out into the public to anyone around you that it is there.
It isn't reasonable
Re: (Score:3)
It isn't reasonable to expect the rest of the world to "protect your privacy" when you're screaming "here I am, here I am" to the public.
This is "shouldn't have dressed that way" argument. Arguing that technology leaking data is the same as surrendering privacy is a faulty argument. I also have a house number, bank account number, license plate, facial features, unique gait, fingerprints, shed DNA everywhere I go, etc. If you know my bank account number, this does not authorize you to make withdrawals without my permission, that would be fraud. Similarly, using my SSID to geolocate is a violation of privacy.
Re: (Score:2)
That's beyond stupid.
I'm no fan of Google or Apple, but here they're collecting radio signals YOU choose to broadcast. It's like saying you didn't give other patrons permission to listen to what you're saying in a crowded bar. If you don't want them listening in, your only option is to shut up.
Google was first (Score:4, Informative)
Google has been doing this for a couple decades now, using their Street View cars (you know, the ones that take 360 degree pictures while driving around every possible street and road). In addition to taking the pictures, they harvest all received WiFi MAC addresses and of course the exact location where those access points were heard.
There was a lawsuit over 10 years ago about this, because in addition to just collecting the MAC address, they were actually storing all the raw data they received. Back then a LOT of home WiFi access points didn't even use encryption (I remember what a pain it was to connect a Nintendo DS to a protected access point). So Google was collecting a tremendous amount of actual private data, which they weren't getting rid of. It was big news back then, here's an article on it. [theguardian.com]
Anyway, my point is that this has been going on a LONG time and is absolutely nothing new, and Apple wasn't even the first (by a long shot) to do this. Now pretty much everyone in the mobile device arena does this. However Google was the first to actively go out and collect this information using their own equipment. Now it is passively collected from everyone's cell phones continuously.
Wireless network mapping (Score:2)
What we need is a technical solution, allowing randomized per-device SSIDs, something similar to how smartphones randomize MAC addresses.
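The earlier suggestion in this thread to change an AP's MAC address, and the request above for randomized identifiers, both rest on how a MAC address marks itself as not vendor-assigned. The added example below (not code from the article or the researchers) classifies BSSIDs by the locally administered bit and generates a random unicast one; the survey list is constructed, and a new BSSID only breaks the link to the old location history, since it can be observed and mapped again.

```python
import re
import secrets

MAC_RE = re.compile(r"[0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5}")


def parse_mac(text):
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into 6 raw bytes."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(octet, 16) for octet in re.split(r"[:-]", text))


def format_mac(raw):
    """Render 6 raw bytes as lower-case colon-separated hex."""
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(raw):
    """U/L bit (0x02 of the first octet) set means not vendor-assigned."""
    return bool(raw[0] & 0x02)


def is_multicast(raw):
    """I/G bit (0x01 of the first octet) set means a group address."""
    return bool(raw[0] & 0x01)


def random_local_bssid(random_bytes=secrets.token_bytes):
    """Random unicast, locally administered address usable as a BSSID."""
    raw = bytearray(random_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set U/L, clear I/G
    return format_mac(raw)


def audit(bssids):
    """Split BSSIDs into vendor-assigned (stable) and locally administered."""
    report = {"vendor_assigned": [], "locally_administered": []}
    for text in bssids:
        raw = parse_mac(text)
        key = ("locally_administered" if is_locally_administered(raw)
               else "vendor_assigned")
        report[key].append(format_mac(raw))
    return report


# Constructed site survey. 00:00:5e:00:53:xx is the RFC 7042 documentation
# range; the last entry is a made-up locally administered address.
SURVEY = ["00:00:5E:00:53:01", "00-00-5e-00-53-7f", "06:1a:2b:3c:4d:5e"]

if __name__ == "__main__":
    print(audit(SURVEY))
    print("replacement BSSID:", random_local_bssid())
```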