Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Wireless Networking Apple

Why Your Wi-Fi Router Doubles As an Apple AirTag (krebsonsecurity.com) 73

An anonymous reader quotes a report from Krebs On Security: Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally -- including non-Apple devices like Starlink systems -- and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops. At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.

Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier or BSSID. Periodically, Apple and Google mobile devices will forward their locations -- by querying GPS and/or by using cellular towers as landmarks -- along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it's what allows your mobile phone to continue displaying your planned route even when the device can't get a fix on GPS.

With Google's WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths -- via an application programming interface (API) request to Google -- whose WPS responds with the device's computed position. Google's WPS requires at least two BSSIDs to calculate a device's approximate position. Apple's WPS also accepts a list of nearby BSSIDs, but instead of computing the device's location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple's API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user's location based on known landmarks.

In essence, Google's WPS computes the user's location and shares it with the device. Apple's WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own. That's according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple's API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random. They learned that while only about three million of those randomly generated BSSIDs were known to Apple's Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups.
"Plotting the locations returned by Apple's WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points," the report adds. "The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America."

The researchers wrote: "We observe routers move between cities and countries, potentially representing their owner's relocation or a business transaction between an old and new owner. While there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location."

A copy of the UMD research is available here (PDF).
This discussion has been archived. No new comments can be posted.

Why Your Wi-Fi Router Doubles As an Apple AirTag

Comments Filter:
  • by nospam007 ( 722110 ) * on Wednesday May 22, 2024 @08:21PM (#64492307)

    "and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops"

    Israel's AIs might use this data to find the terrorist's locations when designing houses to bomb.

    • by cusco ( 717999 )

      The IDF isn't really interested in that any more, they knew pretty much where people used to live before they started the carpet bombing. Their AIs were designed to predict when the target was at home so that they could be killed along with their entire family. (It was actually named "Where's Daddy".) It's irrelevant now, since over 70% of the structures in Gaza have been destroyed and most of those left are in such dangerous shape that they can't be safely occupied. They're a lot more interested in whi

      • 'The IDF isn't really interested in that any more, they knew pretty much where people used to live before they started the carpet bombing. '

        Bombing 27000 separately AI-designed targets, with an average of 1-2 collateral damage is not 'carpet bombing'.

        • by cusco ( 717999 )

          So you've managed to avoid looking at photos of Gaza City? That's a very weird news consumption pattern you have.

    • I worked on this system nearly 10 years ago for the U.S. DoD.

  • Luminiferous Aether, do you really have an expectation of privacy?

    • I know, this is why I have always just duplicated common default SSIDs on my networks.

      Sites like wiggle.com have been around for a while and make it easy to locate people who have unique wifi network names.

      • Mistyped. It's wigle.net

      • The SSID doesn't matter, it's the MAC address of the radio interface of the AP. Also, not just *your* AP, but every AP within radio range of you including your neighbor's printer and your other neighbor's smart thermostat.

        Escaping this tech would require a faraday cage.

        • by cusco ( 717999 )

          Or changing the MAC address of the AP. MAC addresses are issued to manufacturers in blocks, change the address of your AP to one in the block that Sony used for its old security cameras or which Nokia used for its long-discontinued WAPs. Maybe something issued to 3-Com or Digital Equipment. As long as the local router doesn't somehow run into ancient equipment that should have been a brick decades ago you won't have a problem.

          • Right now, where I'm sitting, I can see beacon messages with BSSIDs for about 40 devices, and I control less than 10 of them. (Hey, what is this FBI surveillance van network. Weird.) Changing the mac addresses of my 10 devices still leaves two dozen data points an attacker can use to geolocate from this spot. What should I do? Move far enough away that I can't "see" BSSIDs in broadcasts from my neighbors? :)

          • by tlhIngan ( 30335 )

            Or changing the MAC address of the AP. MAC addresses are issued to manufacturers in blocks, change the address of your AP to one in the block that Sony used for its old security cameras or which Nokia used for its long-discontinued WAPs. Maybe something issued to 3-Com or Digital Equipment. As long as the local router doesn't somehow run into ancient equipment that should have been a brick decades ago you won't have a problem.

            How will that fix anything? Then MAC addresses they collect are just dumped into a

    • by sinij ( 911942 )
      This is faulty argument. Just because I have a house number outside my front door, it does not mean you root through my trash and follow me around.
      • it doesn't? I guess I will need to get a new hobby then...
      • Just because everybody knows where the house with your address is (that's what addresses are all about), that neither means anyone would want to go through your trash, nor does it mean anybody knows where you are when you are not at home, nor when you are at home, let alone who the fuck you are. But posting bullshit like that will likely get you on a watchlist for obviously pathologically paranoiacs.
  • So the government has all this tracking ability, yet 40% of murders and and even worse number of stranger rapes and serious assaults go unsolved.

    • In what scenario would knowing the location of a particular wi-fi access point help you solve a murder? People aren't generally carrying them around with them when they go on crime sprees.

      • by cusco ( 717999 )

        Generally they don't become criminals because they got bored being rocket scientists, they almost certainly ARE carrying their phones on the crime spree, and a ridiculous number of them use it to document it on their Farcebook or Instagram feed.

        • they almost certainly ARE carrying their phones on the crime spree

          A phone isn't (generally) a wi-fi access point. Even if it were acting as one for tethering, Apple's data on a highly-mobile AP wouldn't tell you anything interesting about its actual location at a given point in time.

      • it is also about knowing the location of every cell phone, precisely, and every reporting device, say, for example, your car if it is newer than maybe 5 years old. Law Enforcement has already used this data in prosecuting crimes.
    • Police/Law Enforcement are (sometimes) using this sort of data to prosecute criminals now... But, say, you're 2022 Subaru is reporting it's position via this network, and it is located at the scene of this type of crime, that means you were there, right? the Defense can argue that NO, your CAR was there doesn't mean that you were... But it is still one nugget in a chain of nuggets that can help the police solve the crime. For example, some murderer's car was at the victim's home for some tme, then it drove
  • I don't remember giving Apple or Google the permission to track the position of my devices. How did that information become "publicly available"?
    • Re: (Score:2, Interesting)

      by Anonymous Coward

      I don't remember giving Apple or Google the permission to track the position of my devices. How did that information become "publicly available"?

      For your mobile, one of two things happened.
      Either you really did not go in to the settings and enable "track my phone", in which case that particular info isn't sent to them and isn't publicly available.
      Or, you did go in and turn on the setting to track your phone and forgot you explicitly gave them that permission.

      Of course for your AP, what this particular story is about, here's what happened.
      You installed a device that screams out into the public to anyone around you that it is there.

      It isn't reasonable

      • by sinij ( 911942 )

        It isn't reasonable to expect the rest of the world to "protect your privacy" when you're screaming "here I am, here I am" to the public.

        This is "shouldn't have dressed that way" argument. Arguing that technology leaking data is the same as surrendering privacy is a faulty argument. I also have a house number, bank account number, license plate, facial features, unique gait, fingerprints, shed DNA everywhere I go, etc. If you know my bank account number, this does not authorize you to make withdrawals without my permission, that would be fraud. Similarly, using my SSID to geolocate is a violation of privacy.

    • That's beyond stupid.

      I'm no fan of Google or Apple, but here they're collecting radio signals YOU choose to broadcast. It's like saying you didn't give other patrons permission to listen to what you're saying in a crowded bar. If you don't want them listening in, your only option is to shut up.

      • There is a difference between just receiving information versus storing it in a database, correlating it with my position and making the result accessible to others. Corporations accept this principle very well when it matters for copyright law: I can listen to a song that is being played back in a public space, but I can't make a recording of that song in the same circumstance. A protection of the same kind is given by privacy laws to IP addresses: I give my IP address to every web site that I visit, but t
  • Google was first (Score:4, Informative)

    by Dan East ( 318230 ) on Thursday May 23, 2024 @08:37AM (#64493081) Journal

    Google has been doing this for a couple decades now, using their Street View cars (you know, the ones that take 360 degree pictures while driving around every possible street and road). In addition to taking the pictures, they harvest all received WiFi MAC addresses and of course the exact location where those access points where heard.

    There was a lawsuit over 10 years ago about this, because in addition to just collecting the MAC address, they were actually storing all the raw data they received. Back then a LOT of home WiFi access points didn't even use encryption (I remember what a pain it was to connect a Nintendo DS to a protected access point). So Google was collecting a tremendous amount of actual private data, which they weren't getting rid of. It was big news back then, here's an article on it. [theguardian.com]

    Anyway, my point is that this has been going on a LONG time and is absolutely nothing new, and Apple wasn't even the first (by a long shot) to do this. Now pretty much everyone in the mobile device arena does this. However Google was the first to actively go out and collect this information using their own equipment. Now it is passively collected from everyone's cell phones continuously.

  • Unfortunately, this kind of data is public and accessible via various search engines like Wigle [wigle.net]. While you can add _nomap to opt out of Google and now Apple mapping, it does not prevent collection and retention of such information.

    What we need is a technical solution, allowing randomized per-device SSIDs, something similar to how smartphones randomize MAC addresses.

Message from Our Sponsor on ttyTV at 13:58 ...

Working...