
Vulnerability in Apple’s location services – troop movements can be tracked

Security researchers say a key element of Apple’s location services contains what they call a “really serious privacy vulnerability” that could allow military movements to be tracked.

The issue could also allow an attacker to determine the location of anyone using a mobile Wi-Fi router, such as routers in RVs, and travel routers, which are sometimes used by business travelers…

Understanding Wi-Fi based positioning systems

First, we need to understand how Apple devices determine their location.

GPS is the primary technology, but not the only one. For example, in urban locations, tall buildings can hinder the reception of very weak signals from GPS satellites, so another key method used in mobile devices is Wi-Fi-based positioning systems (WPS).

WPS uses a global database of nearly 500 million Wi-Fi routers. Most importantly, these are not just the public ones that devices actually have access to, but all BSSID* identifiers they see. This applies, for example, to your home Wi-Fi router. The devices gain no access to the router, but they can detect it and check the database to find out exactly where it is. (These databases were created by cars driving around, using various methods to track their locations, and collecting BSSIDs that could then be matched to those locations.)

*The BSSID is a manufacturer-set identifier, different from the SSID the user chooses for the router. You can think of it as the MAC address of the radio card in your router.

Both Apple and Google maintain their own WPS databases, and the methods they use are essentially the same: detect nearby BSSIDs, measure the strength of each signal, then compare this data to the WPS database to find out where your mobile device is.

However, there is a fundamental difference between the way Apple and Google devices accomplish this task – and this is where the issue of privacy comes into play.

Vulnerability in Apple’s Location Services

Google devices use WPS this way: an Android phone (say) records the visible BSSIDs and their signal strength, and then sends this data to a Google server. The server uses the WPS database to calculate the phone’s location and sends it to the phone.

However, researchers at the University of Maryland found that Apple devices take a different approach, as Krebs on Security reports.

Apple’s WPS also accepts a list of nearby BSSIDs, but instead of calculating the device’s location based on a set of observed access points and received signal strength, and then reporting that result to the user, Apple’s API will return the geolocations of up to 400 additional BSSIDs that are close to the requested one. It then uses approximately eight of these BSSIDs to determine the user’s location based on known landmarks.

Basically, Google’s WPS function calculates the user’s location and shares it with the device. Apple’s WPS feature gives its devices enough data about the location of known access points in an area for the devices to make this estimate on their own.
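The difference between the two designs can be shown with a toy model. This is an added example, not code from the article, Apple or Google; the four-entry database is constructed, and the function names and the power-weighted centroid are assumptions.

```python
NEARBY_LIMIT = 400  # per the article: up to 400 additional BSSIDs per response
USED_FOR_FIX = 8    # per the article: roughly eight BSSIDs used for the estimate

# Constructed WPS database: BSSID -> (latitude, longitude). Not real access points.
WPS_DB = {
    "02:00:00:00:00:01": (38.9900, -76.9400),
    "02:00:00:00:00:02": (38.9902, -76.9400),
    "02:00:00:00:00:03": (38.9900, -76.9404),
    "02:00:00:00:00:04": (38.9950, -76.9300),  # in the database, never heard by the phone
}

def weighted_centroid(scan, locations, k=USED_FOR_FIX):
    """Estimate a position from the k strongest scanned APs with known locations.

    scan maps BSSID -> RSSI in dBm. Weighting by linear received power is an
    assumption; the article does not describe the actual calculation.
    """
    known = [(b, rssi) for b, rssi in scan.items() if b in locations]
    if not known:
        return None  # nothing the phone hears is in the database
    strongest = sorted(known, key=lambda item: item[1], reverse=True)[:k]
    weighted = [(locations[b], 10 ** (rssi / 10)) for b, rssi in strongest]
    total = sum(w for _, w in weighted)
    lat = sum(pos[0] * w for pos, w in weighted) / total
    lon = sum(pos[1] * w for pos, w in weighted) / total
    return (lat, lon)

def server_side_lookup(scan):
    """Google-style design: the server computes and returns one coordinate."""
    return weighted_centroid(scan, WPS_DB)

def client_side_lookup(scan):
    """Apple-style design: the server returns AP locations, the device computes.

    The toy treats every database entry as 'nearby'; a real service would
    select neighbours by distance.
    """
    requested = {b: WPS_DB[b] for b in scan if b in WPS_DB}
    if not requested:
        return {}, None
    extra = [(b, pos) for b, pos in WPS_DB.items() if b not in requested]
    response = {**requested, **dict(extra[:NEARBY_LIMIT])}
    return response, weighted_centroid(scan, response)
```

Both lookups give the phone the same position, but the client-side response also carries the location of every neighbouring access point, including ones the phone never reported.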

On-device computing is one of Apple’s hallmarks and seems more secure – but here’s the problem.

Researchers at the University of Maryland (…) theorized that they could use the granularity of Apple’s API to map the movement of individual devices to and from virtually any specific area of the world. The UMD pair said that early in their research, they spent a month constantly querying the API, asking it to locate over a billion randomly generated BSSIDs.

They learned that although only about three million of the randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in WPS based on other searches.

As a result, they managed to essentially “steal” the WPS database.

By plotting the locations returned by Apple’s WPS between November 2022 and November 2023, Levin and Rye noticed that they had a near-global view of the locations associated with more than two billion Wi-Fi access points (…)

Researchers said that by focusing on or “geofencing” other smaller regions indexed by Apple’s location API, they could monitor the movement of Wi-Fi access points over time. Why might this be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.

You can now opt out of collecting your BSSID

The risk was greatest for Starlink mobile hotspots, and the company addressed the issue by randomizing the BSSIDs used.

If you want to prevent Apple and Google from adding your router to their databases, you can add _nomap to your SSID. For example, if you currently have a Wi-Fi SSID John Appleseed’s house, you can change it to John Appleseed’s house_nomap.

This tells both Apple and Google that your router is unavailable and they will not collect your BSSID.

Apple said it would take steps to limit the number of queries to its database to reduce the risk.

Photo: GeoJango Maps on Unsplash
