Apple’s Wi-Fi-based Positioning System Reveals Access Point Locations
At his Krebs on Security site, Brian Krebs writes:
Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices like Starlink systems — and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.
This fascinating story underscores the difficulty of imagining every potential security hole in advance. Practically speaking, if you want to opt out of having the location of your Wi-Fi access point tracked by Apple, append _nomap to the end of its name (SSID). That also blocks Google from recording its location. Unfortunately, you’ll have to reauthenticate every connected device. Locking down the location API used by the researchers is undoubtedly more complicated for Apple, but it seems likely that’s in the works.
Yeah, who could possibly have foreseen that it was a bad idea to send back the location of 400 nearby BSSIDs?
Look, I get what they’re trying to do and it’s not worthless. But slurping up the physical location of every Wi-Fi access point in the world and then sending them out to every device, hundreds at a time, was always a security and privacy apocalypse waiting to happen.
Also allegedly
_nomaphas existed for years but it took Apple until March 2024 and being called out about this insane API to actually tell anyone about it.Man, the world gets more dystopian every day.
I don’t think it’s nearly that simple. You have to know the BSSID of an access point to query, and the researchers used some clever approaches to figuring them out, notably trying a billion randomly generated BSSIDs and only after they hit on 3 million, narrowing it down to some common ranges.
As for why Apple is returning up to 400 nearby BSSIDs, again, I don’t know what the actual rationale was, but it’s likely a privacy issue. Google is computing the device’s location and sending it to the device, so Google knows that location. Apple is instead sending a list of nearby BSSIDs to the device and letting it calculate its location, so Apple knows much less about the precise location.
I’m not saying Apple didn’t make a mistake here, just that thinking of all possible ways a system could be abused or compromised isn’t trivial.
A couple thoughts:
First, I’ve never understood, given GPS is accurate within a few meters, why wifi is needed at all, ever. (Seems like if you’re in an area without cell service, there probably won’t be any wifi popping up either.)
Second, in all the years and the hundreds (maybe thousands) of SSIDs I’ve seen, not one has ever ended with _nomap. Makes me think this is either very unknown or very new.
As I understand it, GPS is difficult when there are obstructions to the view of the satellites - in cities with tall buildings, or even in dense forested areas. Second, I believe it uses more battery power than WiFi or cellular tower triangulation. Third, it can take a while to connect to the four satellites required to get a good lock. Fourth, it generally cannot be used indoors, except if you are very close to windows, etc.
That’s maximum accuracy under ideal conditions. There are a lot of things that can interfere with the signals; they are, after all, just EM waves going to orbit and back. Physical obstructions are the biggest source of interference, but weather also plays a part. It’s also dependent on the device’s hardware being capable of resolving to that accuracy (not a given with older devices) and working at full efficiency.
Edit: My bad, I misstated how the signals travel. Your device doesn’t send any signal to the GPS satellites; it only receives those signals. The satellites are receiving signals from elsewhere, but not end-user devices.
On the contrary, I would expect to see a significant amount of Wi-Fi usage in areas with poor cell connectivity. Most Wi-Fi access points connect to a wired Internet source, which is all you have to work with when cell service is poor. Even if it’s not true broadband speed and bandwidth, it’s still going to be a functional alternative to no service at all.
Case in point: My spouse’s family owns a vacation cabin in the northern part of lower-peninsula Michigan. Cell coverage there is extremely spotty. The first year we visited there, there was no wired Internet in the cabin, so connectivity was almost nil. Just two years later, two different broadband providers had moved into the area, and there are Wi-Fi access points everywhere. Cell service is still poor, but as long as you’re in town, you can get Wi-Fi.
It’s not new. Wikipedia has a citation from Google’s help files from 2012 where it’s explained how to opt out of WPS. It’s just not something that many people have been aware of, in part probably because the location service itself hasn’t been widely known about.
In addition to what others wrote, remember that devices without cellular radios generally don’t have GPS receivers. This includes Macs, iPods and many iPad models. All of which provide location services to apps.
Wi-Fi triangulation is generally going to give you a better estimated location than looking up an IP address, which typically gives you the location of the ISP’s central office. (For my home, this is about 25 miles away).