Apple API Allows Wi-Fi AP Location Tracking


A T-shirt, reading “You are here”

Apple location service returns far more data than it should to people who have no business knowing it — and it does so without your permission.

Academic researchers have criticized Apple for enabling stalkers and warlords. An unrestricted Apple API endpoint allows for easy tracking of the location of Wi-Fi access points from almost any vendor.

Access point owners can opt out, but it’s impractical. In today’s SB Blogwatch, we wonder why we should need to.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Clair de Banana.

Privacy FAIL

Who’s driving the news cycle? Brian Krebs: Your Wi-Fi Router Doubles as an Apple AirTag

Massive amounts of data
Apple and … Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers … say they relied on publicly available data from Apple to track the location of billions of devices globally — including non-Apple devices. … At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. … Instead of computing the device’s location based off the set of observed access points, … Apple’s API will return the geolocations of up to 400 more … that are nearby.

The researchers said … they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? … They were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces. (They) identified at least 3,722 Starlink terminals geolocated in Ukraine. … The location data made it easy to see where devices in contested regions originated from: … “We even believe we can identify people who have joined the Ukraine Foreign Legion.”

They hope Apple will consider … proactive ways to limit abuses: … “This data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did. … If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location. (And) we have evidence of their use by military members as they deploy from their homes and bases to war zones.”

Who can get more in depth? El Reg’s Thomas Claburn can: Apple Wi-Fi Positioning System can be abused to track people

2 billion BSSIDs
Erik Rye, a PhD student at the University of Maryland (UMD), … and Dave Levin, associate professor at UMD, describe how the design of Apple’s … Wi-Fi Positioning System (WPS) facilitates mass surveillance—even of those not using Apple devices. … Apple is one of several companies, along with Google, Skyhook, and others, that operate a WPS. They offer client devices a way to determine their location that’s more energy efficient than using … GPS (satellites).

Device queries involve sending a list of nearby BSSIDs and their signal strength to the WPS. … Apple’s system is exceptionally talkative, the boffins suggest. … “In Apple’s version, you submit BSSIDs to geolocate, and it returns the geolocation it believes the BSSID is at. … It also returns many more (up to 400) that you didn’t request that are nearby, (which) allowed us to accumulate a large quantity of geolocated BSSIDs in a short period of time. (It) is not authenticated or rate limited and is free to use,” (said) Rye.

Apple’s system allowed Rye and Levin to compile a database of (2 billion) BSSIDs around the world, which they could then use to track the movements of individuals and groups of people over time. … Rye is scheduled to present the paper at Black Hat USA in August.

Who are the researchers? Erik Rye and Dave Levin: Surveilling the Masses with Wi-Fi

Potential for harm
In this paper, we show that an unprivileged, weak attacker can take advantage of Apple’s WPS to perform mass surveillance of users’ Wi-Fi access points virtually anywhere in the world. … Making matters worse, users whose devices are being tracked never opted in to Apple’s WPS in the first place, nor did they have a way to opt out when we conducted this study.

Apple’s API opportunistically returns the geolocations of up to several hundred more BSSIDs nearby the one requested. These unrequested BSSID geolocations are presumably then cached by the client, which no longer needs to request the locations of the nearby BSSIDs it may soon encounter—e.g., as the user walks down a city street. (And it) will respond with geolocations for BSSIDs on … different continents … to a querier.

During this study, we issued approximately 30 queries per second; at this rate, we did not encounter rate-limiting or observe service interruptions or outages. Each API call can itself contain multiple BSSIDs to query, and in practice, we included 100 BSSIDs per API request. … This work identifies the potential for harm to befall owners of Wi-Fi APs … merely by having Apple devices come within Wi-Fi transmission range.
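The two design choices the paper singles out (the API hands back hundreds of unrequested nearby BSSIDs, and it is neither authenticated nor rate limited) can be modelled side by side. The following is an added example, not code from the paper or from Apple’s service: a toy lookup service over a constructed BSSID database, run once with the talkative policy and once with a hardened policy that answers only what was asked and enforces a per-client query budget. Every value in it is synthetic.

```python
import random
from collections import deque

def make_db(n=2000, seed=1):
    """Constructed toy database: BSSID -> (lat, lon). All values are synthetic."""
    rng = random.Random(seed)
    return {f"02:00:00:{(i >> 16) & 255:02x}:{(i >> 8) & 255:02x}:{i & 255:02x}":
            (rng.uniform(38.9, 39.1), rng.uniform(-77.1, -76.9)) for i in range(n)}

class WPS:
    """Hypothetical Wi-Fi positioning lookup service (not Apple's real API).

    neighbors: how many unrequested nearby BSSIDs to volunteer (0 = none).
    max_qps:   per-client query budget per second (None = unlimited).
    """
    def __init__(self, db, neighbors=0, max_qps=None):
        self.db, self.neighbors, self.max_qps = db, neighbors, max_qps
        self.window = deque()  # timestamps of this client's recent queries

    def lookup(self, bssids, now):
        """Return {bssid: (lat, lon)} or None when the client is throttled."""
        if self.max_qps is not None:
            while self.window and now - self.window[0] >= 1.0:
                self.window.popleft()          # slide the one-second window
            if len(self.window) >= self.max_qps:
                return None                    # over budget: refuse (HTTP 429 style)
            self.window.append(now)
        result = {b: self.db[b] for b in bssids if b in self.db}
        if self.neighbors and result:
            # Talkative policy: volunteer the nearest unrequested BSSIDs too.
            lat, lon = next(iter(result.values()))
            by_dist = sorted(self.db, key=lambda k: (self.db[k][0] - lat) ** 2
                             + (self.db[k][1] - lon) ** 2)
            for k in [k for k in by_dist if k not in result][:self.neighbors]:
                result[k] = self.db[k]
        return result

def learned_in_one_second(api, bssid, qps):
    """Distinct BSSID locations one client learns by repeating a single query at qps."""
    seen = set()
    for i in range(qps):
        resp = api.lookup([bssid], now=i / qps)
        if resp is not None:
            seen.update(resp)
    return len(seen)
```

With `neighbors=400` a single request yields 401 locations, whereas the hardened service yields one per request and only as many requests per second as its budget allows.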

Should you worry? Depends on your risk profile. sneak does:

I don’t want my residential location moves being tracked, as the person who goes from zip code A to zip code B to zip code C is possibly a unique track. … I have three … residential record(s) of location. I sleep at the one on my driver’s license only a few nights per year. … I don’t register to vote or receive any mail at my primary residence. My government paperwork all goes to my tertiary residence.

But shouldn’t I have been asked to opt in? This Anonymous Coward thinks not:

Here’s what happened: You installed a device that screams out into the public to anyone around you that it is there. It isn’t reasonable to expect the rest of the world to “protect your privacy” when you’re screaming, “Here I am, here I am.”

Of course “you” is a radio transmitter device here, but that’s just the nature of how radio works. There’s just no way you can both use the public airwaves while at the same time not using the public airwaves.

Drip, drip, drip. Catwhisperer fashions some elegant aluminum headgear:

We’ve been getting surveilled for a long, long time. But it took the Internet to make the possibility of Orwellian surveillance a reality.

Humans, being the sheeple we are, gleefully and joyfully took the best tool for the job, a personal connected device, to heart. We even go so far as to camp out, in lines a block long, to purchase the latest tool.

But isn’t Apple’s brand all about privacy? 1vuio0pswjnm7 simply laughs:

“We don’t collect a lot of your data and understand every detail about your life. That’s just not the business that we are in,” says Apple CEO Tim Cook.

Apple marketing works. … I have never seen new computers out of the box that phone home more than Apple computers.

Meanwhile, speaking of CEO quotes, cusco remembers this one from 25 years ago:

“You have no privacy. Get over it.” — Scott McNealy, in 1998. The man may have been an ******* but I’ve seen no indication since that he was wrong.

And Finally:

You can practically hear Debussy roll in his grave

Previously in And Finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites—so you don’t have to. Hate mail may be directed to @RiCHi, @richij, @(email protected), @richi.bsky.social or (email protected). Ask your doctor before reading. Your mileage may vary. Past performance is no guarantee of future results. Do not stare into laser with remaining eye. E&OE. 30.

Image source: Geekgirly (cc:by; leveled and cropped)
