
Vulnerabilities in Apple's Wi-Fi Positioning System, tracking risk for users: the details


A recent academic study highlighted a potential privacy vulnerability in Apple's Wi-Fi Positioning System (WPS) which, if exploited, could allow mass surveillance campaigns to be conducted globally.

In the publication titled “Surveilling the Masses with Wi-Fi-Based Positioning Systems,” Erik Rye, a doctoral candidate at the University of Maryland (UMD), and Dave Levin, an associate professor at the same university, describe how Apple's WPS design can facilitate the tracking of the position and movements of users, even those who do not use Apple devices but who could somehow come into contact with them.

Exploitation of the vulnerability in the Wi-Fi positioning system has, at the moment, been shown only at an academic level, but the privacy risks are very high.

Vulnerabilities in Apple's WPS: what are the implications

To understand how this vulnerability can be exploited, it is useful to remember that a WPS (used by Apple, but also by other companies, including Google, which however applies a different operating mechanism) allows user devices to determine their geographical position in a more energy-efficient way than using the Global Positioning System (GPS).

In practice, the Wi-Fi Positioning System consumes less energy to operate than GPS and this is one of the reasons why it is increasingly used on smartphones and, more generally, on mobile devices.

The authors of the academic study demonstrated how an attacker without privileges and without particular prior knowledge can exploit Apple's WPS to create a global database of Wi-Fi Access Point locations in just a few days.

In particular, Apple's WPS allows mobile devices to know their position by reporting to a server the BSSID (Basic Service Set Identifier, used to uniquely identify a Wi-Fi access point within a wireless network) of nearby Wi-Fi access points, along with GPS coordinates.

This data is then used by other devices to estimate their position without using GPS, effectively allowing the devices' movements to be tracked by remotely geolocating the wireless access points to which they connect over time.

The researchers then discovered that the design of the Wi-Fi positioning system allows any MAC address to be queried, returning its geolocation if it exists in the database. And it is precisely this loophole that can be exploited for mass surveillance without anyone knowing.

In fact, over the course of a year, researchers managed to compile a database of 490 million BSSIDs around the world, which could be used to track the movements of individuals and groups of people over time.

“Since the accuracy of Apple's WPS is on the order of a few meters, this allows us, in many cases, to identify specific homes or businesses where Wi-Fi Access Points are located,” the researchers write in their paper.

The researchers themselves then presented several case studies to illustrate the potential misuse of this vulnerability, including:

  1. War zones: Devices were tracked as they entered and exited conflict areas in Ukraine and Gaza, revealing military movements and the locations of displaced people.
  2. Natural disasters: During the fires in Maui, Hawaii, the geolocations of Wi-Fi Access Points were monitored, demonstrating the impact of the disaster.
  3. Targeted Tracking: The vulnerability can be used to stalk or follow people by monitoring the geolocation of their personal devices or Access Points.

Responsibly and out of respect for the privacy of others, the researchers avoided including in their case studies any examples that could have publicly identified individuals in various parts of the world.

Security Mitigations

Upon completion of the study, the researchers reported their findings to Apple, Starlink, and GL.iNet.

They then highlighted that one way to keep your BSSID out of WPS databases is to add the string “_nomap” to your Wi-Fi network name. Apple added support for “_nomap” in a March 27 update to its privacy and location services support pages.

Of note, Google's WPS and WiGLE, a crowdsourced geolocation project, have also supported the “_nomap” option since at least 2016.

Additionally, Apple announced that it will release additional mitigations to address the global tracking threat described by University of Maryland researchers.

However, researchers have highlighted that more comprehensive mitigations are needed to fully address this systemic privacy problem and protect hundreds of millions of Wi-Fi access point owners around the world from unauthorized tracking enabled by WPSs like Apple's.

Erik Rye then praised the SpaceX security team for quickly addressing the issue and implementing BSSID randomization in their products. According to the researcher, this appears to be the most robust defense against tracking by a WPS, since generating a random identifier every time the device boots (or moves) will make it appear as a completely different device in a WPS database.
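The two mitigations described above can be checked against an inventory of your own access points. The following is an added example, not code from the researchers or from any vendor: it flags SSIDs without the “_nomap” opt-out and BSSIDs that are still vendor-assigned, and shows how a randomized BSSID is formed. The function names and the sample inventory are constructed for illustration, and it assumes the opt-out string is placed at the end of the network name.

```python
import secrets

NOMAP_SUFFIX = "_nomap"  # opt-out string from the article; suffix placement is an assumption

def random_bssid() -> str:
    """Generate a random BSSID as a unicast, locally administered MAC address."""
    octets = bytearray(secrets.token_bytes(6))
    # First octet: bit 0 = 0 (unicast), bit 1 = 1 (locally administered).
    octets[0] = (octets[0] & 0b11111100) | 0b00000010
    return ":".join(f"{b:02x}" for b in octets)

def parse_bssid(bssid: str) -> bytes:
    """Parse aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; raise ValueError if malformed."""
    parts = bssid.replace("-", ":").split(":")
    if len(parts) != 6 or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    return bytes(int(p, 16) for p in parts)

def is_locally_administered(bssid: str) -> bool:
    """True when the address is not a vendor-assigned (universally administered) one."""
    return bool(parse_bssid(bssid)[0] & 0x02)

def audit(inventory):
    """Return one finding per (ssid, bssid) pair, listing missing mitigations."""
    findings = []
    for ssid, bssid in inventory:
        issues = []
        if not ssid.endswith(NOMAP_SUFFIX):
            issues.append("SSID does not end with _nomap")
        # Heuristic only: the bit shows the address is not burned-in,
        # not that the device actually rotates it on boot or movement.
        if not is_locally_administered(bssid):
            issues.append("BSSID is vendor-assigned, not randomized")
        findings.append({"ssid": ssid, "bssid": bssid, "issues": issues})
    return findings

# Constructed sample inventory (BSSIDs use the RFC 7042 documentation range
# or a locally administered value; none belong to real devices).
SAMPLE = [
    ("HomeNet", "00:00:5e:00:53:01"),
    ("HomeNet_nomap", "02:ab:cd:ef:01:23"),
    ("Travel_nomap_5G", "00-00-5E-00-53-02"),  # marker present but not at the end
]

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f["ssid"], f["bssid"], f["issues"] or "ok")
    print("example randomized BSSID:", random_bssid())
```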

The research into the vulnerability in Apple's Wi-Fi Positioning System will be presented publicly in August during the Black Hat conference in the USA.
