In a recent presentation at Black Hat 2024, University of Maryland researcher Erik Rye unveiled the potential risks associated with Apple’s Wi-Fi Positioning System (WPS). Rye demonstrated how he was able to map hundreds of millions of Wi-Fi access points (APs) around the world in just a matter of days, without needing an Apple device or any kind of permissions.
The Wi-Fi Positioning System works similarly to GPS, but instead of relying on satellites, it uses Wi-Fi access points to determine a device’s location. Companies like Apple and Google collect data from devices running their operating systems, which report their locations and the signal strengths of nearby networks. This data is used to create massive databases of AP locations globally.
Rye highlighted a major flaw in Apple’s WPS – the open and free nature of its API. Despite being designed for Apple devices, anyone can query the API from a non-Apple device without authentication or an API key. Rye used a program written in Go and running on Linux to brute-force guess BSSID numbers, leading to the accumulation of over half a billion unique BSSIDs in less than a week.
The process was made more efficient by a unique feature of Apple’s WPS, which returns up to 400 results in response to a location query. This allowed Rye to create a comprehensive map of Wi-Fi networks globally, including remote locations like Antarctica and small islands in the Atlantic.
The implications of this mapping are concerning. Rye’s results included mapping Starlink APs in war-torn Ukraine and tracking the evolving Internet access across Gaza, raising potential privacy and security risks. Individuals could be tracked as they move homes or take trips with mobile APs, leading to potential privacy breaches.
While both Apple and Google have WPS systems, Google’s implementation is more secure. Google’s WPS API performs the triangulation instead of returning a long list of BSSIDs, keeping additional data private. Google also requires an API key for queries, imposing a small cost that proves prohibitive for attackers.
There are potential solutions to improve AP security, including randomizing BSSIDs manually and adopting new APs when moving for at-risk individuals. Apple has also implemented an opt-out feature – by adding “_nomap” to a network’s name, users can prevent their Wi-Fi access point from being included in Apple’s system.
Overall, the revelations by Erik Rye underscore the need for robust security measures in Wi-Fi positioning systems to protect user privacy and prevent potential misuse of location data. Individuals and companies alike should take proactive steps to safeguard their Wi-Fi networks and mitigate the risks associated with these technologies.