Researchers at the University of Maryland recently published a study describing a significant privacy vulnerability in Apple’s Wi-Fi Positioning System (WPS). Attackers could exploit it to track users’ locations and movements on a global scale, which raises serious concerns about mass surveillance and about the privacy of millions of Wi-Fi access point owners worldwide.
The study revealed that unprivileged attackers, without any prior knowledge, could abuse Apple’s WPS to compile a worldwide database of Wi-Fi access point locations in just a few days. Because allocated MAC address space is concentrated in relatively few dense regions, attackers could efficiently guess BSSIDs (the MAC addresses that identify access points) and use them to query the WPS API. Over the course of a year, the researchers managed to collect the precise locations of over 2 billion Wi-Fi access points worldwide.
This capability enables attackers to track devices’ movements by remotely geolocating the wireless access points they connect to over time. While most access points remain stationary, mobile devices such as travel routers could allow an attacker to infer the owner’s location. To illustrate the real-world implications of this vulnerability, the researchers presented several case studies, including tracking devices moving in and out of war zones in Ukraine and Gaza, monitoring the effects of natural disasters like the fires in Maui, and demonstrating the possibility of targeted individual tracking.
These case studies underscore how Apple’s WPS could be exploited for open-source intelligence gathering and surveillance of sensitive populations and events. Merely being within the Wi-Fi range of an Apple device could lead to one’s access point location and movements being exposed without consent.
In response to these findings, the researchers have proposed recommendations for WPS operators and Wi-Fi access point manufacturers to enhance privacy protections. These recommendations include implementing rate limiting and authentication for WPS queries, randomizing BSSIDs when access points are rebooted or moved, and allowing users to opt out of inclusion in WPS databases.
The researchers have responsibly disclosed their findings to Apple and major access point vendors. Apple has taken steps to address the issue by allowing access points to opt out by appending “_nomap” to the Wi-Fi network name. Some vendors, like SpaceX, have also started deploying BSSID randomization in their devices.
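The two owner-side mitigations described above, the “_nomap” suffix and BSSID randomization on reboot or move, can be checked across an access point inventory. The following Python sketch is an added example, not code from the study, Apple or any vendor; the function names, the use of a locally administered address for the random BSSID, and the sample inventory are assumptions made for illustration.

```python
import secrets

NOMAP = "_nomap"
MAX_SSID_OCTETS = 32  # SSID length limit in IEEE 802.11


def opted_out(ssid):
    """True if the network name already ends with the opt-out suffix."""
    return ssid.endswith(NOMAP)


def with_nomap(ssid):
    """Append the suffix, trimming the base name on a UTF-8 character
    boundary so the result still fits in 32 octets."""
    if opted_out(ssid):
        return ssid
    room = MAX_SSID_OCTETS - len(NOMAP)
    base = ssid.encode("utf-8")[:room].decode("utf-8", errors="ignore")
    return base + NOMAP


def random_bssid(rng=secrets.token_bytes):
    """New BSSID for each boot or move: random, locally administered, unicast."""
    octets = bytearray(rng(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set local bit, clear multicast bit
    return ":".join(f"{o:02x}" for o in octets)


def is_local_unicast(bssid):
    """True if the first octet marks a locally administered unicast address."""
    return int(bssid.split(":")[0], 16) & 0x03 == 0x02


def audit(aps):
    """Map each SSID to the changes it still needs; aps is (ssid, bssid) pairs."""
    report = {}
    for ssid, bssid in aps:
        todo = []
        if not opted_out(ssid):
            todo.append(f"rename to {with_nomap(ssid)}")
        if not is_local_unicast(bssid):
            todo.append("BSSID is a fixed global address; randomize per boot")
        if todo:
            report[ssid] = todo
    return report


# Constructed inventory; 00:00:5e:00:53:xx is the documentation MAC range.
SAMPLE = [("CafeGuest", "00:00:5e:00:53:01"), ("Van_nomap", random_bssid())]
```

A locally administered BSSID only helps if it is regenerated when the device reboots or moves; a single inventory snapshot cannot confirm that, so the audit flags only addresses that are certainly fixed.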
However, the researchers emphasize that more comprehensive mitigations are needed to fully address this systemic privacy issue and protect the hundreds of millions of Wi-Fi access point owners worldwide from unauthorized tracking facilitated by WPSes like Apple’s.
Overall, this study highlights the critical importance of safeguarding privacy in an increasingly connected world, where the potential for mass surveillance and unauthorized tracking poses a significant threat to individuals’ rights and freedoms. The ongoing efforts to address these vulnerabilities are crucial in ensuring that technology remains a force for good in society.