In recent news, Apple and Starlink have made efforts to address concerns raised by researchers at the University of Maryland regarding the security and privacy implications of how their services track and geo-locate devices. The researchers found that publicly available data from Apple could be used to monitor global events such as the destruction of Gaza and the movements of troops in conflict zones.
The issue revolves around how Apple collects and shares information about the precise location of Wi-Fi access points seen by its devices. This data is used to provide Apple devices with location information without constantly using GPS. Both Apple and Google operate their own Wi-Fi-based Positioning Systems (WPS) that collect MAC addresses of nearby wireless access points to determine device locations.
Apple’s WPS returns the geolocations of nearby BSSIDs, allowing devices to estimate their location based on known landmarks. Researchers at the University of Maryland discovered they could map the movement of individual devices globally by continuously querying Apple’s API for location data.
By monitoring the data between November 2022 and November 2023, the researchers obtained a global view of over two billion Wi-Fi access points. They focused on conflict zones in Ukraine and Gaza and were able to track the movements of Starlink devices used by military forces in these areas.
By geofencing these regions, they identified Starlink terminals used by Ukrainian and Russian forces, exposing pre-deployment sites and military positions. The researchers shared their findings with Starlink, leading to software updates that randomize BSSIDs to enhance privacy and security.
In response to these findings, Apple updated its privacy policy to allow users to opt-out of having their Wi-Fi access points collected and shared. The researchers emphasized the need for additional safeguards to prevent abuse of the location API and protect user privacy.
They highlighted the risks posed by tracking Wi-Fi access points for vulnerable populations, such as those fleeing abusive relationships. The researchers also noted that mobile hotspots implemented strong privacy protections by choosing random BSSIDs, unlike other devices like travel routers that could pose privacy risks.
Overall, the research points to the importance of balancing the convenience of location services with the need to protect user privacy and security. Researchers hope that companies like Apple will continue to improve privacy controls and limit the potential misuse of location data.