Apple Geolocation API Exposes Wi-Fi Access Points Worldwide

Published : 23/11/2024   Category : security




Beyond the devices that use them, Wi-Fi hubs themselves can leak interesting data, thanks to some quirks in Apple's geolocation system.



Apple's Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.
Have you ever wondered how your phone knows where it is in the world?
The Global Positioning System (GPS) is one tool it uses, of course, but it's not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn't ideal for such a persistent task.
That's where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).
First, devices running Apple or Google operating systems periodically report back their locations (via GPS or cell tower triangulation) as well as the relative signal strengths coming from nearby networks (labeled by their Basic Service Set Identifiers, or BSSIDs), which gives some indication of their distance. Through this crowdsourcing, those companies develop huge databases of where APs lie around the globe.
As Rye explains, "You might not own a single Apple device but, nonetheless, your Wi-Fi access point will still end up in this system, just due to the fact that people that own Apple devices walk by your house, deliver your packages, or live next to you."
Individual devices, then, can determine their locations by scanning for and reporting nearby Wi-Fi networks to company servers. In Apple's case, the WPS server will return the locations of those Wi-Fi networks, which the device can compare with observed signal strengths to determine its relative location. So, what's the problem?
Apple's WPS API is open and free to use. It's designed for Apple devices, but anyone can query it from a non-Apple device without any kind of authentication or API key. Using a program written in Go and running on Linux, Rye brute-force guessed a large number of BSSID numbers until he eventually hit a real one, for which the WPS API endpoint gifted him a set of other BSSIDs near to it.
"Once you start getting hits, you can do what's called snowball sampling and just feed those back in, and continuously sample over and over," he explains. "Over a period of less than a week, we were able to amass about half a billion unique BSSIDs."
The process was made more efficient by a particular quirk in Apple's WPS. In response to a location query, rather than just a few nearby networks, it will voluntarily return up to 400 results.
"We were able to essentially create a Wi-Fi map of planet Earth, including some of the most remote locations: Antarctica, small islands in the middle of the Atlantic, that kind of thing," Rye says.
Among his results: a map of Starlink APs providing Internet access across war-torn Ukraine, and an evolving picture of Internet access across Gaza, potentially valuable military intelligence.
More targeted privacy attacks could involve tracking individuals as they move homes or take trips with mobile APs (say, in an RV).
"It's funny — everyone has their own case study that they want to know about," Rye says. "Somebody had asked [us] about Burning Man, which was a very easy one, because Burning Man is in the middle of nowhere. So if your access point pops up there, we know you're there for Burning Man."
The observant reader might ask: If Apple and Google both have WPSs, why are we picking on only one?
Both systems use huge databases of global BSSIDs to triangulate device locations. But when an Android device queries Google's WPS API, instead of replying with a long list of BSSIDs, Google's server does the triangulation and replies with the result. Thus, all that extra data is kept unexposed.
Google also requires an API key, which it uses to impose a cost on queries (at most, one cent per two requests). Insignificant for regular users, this tiny cost would prove prohibitive for attackers who need to guess an extremely large number of BSSIDs before hitting on a real one, as Rye did in his tests.
These are just two among the many possible ways Apple, access point manufacturers, or even lawmakers could improve upon AP security. And there are preventative steps individuals can take in the meantime.
"If you're a particularly technologically savvy user — running OpenWrt, or something like that — you can manually randomize your BSSID yourself. But that's beyond the scope for most folks," Rye says.
Particularly at-risk individuals can avoid travel APs altogether and adopt new APs whenever they move. And, Rye adds, "Apple has implemented an opt-out ability. If you add a _nomap to the end of your network's name, Apple says that that will prevent your Wi-Fi access point from ending up in their system."
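
The two individual mitigations described above (the _nomap opt-out suffix and a randomized BSSID) can be checked across an inventory of your own access points. This is an added example, not code from the article or from Rye's research; the inventory is constructed, and the exact-match suffix test and the use of the IEEE locally administered address bit as the marker of a randomized BSSID are assumptions of this sketch.

```python
import secrets

OPT_OUT_SUFFIX = "_nomap"   # opt-out suffix named in the article
MAX_SSID_BYTES = 32         # 802.11 SSID length limit


def is_locally_administered(bssid: str) -> bool:
    """True if the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(bssid.split(":")[0], 16) & 0x02)


def random_bssid() -> str:
    """Random unicast, locally administered MAC suitable for use as a BSSID."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set local bit, clear multicast bit
    return ":".join(f"{o:02x}" for o in octets)


def audit(aps):
    """Return one finding per (ssid, bssid) pair with the actions still open."""
    findings = []
    for ssid, bssid in aps:
        opted_out = ssid.endswith(OPT_OUT_SUFFIX)  # assumption: exact, case-sensitive match
        local = is_locally_administered(bssid)
        actions = []
        if not opted_out:
            renamed = ssid + OPT_OUT_SUFFIX
            if len(renamed.encode("utf-8")) > MAX_SSID_BYTES:
                actions.append("shorten SSID, then append " + OPT_OUT_SUFFIX)
            else:
                actions.append("rename to " + renamed)
        if not local:
            actions.append("vendor-assigned BSSID; candidate replacement " + random_bssid())
        findings.append({"ssid": ssid, "opted_out": opted_out,
                         "locally_administered": local, "actions": actions})
    return findings


# Constructed inventory for illustration; not real networks.
SAMPLE_APS = [
    ("HomeNet", "00:11:22:33:44:55"),
    ("TravelRouter_nomap", "00:11:22:33:44:66"),
    ("Cabin_nomap", "06:aa:bb:cc:dd:ee"),
    ("A-Very-Long-Network-Name-2.4GHz", "06:aa:bb:cc:dd:ef"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_APS):
        print(finding)
```

The last sample entry shows the edge case where appending the suffix would push the SSID past 32 bytes, so the name has to be shortened first.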
