Apple’s location services are handy, with many useful functions such as Find My, maps, routes, and Emergency SOS calls. However, researchers at the University of Maryland have discovered a crucial vulnerability in the way Apple’s location services work, which could allow an unauthorized person to access data on millions of routers and potentially information on a person’s movements without much effort.
As reported by Krebs on Security, Erik Rye and Dave Levin from the University of Maryland have discovered one aspect of Apple’s location services that works strangely.
Positioning via WLAN instead of GPS
GPS and its constant queries are energy-intensive, so smartphone manufacturers try to use alternatives when available. An economical method of determining a device’s location is to analyze the data from surrounding Wi-Fi networks and calculate location based on the networks detected and the current signal strength. Apple and Google operate their databases with active Wi-Fi network names (Wi-Fi-based Positioning Systems, WPS for short), which make these calculations much easier.
The researchers discovered an oddity in the way Apple’s WPS works: the system sends the necessary data to the user’s device so that these calculations can be carried out locally. But apparently, Apple’s WPS server sends up to 400 other known Wi-Fi networks that may be in the approximate vicinity of the device as part of its crowdsourcing location database. From this list, the requesting device searches for eight possible variants and calculates its location based on this data. Apple’s WPS system, the iOS device, and the router on which the network is based operate with the so-called BSSIDs (Basic Service Set Identification) and usually correspond to the MAC address of the device, which is static in most cases.
Data from almost 500 million WLAN networks
The researchers took advantage of this fact and used a Linux computer (not a Mac) to query Apple’s WPS servers for valid BSSIDs and their locations. They simply created the initial BSSID for the request using a random generator.
Using the already known lists registered with the IEEE, which router manufacturers use for their products, the number of guessed BSSIDs can be narrowed down significantly. For their experiment, the researchers used 16,384 (2^14) randomly generated BSSID parts. The request via Apple’s APIs is free, so Rye and Levin sent 30 requests per second with 100 guessed BSSIDs.
Martyn Casserly
In the experiment, the researchers queried a total of 1,124,663,296 BSSIDs, and around 0.25 percent (2,834,067), were known to Apple. However, due to the way Apple’s location calculation works, the servers also sent additional registered BSSIDs, meaning that the researchers obtained data from a further 488,677,543 Wi-Fi networks. The researchers monitored the data from almost half a billion Wi-Fi routers over the period from November 2022 to November 2023 and used it to make their observations, particularly in crisis regions.
Using the manufacturer part of the MAC address, Rye and Levin were able to identify around 3,000 Starlink terminals in Ukraine. During the period observed, it was also possible to determine the location of some of them. However, the information on the current static location alone is life-threatening in the wrong hands, as it indicates the location data of the Ukrainian military units.
In Gaza, the researchers also monitored the development of the number of registered BSSIDs and their movements. After October 7, 2023, and until the end of November 2023, the number of Wi-Fi networks registered in the Gaza Strip decreased by 75 percent, with some moving from north to south.
How to exclude your Wi-Fi from Apple’s database
The researchers contacted Apple, Google, Starlink, and several other manufacturers with their discovery. It’s not clear if Apple will change the way it handles Wi-Fi networks, but it did update a support document to provide a way for anyone to opt out of this data collection.
To do this, you need to add the character string “_nomap” to the end of the name (SSID) of your network. This also applies to Google and its WPS. With Microsoft, you must enter your MAC address in a form so that the manufacturer can add it to a block list in its database. This can take up to five days.
This article originally appeared on our sister publication Macwelt and was translated and localized from German.