Apple’s location services are convenient, with many useful features like Find My, maps, directions, and emergency SOS calls. However, researchers at the University of Maryland have discovered a serious weakness in the way Apple’s location services operate, which could allow an unauthorized party to easily harvest data on millions of routers and potentially obtain information about a person’s movements.
As Krebs on Security reports, Erik Rye and Dave Levin of the University of Maryland have discovered a peculiarity in how Apple’s location services work.
Positioning via WLAN instead of GPS
GPS and its constant requests are power hungry, so smartphone manufacturers try to use alternatives when available. A cost-effective method for determining the location of a device is to analyze data from surrounding Wi-Fi networks and calculate the location based on the detected networks and current signal strength. Apple and Google operate their databases with names of active Wi-Fi networks (Wi-Fi-based Positioning Systems, WPS for short), which greatly facilitates these calculations.
The researchers discovered a quirk in the way Apple’s WPS works: the server sends the necessary data to the user’s device so that the location calculation can be performed locally. But Apple’s WPS server apparently also returns up to 400 other known Wi-Fi networks from its crowdsourced location database that may lie in the device’s approximate vicinity. From this list, the requesting device picks out eight candidate networks and calculates its location from them. Apple’s WPS system, the iOS device and the router behind the network all work with so-called BSSIDs (Basic Service Set Identifiers), which generally correspond to the MAC address of the router and are static in most cases.
Data from almost 500 million WLAN networks
The researchers took advantage of this fact and used a Linux computer (not a Mac) to query Apple’s WPS servers for valid BSSIDs and their locations. They simply created the initial BSSID for the request using a random generator.
By using the publicly registered IEEE lists of manufacturer prefixes that router makers use for their products, the number of BSSIDs that have to be guessed can be reduced significantly. For their experiment, the researchers used 16,384 (2^14) randomly generated BSSID parts. Querying Apple’s API is free, so Rye and Levin sent 30 queries per second, each containing 100 guessed BSSIDs.
During the experiment, researchers queried a total of 1,124,663,296 BSSIDs, and approximately 0.25% (2,834,067) were known to Apple. However, because of the way Apple’s location calculation works, the servers also sent additional recorded BSSIDs, meaning the researchers obtained data from 488,677,543 other Wi-Fi networks. The researchers monitored data from nearly half a billion Wi-Fi routers between November 2022 and November 2023 and used it to make their observations, particularly in crisis regions.
Using the manufacturer part of the MAC address, Rye and Levin were able to identify approximately 3,000 Starlink terminals in Ukraine. During the observed period, it was also possible to determine the location of some of them. Even the current static position alone is life-threatening information if it falls into the wrong hands, as it can reveal the location of Ukrainian military units.
In Gaza, researchers also tracked the number of registered BSSIDs and their movements. After October 7, 2023 and until the end of November 2023, the number of registered Wi-Fi networks in the Gaza Strip decreased by 75%, with some moving from the north to the south.
How to exclude your Wi-Fi from Apple’s database
The researchers contacted Apple, Google, Starlink and several other manufacturers to report their discovery. It’s unclear whether Apple will change how it manages Wi-Fi networks, but it has updated a support document to allow anyone to opt out of this data collection.
To do this, append the character string “_nomap” to the end of your network’s name (SSID). The same applies to Google and its WPS. At Microsoft, you must enter the MAC address of your router into a form so that the company can add it to a block list in its database; this may take up to five days.
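The following helper is an added example, not code from the article or from any of the vendors named above. It builds the “_nomap” opt-out SSID for a given network name while respecting the 32-octet SSID limit of IEEE 802.11 (an assumption drawn from the standard, not from the article), so that a long or non-ASCII name does not silently lose the suffix that the opt-out depends on.

```python
# Added example: derive an opt-out SSID for the "_nomap" mechanism.
# Assumptions not taken from the article: an SSID is at most 32 octets
# (IEEE 802.11), and routers encode SSIDs as UTF-8.
NOMAP_SUFFIX = "_nomap"
SSID_MAX_OCTETS = 32


def is_opted_out(ssid: str) -> bool:
    """True if the SSID already ends with the exact '_nomap' suffix."""
    return ssid.endswith(NOMAP_SUFFIX)


def opt_out_ssid(ssid: str) -> str:
    """Return the SSID with '_nomap' appended.

    If the result would exceed 32 octets, the original name is shortened
    on a character boundary so the suffix still fits. The suffix itself is
    never cut, because only the exact trailing '_nomap' marks the opt-out.
    """
    if is_opted_out(ssid):
        return ssid
    budget = SSID_MAX_OCTETS - len(NOMAP_SUFFIX.encode("utf-8"))
    base = ssid
    # Drop trailing characters (not bytes) until the base fits the budget,
    # so a multi-byte character such as "ü" is never split in half.
    while len(base.encode("utf-8")) > budget:
        base = base[:-1]
    return base + NOMAP_SUFFIX


def check_ssid(ssid: str) -> dict:
    """Summarise an SSID: octet length, length validity, opt-out state."""
    octets = len(ssid.encode("utf-8"))
    return {
        "octets": octets,
        "valid_length": 0 < octets <= SSID_MAX_OCTETS,
        "opted_out": is_opted_out(ssid),
    }


if __name__ == "__main__":
    # Constructed sample names: short, too long with a non-ASCII character,
    # and one that is already opted out.
    for name in ["HomeNet", "Ferienwohnung_Müller_Obergeschoss_2", "Cafe_nomap"]:
        new = opt_out_ssid(name)
        print(f"{name!r} -> {new!r} {check_ssid(new)}")
```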
This article was originally published on our sister publication Macwelt and has been translated and localized from German.