How Apple Wi-Fi Positioning System can be abused to track people around the globe

Academics have shown how Apple's Wi-Fi Positioning System (WPS) can be abused to create a global privacy nightmare. In a paper titled, "Surveilling the Masses with Wi-Fi-Based Positioning Systems," Erik Rye, a PhD student at the University of Maryland (UMD) in the US, and Dave Levin, associate professor at UMD, describe how …

  1. Anonymous Coward

    Wait until you find out that Comcast's goal is to put a Comcast owned wifi router in every home. Then what is Ray going to do?

    1. Snake Silver badge

      Not just Comcast. Spectrum also "voluntarily" issues you a wi-fi modem/router for your home, broadcasting Spectrum's Out-of-Home shared wi-fi SSID automatically

      https://www.spectrum.com/internet/wifi-access-points

      You can opt-out, as I did, but you initially get a surprised Pikachu face to your request from the service representative behind the counter when you do so. But you need to know enough to ask for the opt-out in the first place.

      1. Dimmer Silver badge

        AT&T as well.

  2. Anonymous Coward

    This :-

    Rye explained. "Wi-Fi access point manufacturers that implement BSSID randomization should be careful not to repeat those same mistakes."

    Ok, I'll bite. When was the last update to your Wi-Fi access point software? I just checked mine and there are no updates available and the last one was back in 2021. My router was updated a few months ago but I can't find any reference to BSSID randomisation.

    I suspect that there are millions of devices out there in a similar situation. More devices heading for landfill... if the user even knows about this and then even cares.

    1. Anonymous Coward

      Re: This :-

      Last update was quite recent actually, I use Ubiquiti hardware and they’re pretty good with updates. I’ll check whether or not BSSID randomisation is in release notes somewhere, after the first few years without issues I set everything to auto update.

      The thing is : BSSID randomisation doesn’t seem all that rando, it’s only at boot if I understand correctly. I think I’ll just go for the _nomap option.

      1. doublelayer Silver badge

        Re: This :-

        You can't change BSSID while things are connected without having a brief drop. However, you could write something to check when there are no WiFi devices connected, then change and bring the interfaces back up without rebooting. How useful that would be depends on the frequency of having no WiFi connections on your network.

        However, BSSID randomization is more important for access points that move, because your SSID won't be changing, so if your hardware never moves, it wouldn't be hard to use those instead to establish your location. In the case of travel routers, they're probably powered down each time you move them, so randomizing on boot could be quite helpful without having to try to randomize them during operation as well. The same would apply to mobile hotspots, mobile terminals like Starlink ones, etc.

        1. Roland6 Silver badge

          Re: This :-

          From reading the paper, this isn’t really about 802.13 but about Apple’s implementation of WPS:

          “ As prior work has noted [35], [12], popular WPSes (especially Apple’s and Google’s) are publicly accessible, and they do not require devices querying the database to prove they actually see the BSSIDs they claim to see. In other words, one can query for any arbitrary MAC address and, if it is in the WPS’s database, then it will return its location. This design lends itself to relatively obvious individually-targeted attacks.”

          Those references refer to published work, of which the most interesting and relevant is Tippenhauer’s 2009 paper “ Attacks on Public WLAN-based Positioning Systems”. It seems that Rye has found another way to use and interpret the available WPS data…

          I suggest the real individual privacy concern with BSSID location harvesting and tracking is the mobile phone personal hotspot (the one we use to connect our tablets and laptops to when out and about). I am thus a little surprised Rye and Levin didn’t experiment with the tracking of such a mobile AP/BSSID, perhaps there is another paper in the pipeline…

          However, Rye’s paper (as is Tippenhauer’s) is a good clear read.

    2. Spamfast
      Happy

      Re: This :-

      When was the last update to your Wi-Fi access point software?

      All mine get updates weekly or more frequently.

      I use OpenWrt on all my routers and access points - the ISP's router simply provides the WAN connection and is firewalled off and its WiFi disabled.

      opkg update && opkg upgrade $(opkg list-upgradable | cut -d' ' -f 1)

      Or, as I do, write a script for a cron-job.

      It's also easy to set the BSSIDs to anything desired - a start-up or cron script can randomize them if wanted.

      1. IGotOut Silver badge

        Re: This :-

        @spamfast.

        And for the other 99.999% of the population?

        1. Snake Silver badge

          Re: other 99.999%

          Indeed. The router here in the office hasn't been issued a firmware update since October 2022, even though bugs were identified and fixes were promised as 'coming soon' with some users having to roll back to a previous version to seek relief. That being 3 years ago, that is.

          2 routers for my personal use both had the same bug, VPN SMB tunneling error, and that company issued me an out-of-band fix with a beta-marked firmware update. This being less than 6 months after I bought the 2nd router, which was still on sale in major outlets. That beta firmware never made it out to other consumers.

          So router manufacturers drop support for "legacy" products faster than Cheeto Jesus can make a promise on the campaign trail that he will never keep.

        2. Spamfast

          Re: This :-

          And for the other 99.999% of the population?

          The question was 'when was your router last updated?'. I replied for myself. They can reply for themselves. ;-)

          Seriously though ...

          I've got it de-wified and the Ethernet firewalled off but my ISP supplied me with a FRITZ!Box VDSL router which - as well as providing user-configurable SIP/DECT/FXS telephony - checks for security updates from the manufacturer (AVM) and provides occasional feature enhancements as well. My neighbour now has a FTTP rig from a different, also non-mass-market, provider that also provides regular updates for its network kit. Both of these are domestic, not business, services and don't cost much more than the mass-market ones. The small extra cost also comes with things like a static IPv4 address, an IPv6 connection with a static delegated prefix (/48 in my case, /52 for my neighbour) and reverse DNS configured as required.

          If they just pulled their fingers out, the mass-market ISPs could maintain their kit as well, especially since many of the routers they provide use OpenWrt under the hood with some extra web interface branding and restriction on top. They could use AVM or GL-iNet or just have an in-house maintained fork of OpenWrt with update servers without it eating anything more than a fraction of a percent of their profit margin. Actually, the improved customer experience might even increase their profits.

        3. rcxb Silver badge

          Re: This :-

          And for the other 99.999% of the population?

          Instead of buying the first shiny one they see, they can easily check that the Wi-Fi router/AP they want has OpenWRT support:

          https://openwrt.org/toh/views/toh_available_16128

          Even if they use vendor firmware, at least they've always got the option to upgrade to OpenWRT later. Resale/reuse value will remain much higher as a result as well.

          1. Fred Dibnah

            Re: This :-

            99.999% don’t buy a router separately, they use the router provided by their ISP.

            And 99.999999% have no idea what OpenWRT is, nor do they care when their router works just fine.

            That’s not to say their routers don’t have security issues, of course, but the average Joe & Julia Bloggs can’t be expected to know how to deal with them other than on a superficial level. The clever people who built the hardware and software are the ones who *should* have the skills and knowledge to do it.

            1. Crypto Monad Silver badge

              Re: This :-

              And 99.999999% have no idea what OpenWRT is

              Given a population of 8.1 billion, you're saying that there are only 81 people in the world who have ever heard of OpenWRT.

              1. Roland6 Silver badge

                Re: This :-

                There’s hearing of OpenWRT and there is actually doing the download and installing…

                Obviously, I’m ignoring those devices that come with some form of OpenWRT preinstalled.

    3. rcxb Silver badge

      Re: This :-

      Since 2010, I've made sure every Wi-Fi router/AP I buy has OpenWRT support:

      https://openwrt.org/toh/views/toh_available_16128

      Even if I use vendor firmware at first, I know I've always got the option to load OpenWRT later. In fact I only quite recently stopped using my 2010 (802.11n) AP.

    4. Roland6 Silver badge

      Re: This :-

      > When was the last update to your Wi-Fi access point software?

      Don’t forget the non-obvious APs like the printer hiding in plain sight running WiFi Direct….

  3. Mister Jones

    Burner Anyone?

    In summary:

    (1) Apple iPhones report back to Cupertino when they find (by Bluetooth) a "Find My" device in the neighbourhood

    (2) Apple iPhones report back to Cupertino when they find a handy geolocation service on a nearby WiFi router

    (3) Any other mobile phones using WiFi for GPS may be (are?) reported back to Cupertino

    One wonders what other "facilities" are buried in:

    - The WiFi infrastructure

    - The iPhone software

    - The Android software

    I think we should be told!!!

    P.S. Doesn't owning a burner seem increasingly attractive? Just saying!!!

    1. gnasher729 Silver badge

      Re: Burner Anyone?

      The phone reports locations - anonymously. Apple doesn’t know who reported or asked for a location.

      1. IceC0ld

        Re: Burner Anyone?

        not that great an amount of anonymity really, let the computers do what computers do best, crunch data, they will find links to the unknown, and match it to other details found elsewhere, pretty soon, all that is missing is your inside leg measurement :o(

        1. Great Southern Land

          Re: Burner Anyone?

          >pretty soon, all that is missing is your inside leg measurement

          And they'll get that from matching your credit/debit card to the store records.

        2. jmch Silver badge
          Trollface

          Re: Burner Anyone?

          "all that is missing is your inside leg measurement"

          Now, that reminds me of the joke about the guy whose balls hurt so much that his doctor recommended a ball-ectomy!

    2. DS999 Silver badge

      Re: Burner Anyone?

      P.S. Doesn't owning a burner seem increasingly attractive? Just saying!!!

      How does that solve cellular companies knowing exactly where you are via tower triangulation? (Exact to within 100 feet or so unless it is a rural area with few towers) They sell that information to governments and third parties and there is nothing stopping it.

      Because if you're worried about someone tracking you via wifi or bluetooth and think a burner dumbphone will fix it I've got bad news for you...

      1. Anonymous Coward

        Re: Burner Anyone?

        @DS999

        Quote: "....cellular companies knowing exactly where you are...."

        No!!! They know where THE PHONE IS LOCATED!!

        No contract, no credit card details......so they have no idea about the identity of "you".............

        1. Anonymous Coward

          Re: Burner Anyone?

          I've noticed at ASDA they have cameras on the tills. So if you still pay by cash you still have to scan the phone and they have a video of you buying it...

          I suppose you could go to a cashier while they still have them.

          1. This post has been deleted by its author

          2. Roland6 Silver badge

            Re: Burner Anyone?

            Buying your burner phone(s) from Asda…

            Personally, I’d visit a market trader specialising in unlocking and secondhand phones…

        2. DS999 Silver badge

          Re: Burner Anyone?

          All they need is one match of your identity to your phone being in the same location and they have you.

          Do you bring that burner phone home? Tower triangulation is easily accurate enough to pinpoint a single residence when a phone is there for long periods, so they have it down to your household. Do you carry it in your car? Cameras along the roadway will match your license plate to a list of phones in the area, and quickly be able to match up car to phone 1 to 1. There are probably cameras with facial recognition too.

          So no, they can know exactly who "you" are unless you're switching that burner phone every few days.

          1. Roland6 Silver badge

            Re: Burner Anyone?

            > All they need is one match of your identity to your phone being in the same location and they have you.

            Upload that image to FB and FB will auto facial recognition it and associate it with other pictures, accounts and names. Even though my FB account doesn’t have my picture on it, FB through its algorithms has managed to connect a lot of stuff to me, even with pictures others have put up (in groups I’m a member of) linked the right name to the face…

            1. DS999 Silver badge

              Re: Burner Anyone?

              If someone posts a photo of you and them together, with the comment "me and @Roland6" hanging out then if they know the friend's face they know the other one is you.

              1. Roland6 Silver badge

                Re: Burner Anyone?

                Precisely; now if Asda upload the checkout mug shot, don’t be surprised if FB kindly provide Asda with the “me and @Roland6” picture and comment, particularly if it was posted on a public group. So far FB don’t seem to do similar for pictures posted to closed user groups.

          2. Anonymous Coward

            Re: Burner Anyone?

            You don't get it do you?

            The physical phone was bought for cash (second hand) from a stall on the high street.

            The SIM(s) was/were bought for cash in a convenience store.

            The SIM was installed and the phone was switched on for the first time in the middle of Trafalgar Square.

            The phone now HAS NO CONNECTION AT ALL with any real identity.

            The mobile phone company can track THE LOCATION OF THE PHONE.

            So the phone turns up at Susan's house....or at Downing Street.......what EXACTLY does that prove?

            So the phone was in Starbucks when a hundred other people paid for coffee with a credit card. What EXACTLY does that prove?

            Same with matching up CCTV images?

            Please try harder..........burners look pretty good from where I'm sitting.......and is that seat the same place as my burner.....????????

            Who am I???

            1. Winkypop Silver badge
              Holmes

              Re: Burner Anyone?

              And yet.

              Said phone spends every evening until morning at 221B Baker Street…

            2. Roland6 Silver badge

              Re: Burner Anyone?

              All very good, until that phone becomes of interest to an agency who can cross reference different data sources and so start to close the net….

              Burner phones without an income to finance the habit can rapidly get expensive…

  4. Bebu Silver badge
    Windows

    Bit confused

    This positioning system uses the BSSID (mac/hardware address) of the Wifi AP as the unique key/identifier in its geoloc database unless you append _nomap to the SSID which is usually broadcast by default.

    This logic suggests if I disable SSID broadcasts (hidden) Apple should ignore my AP but I am guessing this isn't the case. Actually I suspect even with _nomap, Apple will still harvest your BSSID/location but not return it when queried by the polloi but is perhaps used for their own nefarious purposes.

    Wifi clients seem to randomize their mac addresses by default (every time the interface is brought up) but I assume AP can only practically do this once every restart.

    The rather aging APs I possess wouldn't have mac randomization but I have ssh access and could use /sbin/ip to randomize the wireless hardware address and bounce the interface from a cron job.
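The approach raised in the comments above (rotate the BSSID from a start-up or cron script, only while no client is associated, and opt out with `_nomap`) can be sketched for OpenWrt as follows. This is an added example, not code from any commenter or from the paper; the interface name `wlan0`, the uci section `wireless.default_radio0` and the script path in the cron comment are assumptions to adjust for your device.

```shell
#!/bin/sh
# Added example: rotate an OpenWrt AP's BSSID only while it has no clients.
# ASSUMPTIONS: IFACE and SECTION below; check `iw dev` and `uci show wireless`.
IFACE="${IFACE:-wlan0}"
SECTION="${SECTION:-wireless.default_radio0}"

# Print a random MAC with the locally-administered bit set and the
# multicast bit cleared, i.e. a valid unicast BSSID outside any vendor OUI.
random_laa_mac() (
    hex=$(LC_ALL=C tr -dc '0-9a-f' < /dev/urandom | head -c 12)
    b=$(printf '%s\n' "$hex" | cut -c1-2)
    first=$(( (0x$b | 2) & 254 ))
    rest=$(printf '%s\n' "$hex" | cut -c3-12 | sed 's/../:&/g')
    printf '%02x%s\n' "$first" "$rest"
)

# Succeed only for a lowercase MAC whose first octet marks it as
# locally administered and unicast (second hex digit 2, 6, a or e).
is_laa_unicast() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f][26ae](:[0-9a-f]{2}){5}$'
}

# Print the SSID with the _nomap opt-out suffix, or fail if the result
# would exceed the 32-byte SSID limit mentioned in the thread.
nomap_ssid() {
    case "$1" in
        *_nomap) ns_new=$1 ;;
        *)       ns_new="${1}_nomap" ;;
    esac
    ns_len=$(printf '%s' "$ns_new" | wc -c)
    [ "$((ns_len))" -le 32 ] || return 1
    printf '%s\n' "$ns_new"
}

# Count associated clients from `iw dev <if> station dump` output on stdin.
count_stations() {
    grep -c '^Station ' || true
}

# Rotate the BSSID if, and only if, nobody is connected right now.
rotate_if_idle() {
    ri_dump=$(iw dev "$IFACE" station dump) || return 1  # do not rotate blind
    ri_n=$(printf '%s\n' "$ri_dump" | count_stations)
    if [ "$ri_n" -ne 0 ]; then
        echo "skip: $ri_n client(s) associated on $IFACE"
        return 0
    fi
    ri_mac=$(random_laa_mac)
    uci set "$SECTION.macaddr=$ri_mac"
    uci commit wireless
    wifi reload                      # re-applies config without a reboot
    logger -t bssid-rotate "BSSID on $IFACE set to $ri_mac"
}

# Hypothetical cron entry: */30 * * * * /root/bssid-rotate.sh apply
if [ "${1:-}" = "apply" ]; then
    rotate_if_idle
fi
```

As the replies note, rotation mainly helps access points that move; for a fixed AP the SSID still identifies the location, so the `_nomap` suffix is the relevant opt-out there.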

    1. DS999 Silver badge

      Re: Bit confused

      but I assume AP can only practically do this once every restart

      There's no reason they could do it every time the last client disconnects from them, they'd just need to have firmware that tells them to do so. They could even do it while clients are connected - they'd be interrupted and take a few seconds to reconnect but if you're willing to endure that there's no reason you couldn't randomize your BSSID every hour.

    2. Roland6 Silver badge

      Re: Bit confused

      > This logic suggests if I disable SSID broadcasts (hidden)…

      Trouble is we have been here before: disabling SSID broadcast on the AP means it has to be enabled on the client, making it much easier to compromise client systems. Also your AP is only hidden whilst it is not communicating with a client device…(there were plenty of papers and tools available in the early 2000’s which exploded the myth surrounding the security it provided).

      Changing the BSSID is also potentially a connection problem, as many client devices store the SSID and BSSID pair and will ask the user for confirmation of connection if a different BSSID is discovered.

      However, as Wigle.net and WhatThreeWords confirm, a relatively small number of SSIDs is necessary to get a reasonable geolocation, and given how many people use the ISP provided router with its probably unique SSID, that number is potentially one. Interestingly, many of the rules developed back in the early 2000’s about what constitutes a secure SSID still apply. Hence dynamic BSSID isn’t really a solution and dynamic SSID is probably only a solution to those who can embed something like an RSA SecurID in all their clients so the client will only attempt to connect to SSID 443853 if the associated BSSID had immediately previously broadcast SSID 905595. I.e. we are moving into military levels of security.

      Basically, if you want security and a network connection then the only solution is to turn off your mobile device’s WiFi and plug in an adaptor that permits the use of fixed line Ethernet, which has been the case with WiFi right from the outset…

  5. Whitter
    Holmes

    Deja vu?

    Is this not a bit similar to Google's "accidental" harvesting of WIFI info from their street-map camera-cars many years back?

    This time, crowd-sourcing the car.

  6. Dostoevsky

    Now I want to see how well it correlates *my* router's BSSID and location. Hopefully poorly, but it sounds like living in a rural area won't protect me.

    This, I have to fix.

    1. phuzz Silver badge

      If anyone has come within wifi range of your router with an iPhone*, then there's a good chance it's in their database with a somewhat rough location.

      (At minimum they have a GPS location that is within range of your wifi)

      * or iPad? Do they have GPS in?

      1. John Brown (no body) Silver badge

        All models with WWAN connecting to the mobile network have GPS. WiFi only models also have geolocation using the aforementioned BSSID location system over WiFi.

    2. 142

      If it's a statically located router, this issue is essentially spurious. Basically it allows someone to say "oh, there is a wifi access point in this house", and absolutely nothing else.

      It's only an issue when the access point moves e.g. for travel routers, or for people who have relocated to be in hiding, etc.

    3. Roland6 Silver badge

      > Now I want to see how well it correlates *my* router's BSSID and location.

      A look on Wigle.net for your SSID and location data might be educational…

      1. Dostoevsky

        Cool link! Thank you!

        I checked, and neither the new nor the old BSSID show up. That's the benefit of living way out here.

  7. Guy de Loimbard
    Alien

    Please, harvest some more from me......

    Interesting study and something that I wasn't aware of.

    I doff my cap to the learned studious types who have identified this.

    There appears to be no end of "features" being revealed in a myriad of home and personal network devices that, as far as I'm concerned, are going way past what the average person would consider acceptable.

    IMHO the use of hardware that you and I have spent our cash on to turn the globe into a technical playground for tech companies is really taking the biscuit or tin at the moment!

    Why do the various manufacturers require all this geo location information? (Rhetorical question!)

    1. Blazde Silver badge
      Big Brother

      Re: Please, harvest some more from me......

      Why do the various manufacturers require all this geo location information? (Rhetorical question!)

      The latest thing is selling it to the DOOH industry

      https://www.clearchannel.co.uk/faqs-1

      What is Clear Channel RADAR®?

      RADAR is a suite of tools that’s proprietary to Clear Channel and uses aggregated, anonymised mobile location data to better understand the audience groups that are passing by our advertising sites.

      ..

      Where does the data come from?

      In the UK, the mobile location data which is used to generate the audience profile insights in RADARView® currently comes from AdSquare, a carefully vetted third-party data provider and an established leader in location technology. They aggregate and anonymise data from mobile devices of consenting individuals, representing approx. 10% of UK population, prior to sharing the data with us.

      10%? Geez... I assume their use of the word 'consenting' is as loose as possible here.

      New jollies: Hang out by a busy digital billboard. Whenever someone passing by glances at it and it changes to something mildly embarrassing point and laugh. Plot twist: It won't stop showing my browsing history

      1. gnasher729 Silver badge

        Re: Please, harvest some more from me......

        You are confusing detecting the location of a Wifi router with detecting phones that come close to an advertising point. Let’s just mention that in the second case there is no need to get location data, because the phone is at the known location of the advertiser. (And iPhones cannot be identified because they use a random Id that changes all the time. )

        1. Blazde Silver badge

          Re: Please, harvest some more from me......

          Am I? They're getting mobile location data. Mobile location data which comes, in part, from locating the phone relative to Wi-Fi APs which in turn are located relative to each other and to phones using GPS.

          My quip about it being live was throw-away but AdSquare do offer 'Real-Time Footfall Measurement' (whatever that means) as part of their location data feed. They also tell you whether phones exposed to ads subsequently visit stores (statistically or actually I'm not sure). Again, they use location data for that.

          To turn your point around: There's no need to 'detect phones that come close to an advertising point' when you have the phone feeding you location data whether it's near an advertising point or not.

    2. IceC0ld

      Re: Please, harvest some more from me......

      [quote]Why do the various manufacturers require all this geo location information? (Rhetorical question!)[/quote]

      I am more concerned to think that they have deliberately built this ability into the device, it COULD be 'ghosts in the machine' but I seriously think they are just out to see just how far they can push boundaries before they get pulled back, although, from previous experiences, even when they ARE caught, and 'forced' to rein it in, the fines slapped on them are pitiful, massive to the man in the street, a few minutes of profit to these grubby types :o(

      1. gnasher729 Silver badge

        Re: Please, harvest some more from me......

        Since Apple has published for many years exactly what they are doing, your idea of “getting caught” doesn’t make any sense whatsoever.

      2. IceC0ld

        Re: Please, harvest some more from me......

        the more I think about it, the more it annoys me now

        someone HAD to have had input when they were designing the beast, to add it in to do what it does, it cannot just happen, the real question, therefore, is why ? and as a quick stab at that answer, I will suppose MONEY to be in there, quite high in the tree, if not actually the main reason :o(

    3. DS999 Silver badge

      Re: Please, harvest some more from me......

      Why do the various manufacturers require all this geo location information?

      Well you can make up your nefarious reasons, but the non-nefarious reason is because GPS doesn't work indoors or when blocked by buildings, trees, etc. So if you want location information to be properly updated, you need to have other sources to locate yourself when GPS is unavailable. GPS is also more power hungry, but I suspect the first reason is more important than that factor.

    4. gnasher729 Silver badge

      Re: Please, harvest some more from me......

      “ Why do the various manufacturers require all this geo location information? (Rhetorical question!)”

      So that your phone can tell you where you are, especially in a built-up area where GPS has problems working. Go to London. Lots of tall buildings that stop GPS from working (you need line-of-sight to three satellites, and tall buildings create reflections that make things worse). At the same time, you detect lots of WiFi networks and get their locations and calculate your own location from that.

  8. gnasher729 Silver badge

    The reason for providing a large list of locations: It means that my iPhone can travel some distance without asking for information again. I go on holiday in a small seaside town. First request I get all locations around me. Until I leave the area completely, the phone can just listen passively and nobody can figure out my movements in that town.

    1. Anonymous Coward

      believe that most smart phones can use inertial guidance to keep track of where they are when they lose gps signals. lost signal but google maps showed my position in the brooklyn-battery tunnel some years ago.

      1. gnasher729 Silver badge

        That’s another way to determine your location, but it will deteriorate over time. Router locations stored locally on the phone will give a much more precise location.

  9. Mike007 Bronze badge

    Since when was the physical location of a radio beacon considered "private sensitive confidential nobody can know this" information?

    Might as well start claiming that it's a security risk that when my neighbours open a list of WiFi networks they can see that I have one as well!

    1. W.S.Gosset Silver badge

      >Might as well start claiming that it's a security risk that when my neighbours open a list of WiFi networks they can see that I have one as well!

      That is, in fact, precisely correct, is precisely the case. It IS a security/privacy risk.

      And so the option of controlling/eliminating that risk is explicitly factored into the standard protocol. If you are sensitive to this risk (most people aren't, or deem negative the cost/benefit of controlling it) you simply toggle OFF the Broadcast option for your SSID.

      The point of this article is that, for this new capability, this risk-control option has NOT been provided by Apple.

      1. gnasher729 Silver badge

        You seem to be confused. You blame Apple that they don’t let you disable a brand new feature that was used for at least 15 years on a wifi router that wasn’t built by apple if it is less than six years old.

        1. W.S.Gosset Silver badge

          >You seem to be confused. You blame Apple that they dont let you disable a brand new feature

          You seem to be confused. Competitors let you disable this "brand new feature" 13 YEARS AGO.

          Live in PROD in 2011 :- https://googleblog.blogspot.com/2011/11/greater-choice-for-wireless-access.html

          Announced as DEV 2 months earlier in response to requests from "several data protection agencies" in Europe :- https://europe.googleblog.com/2011/09/new-option-for-location-based-services.html

          1. gnasher729 Silver badge

            You seem to have lost the plot completely now. Apple doesn’t allow you to disable a feature in your non-Apple router that Apple cannot control whatsoever. There’s nothing that apple can allow or disallow because it’s not their router.

            BTW. If everyone disables it the result is that all phones will find it a lot harder to tell you where you are, especially in built-up areas.

            1. W.S.Gosset Silver badge

              Do feel free to read the article. You're contradicting it, and also Google's announcement.

            2. Roland6 Silver badge

              Firstly, the only feature a router currently has is the ability to hide or make public the SSID. I don’t know if Apple’s AirPort (withdrawn in 2015) supports this or not.

              However, as @W.S.Gosset references, the _NoMap prefix to the SSID promoted by Google (and the _OptOut SSID substring implemented by Microsoft) requires no special functionality in the router, just the ability to change the SSID.

              It is Apple’s choice whether its WPS supports the Google initiative or, like Microsoft, do their own thing (although it seems MS have fallen into line with Google, although there is some uncertainty over whether _OptOut is still used on some other aspects of MS’s location services).

              There is an unspoken part of this debate, namely where the _NoMap request is processed, currently it seems it is only actioned by the central WPS service and not by the client SSID/BSSID collector. Hence regardless of this setting, the SSID is always uploaded.

              Likewise it is Apple’s choice how it distributes the WPS data to its service users.

      2. 142

        > The point of this article is that, for this new capability, this risk-control option has NOT been provided by Apple.

        I would contend that the risk control is most appropriately provided by the people responsible for the broadcasting, as mentioned in the second half of the article.

        1. Roland6 Silver badge

          > I would contend that the risk control is most appropriately provided by the people responsible for the broadcasting

          Depends on your definition of “broadcasting”…

          With respect to WPS, it is Apple doing the broadcasting:

          An Apple device is collecting a BSSID and forwarding the details to their WPS, which by the way it responds to requests broadcasts the location details to anyone who cares to ask.

          Yes, an AP owner can add “_NoMap” (and “_OptOut”) to the SSID; assuming it doesn’t cause the SSID to go over the 32 character limit, and then reconnect all their devices to the new SSID. However, that does not prevent the SSID and BSSID from being collected and forwarded to WPS services. The evidence is that such services maintain a DB of such APs, but don’t rebroadcast the BSSID etc.

          In some respects the issue of BSSIDs and WPS has parallels with aircraft location and flight tracking apps; remember owners of private jets, such as Musk, dislike these services…

          So yes, the “risk control” is best addressed by not having a WiFi AP…

      3. razorfishsl

        nope... turning off the ssid Bcast is a security risk... go do some research... WIFI does not work the way you think it does...

        1. W.S.Gosset Silver badge

          2 ~identical commenters, 1 reply

      4. Roland6 Silver badge

        >” If you are sensitive to this risk … you simply toggle OFF the Broadcast option for your SSID.”

        ROFL

        Turning off SSID as some form of security was totally discredited 20 years back! The laugh back then was that people also thought DES was secure. So a man-in-the-middle attack on clients of networks that used hidden SSIDs and/or DES was trivial…

        The laugh now is how many (and this includes “security experts”) who still think an AP not broadcasting the SSID is some form of security.

        1. W.S.Gosset Silver badge

          Roland6 & razorfishsl:

          Neither of you seem aware of how wifi works. More importantly, both of you are flipping the context into something utterly divorced from that being discussed in the article or the comments.

          razorfishsl: "Hiding" your SSID creates no additional security risk.

          Both of you: have rotated the topic from APs not being passively scanned and included in WPS to be picked up by later data-grovellers, to security of the client against ACTIVE and sophisticated and hardware(usually)-prepared antagonists, specifically MitM attacks. These attacks are agnostic to SSID broadcast, something neither of you seem to realise. They pick the SSID out of the client's initial Probe frame. That occurs whether the AP broadcasts SSID or not (although, if it does, certainly an easy MitM attack would simply spoof ALL of them). If the client can pluck a known SSID out of the AP's beacon then it will send just the one probe; otherwise they typically blurt all their known SSIDs on broadcast until they get a hit. (If you are being personally targeted then obscurity is no defence. But it can prevent attracting attention from random idiots/opportunistic fraudsters.)

          Regardless, what I said is correct for the actual topic. It is not "perfect" security, but it reduces the attack surface for the actual exposure being discussed. As such, it's a candidate mitigation.

          1. Roland6 Silver badge

            Totally aware, just noting turning off AP SSID broadcast has ramifications, specifically increases the insecurity of client devices…

            > "Hiding" your SSID creates no additional security risk.

            Not according to the CLAS security briefing note on setting up a secure WiFi network…

            Remember with hidden SSIDs the client has to beacon to get a hidden AP to reveal itself, making drive by MitM attacks so much easier, ie. They can be performed wherever the client device may be.

            With broadcast/public APs, clients only reveal themselves when in the presence of the AP, making a drive by client attack more difficult.

            Also as you note, hidden SSIDs aren’t really hidden, with the AP at times broadcasting the hidden SSID, and if the AP is also being used for non hidden SSIDs… A question is whether the BSSID collector makes any distinction between hidden and public SSIDs, from what has been written I suspect not; an Apple device once it knows of a hidden SSID, will simply upload the BSSID etc. …

            > As such, it's a candidate mitigation.

            Yes, but not without a downside… From the work I’ve done I would suggest it’s more of a comfort blanket than a security feature.

      5. gnasher729 Silver badge

        Maybe I should shoot the postman who knows which house belongs to my postal address, and delivers my mail and goods to me, breaching my privacy rights?

        What this does is figure out that _my_ WiFi router is located at _my_ home. These clever guys figured out that if my house burnt down including the router then the router would stop transmitting data. Who would have thought that. Yes, that’s a total privacy risk.

    2. Colin Miller

      If a stalker knows their ex's access point's BSSID, then they might be able to find out where it is, by sending a location request with (for example) FF:FF:FF:00:11:22 at 10%. If it returns an approximate location, then they can stalk the area (G's result). A's result appears to be the exact location of the access point.

      I hope both services will check what other access points should be visible, and if the request doesn't include any of them, then they will reject the request.

      1. gnasher729 Silver badge

        Ex should ask a nice armed police officer to swap WiFi routers with her.

    3. John Brown (no body) Silver badge

      "Since when was the physical location of a radio beacon considered "private sensitive confidential nobody can know this" information?"

      As with so many areas of "big data", when it stopped being something someone with a receiver could make note of and changed to $Big_Corp collecting, collating and geolocating every single AP they can crowd source from millions of users all over the world. It's not the act that may be wrong, morally or otherwise, it's the scale of it and how that data is then further used in linking to other large datasets.

      It's quite a difficult issue to resolve and it's been an ongoing issue ever since The Great Data Slurp started :-)

      Think, for example, of the Right To Be Forgotten laws in some jurisdictions. There was no need for that pre-Internet and data going online because in most cases it took some serious legwork and physical travelling to find out information about people, visiting records offices, newspaper archives, libraries and the like. If you needed to be "forgotten", you could just move to another town and start over. When you can find and track someone and all their past deeds or mis-deeds with the click of a button, it suddenly becomes very cheap and easy to do to just about anyone, not just someone "of value", hence the sticking plaster "Right To Be Forgotten" laws.

  10. Anonymous Coward
    Anonymous Coward

    This is not new... and there are actually strings you can add to your WIFI point to exclude it from the database.

    It goes back to 2011, when Google was busted for grabbing SSIDs.

    Also be aware of MS new AUTHENTICATOR app, that they are trying to stuff down everyone's throat.

    It also has location tracking and can report back to MS every few minutes of where the device is, who else is near the device && any SSIDs for wifi.

    This data is supposed to be available as a paid service for the company the devices are attached to.

    We received notification from MS that in the next 2 weeks, their authenticator will become the DEFAULT system for logging into 365.

    All other 2fa authenticators WILL NOT be accepted.

  11. Duncan10101
    Joke

    But his mother's words echoed again ...

    "Don't take your phone to town, son

    Leave your phone at home, Bill

    Don't take your phone to town"

    (with apologies to Johnny Cash)

  12. Fred Fallacy

    I'm not sure SSID randomization is the answer.

    How about a rolling SSID derived every day, eg using a TOTP-style algorithm. Then your router and clients can be set up with the same key and each derive a new one each morning.
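
A sketch of the rolling-SSID idea proposed in the comment above, added here as an example and not part of the original post or of any router firmware. The function names, the `net-` prefix and the 80-bit tag length are assumptions; it derives only the network name (SSID) and does not touch the BSSID.

```python
import base64
import hashlib
import hmac
import struct

DAY_SECONDS = 86400
MAX_SSID_OCTETS = 32  # IEEE 802.11 limit on SSID length


def rolling_ssid(key: bytes, unix_time: int, prefix: str = "net-") -> str:
    """Derive the SSID for the UTC day containing unix_time.

    TOTP-style: HMAC over a time-step counter, here with a one-day step
    and SHA-256 (both are choices made for this example).
    """
    counter = unix_time // DAY_SECONDS
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha256).digest()
    # 10 bytes (80 bits) encode to exactly 16 base32 characters, no padding.
    tag = base64.b32encode(mac[:10]).decode("ascii").lower()
    ssid = prefix + tag
    if len(ssid.encode("utf-8")) > MAX_SSID_OCTETS:
        raise ValueError("derived SSID exceeds 32 octets")
    return ssid


def match_scanned(key: bytes, unix_time: int, scanned, prefix: str = "net-"):
    """Client side: pick our network out of a scan result.

    Accepts yesterday's, today's and tomorrow's name so that clock skew
    around midnight does not lock a client out.
    """
    candidates = {
        rolling_ssid(key, unix_time + d * DAY_SECONDS, prefix) for d in (-1, 0, 1)
    }
    for ssid in scanned:
        if ssid in candidates:
            return ssid
    return None


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed sample value
    now = 19862 * DAY_SECONDS           # constructed timestamp, start of a UTC day
    today = rolling_ssid(demo_key, now)
    print(today, match_scanned(demo_key, now, ["CoffeeShop", today]))
```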

  13. Ethan Strongtower

    Randomization of mobile phone hotspot BSSIDs

    According to this article by Brian Krebs (https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/):

    'The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.

    “Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”'

  14. Ambivalous Crowboard

    FYI, GL.iNet are releasing randomised BSSID

    I've just had a firmware update advertised to me for version 4.6.2 (preview) and one of the features is you can turn on randomised BSSID to prevent tracking.

    https://blog.gl-inet.com/preventive-actions-to-safeguard-glinet-users-from-bssid-based-location-tracking/
