Wait until you find out that Comcast's goal is to put a Comcast owned wifi router in every home. Then what is Ray going to do?
How Apple Wi-Fi Positioning System can be abused to track people around the globe
Academics have shown how Apple's Wi-Fi Positioning System (WPS) can be abused to create a global privacy nightmare. In a paper titled, "Surveilling the Masses with Wi-Fi-Based Positioning Systems," Erik Rye, a PhD student at the University of Maryland (UMD) in the US, and Dave Levin, associate professor at UMD, describe how …
COMMENTS
-
-
Friday 24th May 2024 13:06 GMT Snake
Not just Comcast. Spectrum also "voluntarily" issues you a wi-fi modem/router for your home, broadcasting Spectrum's Out-of-Home shared wi-fi SSID automatically
https://www.spectrum.com/internet/wifi-access-points
You can opt-out, as I did, but you initially get a surprised Pikachu face to your request from the service representative behind the counter when you do so. But you need to know enough to ask for the opt-out in the first place.
-
-
Thursday 23rd May 2024 09:09 GMT Anonymous Coward
This :-
Rye explained. "Wi-Fi access point manufacturers that implement BSSID randomization should be careful not to repeat those same mistakes."
Ok, I'll bite. When was the last update to your Wi-Fi access point software? I just checked mine and there are no updates available and the last one was back in 2021. My router was updated a few months ago but I can't find any reference to BSSID randomisation.
I suspect that there are millions of devices out there in a similar situation. More devices heading for landfill... if the user even knows about this and then even cares.
-
Thursday 23rd May 2024 09:41 GMT Anonymous Coward
Re: This :-
Last update was quite recent actually, I use Ubiquiti hardware and they’re pretty good with updates. I’ll check whether or not BSSID randomisation is in release notes somewhere, after the first few years without issues I set everything to auto update.
The thing is: BSSID randomisation doesn’t seem all that rando, it’s only at boot if I understand correctly. I think I’ll just go for the _nomap option.
-
Thursday 23rd May 2024 19:00 GMT doublelayer
Re: This :-
You can't change BSSID while things are connected without having a brief drop. However, you could write something to check when there are no WiFi devices connected, then change and bring the interfaces back up without rebooting. How useful that would be depends on the frequency of having no WiFi connections on your network.
However, BSSID randomization is more important for access points that move, because your SSID won't be changing, so if your hardware never moves, it wouldn't be hard to use those instead to establish your location. In the case of travel routers, they're probably powered down each time you move them, so randomizing on boot could be quite helpful without having to try to randomize them during operation as well. The same would apply to mobile hotspots, mobile terminals like Starlink ones, etc.
-
Friday 24th May 2024 17:27 GMT Roland6
Re: This :-
From reading the paper, this isn’t really about 802.13 but about Apple’s implementation of WPS:
“As prior work has noted [35], [12], popular WPSes (especially Apple’s and Google’s) are publicly accessible, and they do not require devices querying the database to prove they actually see the BSSIDs they claim to see. In other words, one can query for any arbitrary MAC address and, if it is in the WPS’s database, then it will return its location. This design lends itself to relatively obvious individually-targeted attacks.”
Those references refer to published work, of which the most interesting and relevant is Tippenhauer’s 2009 paper “Attacks on Public WLAN-based Positioning Systems”. It seems that Rye has found another way to use and interpret the available WPS data…
I suggest the real individual privacy concern with BSSID location harvesting and tracking is the mobile phone personal hotspot (the one we use to connect our tablets and laptops to when out and about). I am thus a little surprised Rye and Levin didn’t experiment with the tracking of such a mobile AP/BSSID, perhaps there is another paper in the pipeline…
However, Rye’s paper (as is Tippenhauer’s) is a good clear read.
-
-
-
Thursday 23rd May 2024 21:13 GMT Spamfast
Re: This :-
When was the last update to your Wi-Fi access point software?
All mine get updates weekly or more frequently.
I use OpenWrt on all my routers and access points - the ISP's router simply provides the WAN connection and is firewalled off and its WiFi disabled.
opkg update && opkg upgrade $(opkg list-upgradable | cut -d' ' -f 1)
Or, as I do, write a script for a cron-job.
It's also easy to set the BSSIDs to anything desired - a start-up or cron script can randomize them if wanted.
-
-
Friday 24th May 2024 13:20 GMT Snake
Re: other 99.999%
Indeed. The router here in the office hasn't been issued a firmware update since October 2022, even though bugs were identified and fixes were promised as 'coming soon' with some users having to roll back to a previous version to seek relief. That being 3 years ago, that is.
2 routers for my personal use both had the same bug, VPN SMB tunneling error, and that company issued me an out-of-band fix with a beta-marked firmware update. This being less than 6 months after I bought the 2nd router, which was still on sale in major outlets. That beta firmware never made it out to other consumers.
So router manufacturers drop support for "legacy" products faster than Cheeto Jesus can make a promise on the campaign trail that he will never keep.
-
Friday 24th May 2024 13:57 GMT Spamfast
Re: This :-
And for the other 99.999% of the population?
The question was 'when was your router last updated?'. I replied for myself. They can reply for themselves. ;-)
Seriously though ...
I've got it de-wified and the Ethernet firewalled off but my ISP supplied me with a FRITZ!Box VDSL router which - as well as providing user-configurable SIP/DECT/FXS telephony - checks for security updates from the manufacturer (AVM) and provides occasional feature enhancements as well. My neighbour now has a FTTP rig from a different, also non-mass-market, provider that also provides regular updates for its network kit. Both of these are domestic, not business, services and don't cost much more than the mass-market ones. The small extra cost also comes with things like a static IPv4 address, an IPv6 connection with a static delegated prefix (/48 in my case, /52 for my neighbour) and reverse DNS configured as required.
If they just pulled their fingers out, the mass-market ISPs could maintain their kit as well, especially since many of the routers they provide use OpenWrt under the hood with some extra web interface branding and restriction on top. They could use AVM or GL-iNet or just have an in-house maintained fork of OpenWrt with update servers without it eating anything more than a fraction of a percent of their profit margin. Actually, the improved customer experience might even increase their profits.
-
Friday 24th May 2024 19:24 GMT rcxb
Re: This :-
And for the other 99.999% of the population?
Instead of buying the first shiny one they see, they can easily check that the Wi-Fi router/AP they want has OpenWRT support:
https://openwrt.org/toh/views/toh_available_16128
Even if they use vendor firmware, at least they've always got the option to upgrade to OpenWRT later. Resale/reuse value will remain much higher as a result as well.
-
Monday 27th May 2024 06:20 GMT Fred Dibnah
Re: This :-
99.999% don’t buy a router separately, they use the router provided by their ISP.
And 99.999999% have no idea what OpenWRT is, nor do they care when their router works just fine.
That’s not to say their routers don’t have security issues, of course, but the average Joe & Julia Bloggs can’t be expected to know how to deal with them other than on a superficial level. The clever people who built the hardware and software are the ones who *should* have the skills and knowledge to do it.
-
-
-
-
Friday 24th May 2024 19:18 GMT rcxb
Re: This :-
Since 2010, I've made sure every Wi-Fi router/AP I buy has OpenWRT support:
https://openwrt.org/toh/views/toh_available_16128
Even if I use vendor firmware at first, I know I've always got the option to load OpenWRT later. In fact I only quite recently stopped using my 2010 (802.11n) AP.
-
-
Thursday 23rd May 2024 10:16 GMT Mister Jones
Burner Anyone?
In summary:
(1) Apple iPhones report back to Cupertino when they find (by Bluetooth) a "Find My" device in the neighbourhood
(2) Apple iPhones report back to Cupertino when they find a handy geolocation service on a nearby WiFi router
(3) Any other mobile phones using WiFi for GPS may be (are?) reported back to Cupertino
One wonders what other "facilities" are buried in:
- The WiFi infrastructure
- The iPhone software
- The Android software
I think we should be told!!!
P.S. Doesn't owning a burner seem increasingly attractive? Just saying!!!
-
Thursday 23rd May 2024 20:31 GMT DS999
Re: Burner Anyone?
P.S. Doesn't owning a burner seem increasingly attractive? Just saying!!!
How does that solve cellular companies knowing exactly where you are via tower triangulation? (Exact to within 100 feet or so unless it is a rural area with few towers) They sell that information to governments and third parties and there is nothing stopping it.
Because if you're worried about someone tracking you via wifi or bluetooth and think a burner dumbphone will fix it I've got bad news for you...
-
-
-
This post has been deleted by its author
-
-
Friday 24th May 2024 18:40 GMT DS999
Re: Burner Anyone?
All they need is one match of your identity to your phone being in the same location and they have you.
Do you bring that burner phone home? Tower triangulation is easily accurate enough to pinpoint a single residence when a phone is there for long periods, so they have it down to your household. Do you carry it in your car? Cameras along the roadway will match your license plate to a list of phones in the area, and quickly be able to match up car to phone 1 to 1. There are probably cameras with facial recognition too.
So no, they can know exactly who "you" are unless you're switching that burner phone every few days.
-
Saturday 25th May 2024 10:38 GMT Roland6
Re: Burner Anyone?
> All they need is one match of your identity to your phone being in the same location and they have you.
Upload that image to FB and FB will auto facial recognition it and associate it with other pictures, accounts and names. Even though my FB account doesn’t have my picture on it, FB through its algorithms has managed to connect a lot of stuff to me, even with pictures others have put up (in groups I’m a member of) linked the right name to the face…
-
-
Saturday 25th May 2024 22:30 GMT Roland6
Re: Burner Anyone?
Precisely; now if Asda upload the checkout mug shot, don’t be surprised if FB kindly provide Asda with the “me and @Roland6” picture and comment, particularly if it was posted on a public group. So far FB don’t seem to do similar for pictures posted to closed user groups.
-
-
-
Sunday 26th May 2024 15:24 GMT Anonymous Coward
Re: Burner Anyone?
You don't get it do you?
The physical phone was bought for cash (second hand) from a stall on the high street.
The SIM(s) was/were bought for cash in a convenience store.
The SIM was installed and the phone was switched on for the first time in the middle of Trafalgar Square.
The phone now HAS NO CONNECTION AT ALL with any real identity.
The mobile phone company can track THE LOCATION OF THE PHONE.
So the phone turns up at Susan's house....or at Downing Street.......what EXACTLY does that prove?
So the phone was in Starbucks when a hundred other people paid for coffee with a credit card. What EXACTLY does that prove?
Same with matching up CCTV images?
Please try harder..........burners look pretty good from where I'm sitting.......and is that seat the same place as my burner.....????????
Who am I???
-
-
-
-
Thursday 23rd May 2024 11:06 GMT Bebu
Bit confused
This positioning system uses the BSSID (mac/hardware address) of the Wifi AP as the unique key/identifier in its geoloc database unless you append _nomap to the SSID which is usually broadcast by default.
This logic suggests if I disable SSID broadcasts (hidden) Apple should ignore my AP but I am guessing this isn't the case. Actually I suspect even with _nomap, Apple will still harvest your BSSID/location but not return it when queried by the polloi but is perhaps used for their own nefarious purposes.
Wifi clients seem to randomize their mac addresses by default (every time the interface is brought up) but I assume AP can only practically do this once every restart.
The rather aging APs I possess wouldn't have mac randomization but I have ssh access and could use /sbin/ip to randomize the wireless hardware address and bounce the interface from a cron job.
-
Thursday 23rd May 2024 20:34 GMT DS999
Re: Bit confused
but I assume AP can only practically do this once every restart
There's no reason they could do it every time the last client disconnects from them, they'd just need to have firmware that tells them to do so. They could even do it while clients are connected - they'd be interrupted and take a few seconds to reconnect but if you're willing to endure that there's no reason you couldn't randomize your BSSID every hour.
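Added example, not part of any commenter's post: the approach doublelayer, Spamfast, Bebu and DS999 describe above (rotate the BSSID from a cron job, and only when no client is associated), written for OpenWrt. The interface name wlan0, the uci section wireless.@wifi-iface[0] and the embedded `iw` output are assumptions or constructed samples, to be adjusted per device.

```sh
#!/bin/sh
# Added example: rotate an OpenWrt AP's BSSID only while no station is associated.
# Assumptions: AP interface wlan0, uci section wireless.@wifi-iface[0].

# Constructed sample of `iw dev wlan0 station dump` output, for offline checks.
sample_iw_dump() {
cat <<'EOF'
Station 3a:11:22:33:44:55 (on wlan0)
	inactive time:	120 ms
	signal:  	-52 dBm
Station 02:aa:bb:cc:dd:ee (on wlan0)
	inactive time:	4000 ms
	signal:  	-67 dBm
EOF
}

# Count associated stations from `iw dev <if> station dump` output on stdin.
station_count() {
    awk '/^Station /{n++} END{print n+0}'
}

# Six random bytes as 12 lowercase hex digits (od if present, else hexdump).
rand_hex() {
    if command -v od >/dev/null 2>&1; then
        head -c 6 /dev/urandom | od -An -v -tx1 | tr -d ' \n'
    else
        head -c 6 /dev/urandom | hexdump -v -e '1/1 "%02x"'
    fi
}

# Format 12 hex digits as a MAC address, forcing the first octet to be
# unicast (bit 0 clear) and locally administered (bit 1 set) so the value
# cannot collide with a vendor-assigned address.
laa_mac_from_hex() {
    lm_first=$(printf '%s' "$1" | cut -c1-2)
    lm_rest=$(printf '%s' "$1" | cut -c3-12 | sed 's/../:&/g')
    lm_first=$(( (0x$lm_first & 0xfc) | 0x02 ))
    printf '%02x%s\n' "$lm_first" "$lm_rest"
}

# Succeeds only for a lowercase, colon-separated, locally administered
# unicast MAC (second hex digit of the first octet is 2, 6, a or e).
is_laa_unicast() {
    case "$1" in
        [0-9a-f][26ae]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]) return 0 ;;
        *) return 1 ;;
    esac
}

# Rotate the BSSID if, and only if, nobody is connected right now.
rotate_bssid() {
    rb_if=$1        # AP interface, e.g. wlan0 (assumption)
    rb_section=$2   # uci section, e.g. wireless.@wifi-iface[0] (assumption)

    rb_n=$(iw dev "$rb_if" station dump | station_count)
    if [ "$rb_n" -gt 0 ]; then
        echo "skip: $rb_n station(s) associated on $rb_if" >&2
        return 1
    fi

    rb_mac=$(laa_mac_from_hex "$(rand_hex)")
    is_laa_unicast "$rb_mac" || { echo "bad MAC generated: $rb_mac" >&2; return 1; }

    uci set "${rb_section}.macaddr=${rb_mac}"
    uci commit wireless
    wifi reload
    logger -t bssid-rotate "new BSSID $rb_mac on $rb_if"
}

# Only touch the radio when asked to, so the file can be sourced or tested
# on a machine that has no iw/uci.
if [ "${1:-}" = "--apply" ]; then
    rotate_bssid "${2:-wlan0}" "${3:-wireless.@wifi-iface[0]}"
fi
```

Run it from cron with `--apply`; with no argument it only defines the functions. The SSID is left unchanged, so as doublelayer points out this mainly helps access points that move.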
-
Friday 24th May 2024 16:20 GMT Roland6
Re: Bit confused
> This logic suggests if I disable SSID broadcasts (hidden)…
Trouble is we have been here before: disabling SSID broadcast on the AP means it has to be enabled on the client, making it much easier to compromise client systems. Also your AP is only hidden whilst it is not communicating with a client device… (there were plenty of papers and tools available in the early 2000’s which exploded the myth surrounding the security it provided).
Changing the BSSID is also potentially a connection problem, as many client devices store the SSID and BSSID pair and will ask the user for confirmation of connection if a different BSSID is discovered.
However, as Wigle.net and WhatThreeWords confirm, a relatively small number of SSIDs is necessary to get a reasonable geolocation, and given how many people use the ISP provided router with its probably unique SSID, that number is potentially one. Interestingly, many of the rules developed back in the early 2000’s about what constitutes a secure SSID still apply. Hence dynamic BSSID isn’t really a solution and dynamic SSID is probably only a solution to those who can embed something like an RSA SecurID in all their clients so the client will only attempt to connect to SSID 443853 if the associated BSSID had immediately previously broadcast SSID 905595. I.e. we are moving into military levels of security.
Basically, if you want security and a network connection then the only solution is to turn off your mobile device’s WiFi and plug in an adaptor that permits the use of fixed line Ethernet, which has been the case with WiFi right from the outset…
-
-
-
Thursday 23rd May 2024 21:48 GMT 142
If it's a statically located router, this issue is essentially spurious. Basically it allows someone to say "oh, there is a wifi access point in this house", and absolutely nothing else.
It's only an issue when the access point moves e.g. for travel routers, or for people who have relocated to be in hiding, etc.
-
Thursday 23rd May 2024 14:04 GMT Guy de Loimbard
Please, harvest some more from me......
Interesting study and something that I wasn't aware of.
I doff my cap to the learned studious types who have identified this.
There appears to be no end of "features" being revealed in a myriad of home and personal network devices that, as far as I'm concerned, are going way past what the average person would consider acceptable.
IMHO the use of hardware that you and I have spent our cash on to turn the globe into a technical playground for tech companies is really taking the biscuit or tin at the moment!
Why do the various manufacturers require all this geo location information? (Rhetorical question!)
-
Thursday 23rd May 2024 18:09 GMT Blazde
Re: Please, harvest some more from me......
Why do the various manufacturers require all this geo location information? (Rhetorical question!)
The latest thing is selling it to the DOOH industry
https://www.clearchannel.co.uk/faqs-1
What is Clear Channel RADAR®?
RADAR is a suite of tools that’s proprietary to Clear Channel and uses aggregated, anonymised mobile location data to better understand the audience groups that are passing by our advertising sites.
..
Where does the data come from?
In the UK, the mobile location data which is used to generate the audience profile insights in RADARView® currently comes from AdSquare, a carefully vetted third-party data provider and an established leader in location technology. They aggregate and anonymise data from mobile devices of consenting individuals, representing approx. 10% of UK population, prior to sharing the data with us.
10%? Geez... I assume their use of the word 'consenting' is as loose as possible here.
New jollies: Hang out by a busy digital billboard. Whenever someone passing by glances at it and it changes to something mildly embarrassing point and laugh. Plot twist: It won't stop showing my browsing history
-
Thursday 23rd May 2024 21:43 GMT gnasher729
Re: Please, harvest some more from me......
You are confusing detecting the location of a Wifi router with detecting phones that come close to an advertising point. Let’s just mention that in the second case there is no need to get location data, because the phone is at the known location of the advertiser. (And iPhones cannot be identified because they use a random Id that changes all the time. )
-
Friday 24th May 2024 00:14 GMT Blazde
Re: Please, harvest some more from me......
Am I? They're getting mobile location data. Mobile location data which comes, in part, from locating the phone relative to Wi-Fi APs which in turn are located relative to each other and to phones using GPS.
My quip about it being live was throw-away but AdSquare do offer 'Real-Time Footfall Measurement' (whatever that means) as part of their location data feed. They also tell you whether phones exposed to ads subsequently visit stores (statistically or actually I'm not sure). Again, they use location data for that.
To turn your point around: There's no need to 'detect phones that come close to an advertising point' when you have the phone feeding you location data whether it's near an advertising point or not.
-
-
-
Thursday 23rd May 2024 18:36 GMT IceC0ld
Re: Please, harvest some more from me......
> Why do the various manufacturers require all this geo location information? (Rhetorical question!)
I am more concerned to think that they have deliberately built this ability into the device, it COULD be 'ghosts in the machine' but I seriously think they are just out to see just how far they can push boundaries before they get pulled back, although, from previous experiences, even when they ARE caught, and 'forced' to rein it in, the fines slapped on them are pitiful, massive to the man in the street, a few minutes of profit to these grubby types :o(
-
Friday 24th May 2024 00:05 GMT IceC0ld
Re: Please, harvest some more from me......
the more I think about it, the more it annoys me now
someone HAD to have had input when they were designing the beast, to add it in to do what it does, it cannot just happen, the real question, therefore, is why ? and as a quick stab at that answer, I will suppose MONEY to be in there, quite high in the tree, if not actually the main reason :o(
-
Thursday 23rd May 2024 20:36 GMT DS999
Re: Please, harvest some more from me......
Why do the various manufacturers require all this geo location information?
Well you can make up your nefarious reasons, but the non-nefarious reason is because GPS doesn't work indoors or when blocked by buildings, trees, etc. So if you want location information to be properly updated, you need to have other sources to locate yourself when GPS is unavailable. GPS is also more power hungry, but I suspect the first reason is more important than that factor.
-
Saturday 25th May 2024 19:18 GMT gnasher729
Re: Please, harvest some more from me......
“ Why do the various manufacturers require all this geo location information? (Rhetorical question!)”
So that your phone can tell you where you are, especially in a built-up area where GPS has problems working. Go to London. Lots of tall buildings that stop GPS from working (you need line-of-sight to three satellites, and tall buildings create reflections that make things worse). At the same time, you detect lots of WiFi networks and get their locations and calculate your own location from that.
-
-
Thursday 23rd May 2024 17:51 GMT gnasher729
The reason for providing a large list of locations: It means that my iPhone can travel some distance without asking for information again. I go on holiday in a small seaside town. First request I get all locations around me. Until I leave the area completely, the phone can just listen passively and nobody can figure out my movements in that town.
-
-
Thursday 23rd May 2024 21:37 GMT W.S.Gosset
>Might as well start claiming that it's a security risk that when my neighbours open a list of WiFi networks they can see that I have one as well!
That is, in fact, precisely correct, is precisely the case. It IS a security/privacy risk.
And so the option of controlling/eliminating that risk is explicitly factored into the standard protocol. If you are sensitive to this risk (most people aren't, or deem negative the cost/benefit of controlling it) you simply toggle OFF the Broadcast option for your SSID.
The point of this article is that, for this new capability, this risk-control option has NOT been provided by Apple.
-
-
Saturday 25th May 2024 05:09 GMT W.S.Gosset
>You seem to be confused. You blame Apple that they dont let you disable a brand new feature
You seem to be confused. Competitors let you disable this "brand new feature" 13 YEARS AGO.
Live in PROD in 2011 :- https://googleblog.blogspot.com/2011/11/greater-choice-for-wireless-access.html
Announced as DEV 2 months earlier in response to requests from "several data protection agencies" in Europe :- https://europe.googleblog.com/2011/09/new-option-for-location-based-services.html
-
Saturday 25th May 2024 19:10 GMT gnasher729
You seem to have lost the plot completely now. Apple doesn’t allow you to disable a feature in your non-Apple router that Apple cannot control whatsoever. There’s nothing that apple can allow or disallow because it’s not their router.
BTW. If everyone disables it the result is that all phones will find it a lot harder to tell you where you are, especially in built-up areas.
-
Wednesday 29th May 2024 12:25 GMT Roland6
Firstly, the only feature a router currently has is the ability to hide or make public the SSID. I don’t know if Apple’s AirPort (withdrawn in 2015) supports this or not.
However, as @W.S.Gosset references, the _NoMap prefix to the SSID promoted by Google (and the _OptOut SSID substring implemented by Microsoft) requires no special functionality in the router, just the ability to change the SSID.
It is Apple’s choice whether its WPS supports the Google initiative or, like Microsoft, do their own thing (although it seems MS have fallen into line with Google, although there is some uncertainty over whether _OptOut is still used on some other aspects of MS’s location services).
There is an unspoken part of this debate, namely where the _NoMap request is processed, currently it seems it is only actioned by the central WPS service and not by the client SSID/BSSID collector. Hence regardless of this setting, the SSID is always uploaded.
Likewise it is Apple’s choice how it distributes the WPS data to its service users.
-
-
-
-
Wednesday 29th May 2024 10:57 GMT Roland6
> I would contend that the risk control is most appropriately provided by the people responsible for the broadcasting
Depends on your definition of “broadcasting”…
With respect to WPS, it is Apple doing the broadcasting:
An Apple device is collecting a BSSID and forwarding the details to their WPS, which by the way it responds to requests broadcasts the location details to anyone who cares to ask.
Yes, an AP owner can add “_NoMap” (and “_OptOut”) to the SSID; assuming it doesn’t cause the SSID to go over the 32 character limit, and then reconnect all their devices to the new SSID. However, that does not prevent the SSID and BSSID from being collected and forwarded to WPS services. The evidence is that such services maintain a DB of such APs, but don’t rebroadcast the BSSID etc.
In some respects the issue of BSSIDs and WPS has parallels with aircraft location and flight tracking app’s; remember owners of private jets, such as Musk, dislike these services…
So yes, the “risk control” is best addressed by not having a WiFi AP…
-
-
-
Friday 24th May 2024 16:36 GMT Roland6
>” If you are sensitive to this risk … you simply toggle OFF the Broadcast option for your SSID.”
ROFL
Turning off SSID as some form of security was totally discredited 20 years back! The laugh back then was that people also thought DES was secure. So a man-in-the-middle attack on clients of networks that used hidden SSIDs and/or DES was trivial…
The laugh now is how many (and this includes “security experts”) who still think an AP not broadcasting the SSID is some form of security.
-
Saturday 25th May 2024 05:33 GMT W.S.Gosset
Roland6 & razorfishsl:
Neither of you seem aware of how wifi works. More importantly, both of you are flipping the context into something utterly divorced from that being discussed in the article or the comments.
razorfishsl: "Hiding" your SSID creates no additional security risk.
Both of you: have rotated the topic from APs not being passively scanned and included in WPS to be picked up by later data-grovellers, to security of the client against ACTIVE and sophisticated and hardware(usually)-prepared antagonists, specifically MitM attacks. These attacks are agnostic to SSID broadcast, something neither of you seem to realise. They pick the SSID out of the client's initial Probe frame. That occurs whether the AP broadcasts SSID or not (although, if it does, certainly an easy MitM attack would simply spoof ALL of them). If the client can pluck a known SSID out of the AP's beacon then it will send just the one probe; otherwise they typically blurt all their known SSIDs on broadcast until they get a hit. (If you are being personally targeted then obscurity is no defence. But it can prevent attracting attention from random idiots/opportunistic fraudsters.)
Regardless, what I said is correct for the actual topic. It is not "perfect" security, but it reduces the attack surface for the actual exposure being discussed. As such, it's a candidate mitigation.
-
Wednesday 29th May 2024 11:25 GMT Roland6
Totally aware, just noting turning off AP SSID broadcast has ramifications, specifically increases the insecurity of client devices…
> "Hiding" your SSID creates no additional security risk.
Not according to the CLAS security briefing note on setting up a secure WiFi network…
Remember with hidden SSIDs the client has to beacon to get a hidden AP to reveal itself, making drive by MitM attacks so much easier, ie. They can be performed wherever the client device may be.
With broadcast/public APs, clients only reveal themselves when in the presence of the AP, making a drive by client attack more difficult.
Also as you note, hidden SSIDs aren’t really hidden, with the AP at times broadcasting the hidden SSID, and if the AP is also being used for non hidden SSIDs… A question is whether the BSSID collector makes any distinction between hidden and public SSIDs, from what has been written I suspect not; an Apple device once it knows of a hidden SSID, will simply upload the BSSID etc. …
> As such, it's a candidate mitigation.
Yes, but not without a downside… From the work I’ve done I would suggest it’s more of a comfort blanket than a security feature.
-
-
-
Saturday 25th May 2024 19:06 GMT gnasher729
Maybe I should shoot the postman who knows which house belongs to my postal address, and delivers my mail and goods to me, breaching my privacy rights?
What this does is figuring out that _my_ WiFi router is located at _my_ home. These clever guys figured out that if my house burnt down including the router then the router would stop transmitting data. Who would have thought that. Yes, that’s a total privacy risk.
-
-
Friday 24th May 2024 14:01 GMT Colin Miller
If a stalker knows their ex's access point's BSSID, then they might be able to find out where it is, by sending a location request with (for example) FF:FF:FF:00:11:22 at 10%. If it returns an approximate location, then they can stalk the area (G's result). A's result appears to be the exact location of the access point.
I hope both services will check what other access points should be visible, and if the request doesn't include any of them, then they will reject the request
-
Friday 24th May 2024 17:35 GMT John Brown (no body)
"Since when was the physical location of a radio beacon considered "private sensitive confidential nobody can know this" information?"
As with so many areas of "big data", when it stopped being something someone with a receiver could make note of and changed to $Big_Corp collecting, collating and geolocating every single AP they can crowd source from millions of users all over the world. It's not the act that may be wrong, morally or otherwise, it's the scale of it and how that data is then further used in linking to other large datasets.
It's quite a difficult issue to resolve and it's been an ongoing issue ever since The Great Data Slurp started :-)
Think, for example, of the Right To Be Forgotten laws in some jurisdictions. There was no need for that pre-Internet and data going online because in most cases it took some serious legwork and physical travelling to find out information about people, visiting records offices, newspaper archives, libraries and the like. If you needed to be "forgotten", you could just move to another town and start over. When you can find and track someone and all their past deeds or mis-deeds with the click of a button, it suddenly becomes very cheap and easy to do to just about anyone, not just someone "of value", hence the sticking plaster "Right To Be Forgotten" laws.
-
-
Friday 24th May 2024 09:33 GMT Anonymous Coward
This is not new.... and there are actually strings you can add to your WIFI point to exclude it from the database.
It goes back to 2011, when Google was busted for grabbing SSID's
Also be aware of MS new AUTHENTICATOR app., that they are trying to stuff down everyone's throat.
It also has location tracking and can report back to MS every few minutes of where the device is, who else is near the device && any SSID's for wifi.
This data is supposed to be available as a paid service for the company the devices are attached to.
We received notification from MS that in the next 2 weeks, their authenticator will become the DEFAULT system for logging into 365.
All other 2fa authenticators WILL NOT be accepted.
-
Thursday 30th May 2024 23:20 GMT Ethan Strongtower
Randomization of mobile phone hotspot BSSIDs
According to this article by Brian Krebs (https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/):
'The researchers said Wi-Fi access points that can be created using a mobile device’s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.
“Modern Android and iOS devices will choose a random BSSID when you go into hotspot mode,” he said. “Hotspots are already implementing the strongest recommendations for privacy protections. It’s other types of devices that don’t do that.”'
-
Wednesday 10th July 2024 13:49 GMT Ambivalous Crowboard
FYI, GL.iNet are releasing randomised BSSID
I've just had a firmware update advertised to me for version 4.6.2 (preview) and one of the features is you can turn on randomised BSSID to prevent tracking.
https://blog.gl-inet.com/preventive-actions-to-safeguard-glinet-users-from-bssid-based-location-tracking/