Apple's Wi-Fi Positioning System

A recent study by security researchers has revealed a major privacy vulnerability in Apple’s Wi-Fi Positioning System (WPS) that allows hackers to track the locations of Wi-Fi access points and their owners globally.

Researchers from the University of Maryland published their findings, which reveal that an unprivileged attacker can exploit Apple’s crowdsourced location tracking system to amass a worldwide database of Wi-Fi access point locations and track devices’ movements over time.

Apple’s WPS relies on the company’s vast network of iPhones, iPads, and MacBooks to collect the geolocation of Wi-Fi access points based on their unique Basic Service Set Identifier (BSSID).

When an Apple device uses GPS to determine its location, it periodically reports nearby Wi-Fi BSSIDs and their GPS coordinates to Apple’s servers. This allows other Apple devices to query the WPS with visible BSSIDs to estimate their location, even without GPS connectivity.

The researchers found that Apple’s WPS can be abused by repeatedly querying the service with BSSIDs derived from the IEEE’s public database of Organizationally Unique Identifiers (OUIs) assigned to device manufacturers.

Researchers said that by systematically scanning the allocated OUI space, an attacker with no prior knowledge can quickly discover the location of millions of Wi-Fi access points worldwide.

Shockingly, the WPS will return the location of the queried BSSID and the coordinates of up to 400 nearby access points.

Over a year, the research team collected the precise locations of over 2 billion BSSIDs on every continent.

The privacy implications are profound, as this data can be analyzed over time to track devices’ movements as they connect to different Wi-Fi networks.

While most access points remain stationary, many devices like travel routers are designed to be mobile, allowing an attacker to trace their owner’s location history.

The attack exploits the fact that MAC addresses are allocated to device manufacturers in contiguous blocks.

By generating random MAC addresses within those assigned blocks and querying Apple’s WPS, the attacker can quickly discover Wi-Fi access points worldwide without prior knowledge.

Furthermore, for each valid query, the WPS returns the location of that access point and the locations of up to 400 nearby access points.

While most Wi-Fi routers remain stationary, many mobile hotspot devices, such as travel routers, move with their owners. By tracking the locations of these devices over time, an attacker can infer individuals’ movements.

The researchers demonstrated the real-world impact through several case studies:

  • Tracking troop and refugee movements in and out of war zones in Ukraine and Gaza
  • Monitoring the aftermath of natural disasters like the Maui wildfires
  • Identifying Starlink satellite internet terminals used by the Ukrainian military

The researchers responsibly disclosed the vulnerability to Apple, router manufacturers, and other stakeholders. In response, Apple has provided a way for Wi-Fi access point owners to opt out of having their devices’ locations tracked by appending “_nomap” to the SSID.

Some manufacturers, like SpaceX, have also begun deploying firmware updates to randomize device MAC addresses.

However, the researchers argue that the most effective mitigation would be for all Wi-Fi access points to randomize their MAC addresses regularly, as modern mobile devices do, to prevent tracking.

They also recommend that WPS operators restrict access to their APIs and that governments consider regulating the use of WPS data.
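For an access point owner, the two device-side mitigations above (the “_nomap” SSID suffix and a BSSID outside the manufacturer-assigned blocks) can be checked across an inventory. The following is an added example, not code from the researchers or from Apple; the inventory, function names and status labels are constructed for illustration, and it assumes that a randomized BSSID sets the IEEE locally administered bit.

```python
import re

# Constructed sample inventory of (SSID, BSSID) pairs; not data from the study.
SAMPLE_INVENTORY = [
    ("HomeNet", "00:11:22:33:44:55"),
    ("HomeNet_nomap", "00-11-22-33-44-56"),
    ("TravelRouter", "0a:11:22:33:44:57"),
    ("Cabin_nomap", "D2:11:22:33:44:58"),
    ("Broken", "00:11:22:33:44"),
]

NOMAP_SUFFIX = "_nomap"  # opt-out suffix named in the article


def parse_bssid(text):
    """Return the BSSID as 6 bytes, or None if it is not a 48-bit MAC."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    return bytes.fromhex(digits)


def audit_ap(ssid, bssid_text):
    """Classify one access point's exposure to OUI-space enumeration."""
    mac = parse_bssid(bssid_text)
    if mac is None:
        return {"ssid": ssid, "status": "invalid-bssid"}
    opted_out = ssid.endswith(NOMAP_SUFFIX)
    # Bit 0x02 of the first octet is the IEEE universal/local (U/L) bit.
    # Assumption: a randomized BSSID sets it, which places the address
    # outside the contiguous manufacturer-assigned OUI blocks.
    local = bool(mac[0] & 0x02)
    if opted_out and local:
        status = "ok"
    elif opted_out:
        status = "opted-out-static-bssid"
    elif local:
        status = "random-bssid-no-optout"
    else:
        status = "exposed"
    oui = ":".join(f"{b:02x}" for b in mac[:3])
    return {"ssid": ssid, "oui": oui, "opted_out": opted_out,
            "locally_administered": local, "status": status}


def audit(inventory):
    """Audit every (SSID, BSSID) pair and return one result per entry."""
    return [audit_ap(ssid, bssid) for ssid, bssid in inventory]
```

The U/L bit only shows that an address lies outside IEEE-assigned space; it does not show that the address actually rotates, so confirm the rotation interval in the device's firmware settings.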

The discovery of this vulnerability emphasizes the often overlooked privacy risks posed by geolocation services that piggyback on widespread Wi-Fi usage.

It also underscores the need for improved privacy protections in the next generation of wireless standards and internet-connected devices.

As more of our infrastructure becomes connected, it will be crucial to identify and mitigate these types of privacy blind spots proactively.

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.