Charlie
2024-05-28 06:37:49 UTC
Surveillance Risk: Apple's WiFi-Based Positioning System
<https://www.govinfosecurity.com/surveillance-risk-apples-wifi-based-positioning-system-a-25330>
The attack risk stems from Apple's WiFi-based Positioning System, or WPS,
which offers an API to which any device or service, Apple-made or
otherwise, can submit one or more Basic Service Set Identifiers, together
with their signal strength.
A BSSID is a number - oftentimes unique - that serves as a WiFi access
point's MAC address. By cataloging these BSSIDs and their location, WPSes
offered by the likes of Apple and Google help other devices triangulate
their location without using power-hungry global positioning system
capabilities.
Two University of Maryland researchers report that the problem with Apple's
WPS, which anyone or anything can query for free, is that it offers overly
verbose responses that can potentially be abused by remote attackers to
track any device with a BSSID, anywhere across the globe. While Google's
WPS returns a single BSSID in response to a query, Apple's returns a list
of up to 400.
The researchers' proof-of-concept attack used fabricated queries to trick
Apple's WPS into giving it extensive information about the BSSIDs it
stored.
"Applying this technique over the course of a year, we learned the precise
locations of over 2 billion BSSIDs around the world," said the report's
co-authors, Erik Rye, a University of Maryland Ph.D. student focused on
network security and privacy, and Dave Levin, a computer science professor
at the university.
The researchers said they didn't study WPSes offered by others, including
Google, although they noted that Google's is less susceptible to this attack,
because it requires all users to authenticate to its WPS API, and charges
them for queries, although the fee is nominal for a small volume of
requests.
By contrast, "Apple's API opportunistically returns the geolocations of up
to several hundred more BSSIDs nearby the one requested," they said. "These
unrequested BSSID geolocations are presumably then cached by the client,
which no longer needs to request the locations of the nearby BSSIDs it may
soon encounter, e.g., as the user walks down a city street."
While that's the legitimate use case, attackers can turn such functionality
to malicious ends.
"We demonstrated that this attack could be applied to individual users,
such as travel router owners, as they move from location to location. We
also showed that WPSes could be used to find sensitive equipment, like
Starlink routers in Ukraine," the researchers said.
They shared their results in advance of publication with Apple and Google,
as well as two of the router manufacturers whose users are most at risk
from the attack: SpaceX's Starlink, and Hong Kong-based GL.iNet.
Via their attack, the researchers said they could track live movements of
devices connected to Starlink, locating military members and civilians in
Ukraine and Gaza. They could also track devices as they moved around the
world.
"The ability to track users via their access points over time using Apple's
WPS is a severe privacy vulnerability," said report co-author Erik Rye,
who's a network security researcher at the University of Maryland. "Anyone,
not just a privileged adversary like a nation-state, could execute the
attack," which could be used not just for location tracking by governments
but also for stalking or even advertising purposes.
One country underrepresented in researchers' data set was China. They
hypothesized that this black hole is likely due to Chinese laws prohibiting
the domestic collection or sharing of BSSIDs. While they did count a few
thousand BSSIDs in China, they said this likely traced to "tourists or
foreigners" using devices that cataloged the BSSIDs around them.
What can be done to block this BSSID-cataloging and tracking attack? The
researchers point to four strategies: WPS service operators limiting
access to their APIs, governments passing legislation prohibiting
individuals' devices being used for geolocation purposes, users not taking
their travel modems with them at all, or best of all, having devices
randomize their BSSID on reboot or whenever they get moved.
Multiple vendors have begun making changes in response to the research.
While Apple did not immediately respond to a request for comment, the
company in March added the ability for access point operators to opt out of
its gathering of
crowdsourced location data, in line with what Google since 2016 already
offered for its WPS.
"The owner of a Wi-Fi access point can opt it out of Apple's Location
Services - which prevents its location from being sent to Apple to include
in Apple's crowd-sourced location database - by changing the access point's
SSID (name) to end with '_nomap,'" Apple said. "For example, 'Access_Point'
would be changed to 'Access_Point_nomap.'"
"We're also told that they have a couple of other remediations that are due
to be in place soon," Rye said.
Starlink responded by pushing updates to its routers to stop using static
BSSIDs and to start randomizing them instead. The researchers said that
while this update process, started in 2023, appears to still be underway,
"we hope that other router manufacturers will follow their example in the
near future, and that BSSID randomization will become the norm rather than
the exception."
While GL.iNet's product security team said they plan to randomize their
routers' MAC addresses, they aren't planning to do the same with their
products' BSSIDs, the researchers reported.
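The two defensive measures the article describes, the `_nomap` SSID opt-out and BSSID randomization, as an added example that is not part of the original post or the researchers' work. The inventory of access points is constructed sample data; the 32-octet SSID limit comes from 802.11, and the locally administered bit (0x02 in the first octet) is the standard way to mark a non-burned-in MAC.

```python
import secrets

SSID_MAX_OCTETS = 32        # 802.11 SSID element length limit
OPT_OUT_SUFFIX = "_nomap"   # suffix honoured by Apple's and Google's WPS crowdsourcing


def random_bssid() -> str:
    """Return a randomised, locally administered unicast MAC: the mitigation the
    researchers recommend, a fresh BSSID on every reboot or move."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE   # set local bit, clear multicast bit
    return ":".join(f"{b:02x}" for b in octets)


def is_locally_administered(bssid: str) -> bool:
    """True if the U/L bit of the first octet is set, i.e. the BSSID is not a
    burned-in, globally unique address that a WPS can catalogue over time."""
    first = int(bssid.split(":")[0], 16)
    return bool(first & 0x02)


def opted_out(ssid: str) -> bool:
    """True if the SSID carries the crowdsourcing opt-out suffix."""
    return ssid.endswith(OPT_OUT_SUFFIX)


def with_opt_out(ssid: str) -> str:
    """Append _nomap, trimming the base name so the SSID stays within 32 octets
    (UTF-8 byte length counts, not character count)."""
    if opted_out(ssid):
        return ssid
    budget = SSID_MAX_OCTETS - len(OPT_OUT_SUFFIX.encode("utf-8"))
    # 'ignore' drops a partial multi-byte character left by the byte cut
    base = ssid.encode("utf-8")[:budget].decode("utf-8", errors="ignore")
    return base + OPT_OUT_SUFFIX


# Constructed inventory for illustration, not data from the article.
SAMPLE_INVENTORY = [
    ("Office_Main", "00:11:22:33:44:55"),   # static global BSSID, no opt-out
    ("Guest_nomap", "00:11:22:33:44:66"),   # static BSSID but opted out
    ("Travel", "02:aa:bb:cc:dd:ee"),        # locally administered (randomised)
]


def exposed_access_points(inventory):
    """Return (ssid, bssid) pairs that are both catalogue-able (static, globally
    unique BSSID) and not opted out: the ones a WPS-based tracker could follow."""
    return [(s, b) for s, b in inventory
            if not is_locally_administered(b) and not opted_out(s)]
```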