A key element of Apple’s location services contains a serious privacy vulnerability that allows Starlink to track the movements of a war zone. The vulnerability also allows an attacker to determine the location of anyone with a mobile Wi-Fi router.
How Wi-Fi positioning works
How do Apple devices determine their location? GPS is the primary technology used, but it’s not the only one. In cities, for example, tall buildings can make it difficult to receive signals from GPS satellites. Another key method used by mobile devices is known as Wi-Fi positioning systems (WPS).
WPS uses a global database of nearly 500 million Wi-Fi routers. Importantly, it is not only public devices that they can access, but also all BSSIDs (set by manufacturers) that they can see. This applies, for example, to commonly distributed Wi-Fi routers. Devices do not access the router, but they can detect it and consult the database to find out where it is located.
Apple and Google maintain their own WPS databases. The method they use is essentially the same: detecting a nearby BSSID, measuring the strength of each signal, and comparing the results to the WPS database to determine where the mobile device is located.
However, there is a significant difference between how Apple and Google devices perform this task – and that’s where the privacy issue comes in.
Apple Location Services vulnerability
The Android phone records the BSSIDs it can see and the signal strength, and sends this data to a Google server. The server uses the WPS database to calculate the location and send it to the phone.
But researchers at the University of Maryland found that Apple devices use a different approach. Apple’s WPS also accepts a list of nearby BSSIDs, but instead of calculating the device’s location based on a set of observed access points and the strength of the received signal, and then reporting this result to the user.
- The Apple API returns geolocation to more than 400,000 BSSIDs that are nearby.
Approximately eight of these BSSIDs are then used to determine the user’s location based on known landmarks.
In essence, Google’s WPS calculates the user’s location and transmits it to the device. Apple’s WPS provides its devices with enough data about the location of known access points in the area that the devices can make this estimate on their own. Data processing on the device is one of Apple’s «features».
- The researchers claim that they can use Apple’s API data stream to map the movements of individual devices to and from virtually any specific area of the world. They spent a month at the beginning of their study continuously querying the API for the location of over a billion randomly generated BSSIDs.
They learned that while only about three million of these randomly generated BSSIDs were known to Apple’s Wi-Fi geolocation API, Apple brought back an additional 488 million BSSIDs already stored in the WPS database from other searches.
- The result was that the researchers were actually able to «steal» Apple’s WPS database.
By studying location data from Apple WPS for the year from November 2022 to November 23, the researchers gained a nearly global view of the location of more than 2 billion Wi-Fi access points.
Spelling error report
The following text will be sent to our editors: