Hackers Can Exploit Apple’s Wi-Fi Positioning System

A recent study by University of Maryland security researchers revealed a major privacy vulnerability in Apple’s Wi-Fi Positioning System (WPS). This flaw allows hackers to globally track Wi-Fi access points and their owners. The findings show that an unprivileged attacker can exploit Apple’s crowdsourced location system to build a worldwide database of Wi-Fi access point locations and monitor device movements over time.

Apple’s WPS uses its extensive network of iPhones, iPads, and MacBooks to gather Wi-Fi access points’ geolocation based on their unique Basic Service Set Identifier (BSSID).

When an Apple device uses GPS, it periodically sends nearby Wi-Fi BSSIDs and their GPS coordinates to Apple’s servers. This enables other Apple devices to query the WPS with visible BSSIDs to estimate their location, even without GPS connectivity.

The researchers found that Apple’s WPS can be exploited by repeatedly querying the service with BSSIDs derived from the IEEE’s public database of Organizationally Unique Identifiers (OUIs) assigned to device manufacturers.

By systematically scanning the allocated OUI space, an attacker with no prior knowledge can quickly locate millions of Wi-Fi access points worldwide. Shockingly, the WPS returns the location of the queried BSSID and the coordinates of up to 400 nearby access points.

Over the course of a year, the research team gathered the precise locations of over 2 billion BSSIDs across every continent.

The privacy implications are profound, as this data can track device movements over time by analyzing their connections to different Wi-Fi networks.

While most access points are stationary, mobile devices like travel routers allow attackers to trace their owner’s location history. The attack leverages MAC addresses allocated to manufacturers in contiguous blocks.

By generating random MAC addresses within those blocks and querying Apple’s WPS, attackers can quickly locate Wi-Fi access points worldwide. Each valid query returns the access point’s location and up to 400 nearby access points.

While most Wi-Fi routers are stationary, mobile hotspots like travel routers move with their owners. By tracking these devices, attackers can infer individuals’ movements.

Researchers demonstrated real-world impacts:

Tracking troop and refugee movements in Ukraine and Gaza
Monitoring the aftermath of natural disasters like the Maui wildfires
Identifying Starlink terminals used by the Ukrainian military

They disclosed the vulnerability to Apple, router manufacturers, and other stakeholders. Apple responded by allowing Wi-Fi access point owners to opt out by appending “_nomap” to the SSID.

Some manufacturers, like SpaceX, are deploying firmware updates to randomize device MAC addresses.

However, researchers suggest that all Wi-Fi access points should regularly randomize their MAC addresses to prevent tracking. They also recommend that WPS operators restrict API access and that governments regulate WPS data use.

This vulnerability highlights the privacy risks of geolocation services using widespread Wi-Fi and underscores the need for better privacy protections in future wireless standards and connected devices. As our infrastructure becomes more connected, it’s crucial to proactively address these privacy blind spots.