Surveillance Risk: Apple’s WiFi-Based Positioning System – Source: www.databreachtoday.com

Governance & Risk Management
,
Patch Management
,
Privacy

Starlink Routers in Ukraine and Gaza Trackable via Apple WPS, Researchers Warn

Akshaya Asokan (asokan_akshaya) ,
Mathew J. Schwartz (euroinfosec) •
May 27, 2024    

Apple’s WiFi-based positioning system can be abused to track the live location of device owners across the globe, including in war zones, researchers warn. Until Apple puts in place more defenses, they say the system will continue to pose a “large-scale privacy threat” and safety risk, facilitating mass surveillance – and not just for Apple device users.

See Also: Finding and Managing the Risk in your IT Estate: A Comprehensive Overview

The attack risk stems from Apple’s WiFi-based Positioning System, or WPS, which offers an API to which any device or service, Apple-made or otherwise, can submit one or more Basic Service Set Identifiers, together with their signal strength. A BSSID is a number – oftentimes unique – that serves as a WiFi access point’s MAC address. By cataloging these BSSIDs and their location, WPSes offered by the likes of Apple and Google help other devices triangulate their location without using power-hungry global positioning system capabilities.

Two University of Maryland researchers report that problem with Apple’s WPS, which anyone or thing can query for free, is that it offers overly verbose responses that can potentially be abused by remote attackers to track any device with a BSSID, anywhere across the globe. While Google’s WPS returns a single BSSID in response to a query, Apple’s returns a list of up to 400.

The researchers’ proof-of-concept attack used fabricated queries to trick Apple’s WPS into giving it extensive information about the BSSIDs it stored.

“Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world,” said the report’s co-authors, Erik Rye, a University of Maryland Ph.D. student focused on network security and privacy, and Dave Levin, a computer science professor at the university.

The researchers said they didn’t study WPSes offered by others, including Google, although noted that Google’s is less susceptible to this attack, because it requires all users to authenticate to its WPS API, and charges them for queries, although the fee is nominal for a small volume of requests.

By contrast, “Apple’s API opportunistically returns the geolocations of up to several hundred more BSSIDs nearby the one requested,” they said. “These unrequested BSSID geolocations are presumably then cached by the client, which no longer needs to request the locations of the nearby BSSIDs it may soon encounter, e.g., as the user walks down a city street.”

While that’s the legitimate use case, attackers can turn such functionality to malicious ends.

“We demonstrated that this attack could be applied to individual users, such as travel router owners, as they move from location to location. We also showed that WPSes could be used to find sensitive equipment, like Starlink routers in Ukraine,” the researchers said.

They shared their results in advance of publication with Apple and Google, as well as two of the router manufacturers whose users are most at risk from the attack: SpaceX’s Starlink, and Hong Kong-based GL.iNet.

Via their attack, the researchers said they could track live movements of devices connected to Starlink, locating military members and civilians in Ukraine and Gaza. They could also track devices as they moved around the world.

“The ability to track users via their access points over time using Apple’s WPS is a severe privacy vulnerability,” said report co-author Erik Rye, who’s a network security researcher at the University of Maryland. “Anyone, not just a privileged adversary like a nation-state, could execute the attack,” which could be used not just for location tracking by governments but also for stalking or even advertising purposes.

One country underrepresented in researchers’ data set was China. They hypothesized that this black hole is likely due to Chinese laws prohibiting the domestic collection or sharing BSSIDs. While they did count a few thousand BSSIDs in China, they said this likely traced to “tourists or foreigners” using devices that cataloged the BSSIDs around them.

What can be done to block this BSSID-cataloging and tracking attack? The researchers points to four strategies: WPS service operators limiting access to their APIs, governments passing legislation prohibiting individuals’ devices being used for geolocation purposes, users not taking their travel modems with them at all, or best of all, having devices randomize their BSSID on reboot or whenever they get moved.

Multiple vendors have begun making changes in response to the research. While Apple did not immediately respond to a request for comment, the company in March

added the ability for access point operators to opt out of its gathering of crowdsourced location data, in line with what Google since 2016 already offered for its WPS.

“The owner of a Wi-Fi access point can opt it out of Apple’s Location Services – which prevents its location from being sent to Apple to include in Apple’s crowd-sourced location database – by changing the access point’s SSID (name) to end with ‘_nomap,'” Apple said. “For example, ‘Access_Point’ would be changed to ‘Access_Point_nomap.'”

“We’re also told that they have a couple of other remediations that are due to be in place soon,” Rye said.

Starlink responded by pushing updates to its routers to stop using static BSSIDs and to start randomizing them instead. The researchers said that while this update process, started in 2023, appears to still be underway, “we hope that other router manufacturers will follow their example in the near future, and that BSSID randomization will become the norm rather than the exception.”

While GL.iNet’s product security team said they plan to randomize their routers’ MAC addresses, they aren’t planning to do the same with their products’ BSSIDs, the researchers reported.