{"id":7410,"date":"2024-05-23T08:13:56","date_gmt":"2024-05-23T15:13:56","guid":{"rendered":"https:\/\/jasonsblog.ddns.net\/?p=7410"},"modified":"2024-05-23T08:13:56","modified_gmt":"2024-05-23T15:13:56","slug":"why-your-wi-fi-router-doubles-as-an-apple-airtag","status":"publish","type":"post","link":"https:\/\/jasonsblog.ddns.net\/index.php\/2024\/05\/23\/why-your-wi-fi-router-doubles-as-an-apple-airtag\/","title":{"rendered":"Why Your Wi-Fi Router Doubles as an Apple AirTag"},"content":{"rendered":"\n

One of the ways they track you like a dog, and Apple is no better than Google. Nice tip though, append _nomap to your WiFi AP name and they claim they won’t track your access point (good for travelers). And why I keep location services off when not utilizing them, and you can utilize airplane mode, enable developer mode in Android and turn off sensors<\/a>… Hopefully GNU\/Linux phone hardware will improve enough so we can dump these big tech platforms, though we’ll probably still be compromised by the radio hardware the carriers have control over to get on their networks, not to mention the chip makers sending telemetry as was exposed with Qualcomm<\/a> (these happen outside your phone’s operating system layer). As the digital Panopticon continues to form, there might come a time to just keep a feature phone burner that is off except for emergencies.<\/p>\n\n\n\n

https:\/\/krebsonsecurity.com\/2024\/05\/why-your-wi-fi-router-doubles-as-an-apple-airtag\/<\/a><\/p>\n\n\n

<\/div><\/div><\/div>\n\n\n

Apple<\/strong> and the satellite-based broadband service Starlink<\/strong> each recently took steps to address new research into the potential security and privacy implications of how their services geo-locate devices. Researchers from the University of Maryland<\/strong> say they relied on publicly available data from Apple to track the location of billions of devices globally \u2014 including non-Apple devices like Starlink systems \u2014 and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.<\/p>\n\n\n\n

At issue is the way that Apple collects and publicly shares information about the precise location of all Wi-Fi access points seen by its devices. Apple collects this location data to give Apple devices a crowdsourced, low-power alternative to constantly requesting global positioning system (GPS) coordinates.<\/p>\n\n\n\n

Both Apple and Google<\/strong> operate their own Wi-Fi-based Positioning Systems<\/strong> (WPS) that obtain certain hardware identifiers from all wireless access points that come within range of their mobile devices. Both record the Media Access Control<\/strong> (MAC) address that a Wi-FI access point uses, known as a Basic Service Set Identifier<\/strong> or BSSID<\/strong>.<\/p>\n\n\n\n

Periodically, Apple and Google mobile devices will forward their locations \u2014 by querying GPS and\/or by using cellular towers as landmarks \u2014 along with any nearby BSSIDs. This combination of data allows Apple and Google devices to figure out where they are within a few feet or meters, and it\u2019s what allows your mobile phone to continue displaying your planned route even when the device can\u2019t get a fix on GPS.<\/p>\n\n\n\n

With Google\u2019s WPS, a wireless device submits a list of nearby Wi-Fi access point BSSIDs and their signal strengths \u2014 via an application programming interface<\/a> (API) request to Google \u2014 whose WPS responds with the device\u2019s computed position. Google\u2019s WPS requires at least two BSSIDs to calculate a device\u2019s approximate position.<\/p>\n\n\n\n

Apple\u2019s WPS also accepts a list of nearby BSSIDs, but instead of computing the device\u2019s location based off the set of observed access points and their received signal strengths and then reporting that result to the user, Apple\u2019s API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested<\/em>. It then uses approximately eight of those BSSIDs to work out the user\u2019s location based on known landmarks.<\/p>\n\n\n\n

In essence, Google\u2019s WPS computes the user\u2019s location and shares it with the device. Apple\u2019s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.<\/p>\n\n\n\n

That\u2019s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple\u2019s API to map the movement of individual devices into and out of virtually any defined area of the world. The UMD pair said they spent a month early in their research continuously querying the API, asking it for the location of more than a billion BSSIDs generated at random.<\/p>\n\n\n\n

They learned that while only about three million of those randomly generated BSSIDs were known to Apple\u2019s Wi-Fi geolocation API, Apple also returned an additional 488 million BSSID locations already stored in its WPS from other lookups<\/em>.<\/p>\n\n\n\n

UMD Associate Professor David Levin<\/strong> and Ph.D student Erik Rye<\/strong> found they could mostly avoid requesting unallocated BSSIDs by consulting the list of BSSID ranges assigned to specific device manufacturers. That list<\/a> is maintained by the Institute of Electrical and Electronics Engineers<\/strong> (IEEE), which is also sponsoring the privacy and security conference<\/a> where Rye is slated to present the UMD research later today.<\/p>\n\n\n\n

Plotting the locations returned by Apple\u2019s WPS between November 2022 and November 2023, Levin and Rye saw they had a near global view of the locations tied to more than two billion Wi-Fi access points. The map showed geolocated access points in nearly every corner of the globe, apart from almost the entirety of China, vast stretches of desert wilderness in central Australia and Africa, and deep in the rainforests of South America.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

<\/a>A \u201cheatmap\u201d of BSSIDs the UMD team said they discovered by guessing randomly at BSSIDs.<\/p>\n\n\n\n

The researchers said that by zeroing in on or \u201cgeofencing\u201d other smaller regions indexed by Apple\u2019s location API, they could monitor how Wi-Fi access points moved over time. Why might that be a big deal? They found that by geofencing active conflict zones in Ukraine, they were able to determine the location and movement of Starlink devices used by both Ukrainian and Russian forces.<\/p>\n\n\n\n

The reason they were able to do that is that each Starlink terminal \u2014 the dish and associated hardware that allows a Starlink customer to receive Internet service from a constellation of orbiting Starlink satellites \u2014 includes its own Wi-Fi access point, whose location is going to be automatically indexed by any nearby Apple devices that have location services enabled.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

A heatmap of Starlink routers in Ukraine. Image: UMD.<\/p>\n\n\n\n

The University of Maryland team geo-fenced various conflict zones in Ukraine, and identified at least 3,722 Starlink terminals geolocated in Ukraine.<\/p>\n\n\n\n

\u201cWe find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,\u201d the researchers wrote. \u201cOur results also show individuals who have left Ukraine to a wide range of countries, validating public reports of where Ukrainian refugees have resettled.\u201d<\/p>\n\n\n\n

In an interview with KrebsOnSecurity, the UMD team said they found that in addition to exposing Russian troop pre-deployment sites, the location data made it easy to see where devices in contested regions originated from.<\/p>\n\n\n\n

\u201cThis includes residential addresses throughout the world,\u201d Levin said. \u201cWe even believe we can identify people who have joined the Ukraine Foreign Legion.\u201d<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

A simplified map of where BSSIDs that enter the Donbas and Crimea regions of Ukraine originate. Image: UMD.<\/p>\n\n\n\n

Levin and Rye said they shared their findings with Starlink in March 2024, and that Starlink told them the company began shipping software updates in 2023 that force Starlink access points to randomize their BSSIDs.<\/p>\n\n\n\n

Starlink\u2019s parent SpaceX did not respond to requests for comment. But the researchers shared a graphic they said was created from their Starlink BSSID monitoring data, which shows that just in the past month there was a substantial drop in the number of Starlink devices that were geo-locatable using Apple\u2019s API.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

UMD researchers shared this graphic, which shows their ability to monitor the location and movement of Starlink devices by BSSID dropped precipitously in the past month.<\/p>\n\n\n\n

They also shared a written statement they received from Starlink, which acknowledged that Starlink User Terminal routers originally used a static BSSID\/MAC:<\/p>\n\n\n\n

\n

\u201cIn early 2023 a software update was released that randomized the main router BSSID. Subsequent software releases have included randomization of the BSSID of WiFi repeaters associated with the main router. Software updates that include the repeater randomization functionality are currently being deployed fleet-wide on a region-by-region basis. We believe the data outlined in your paper is based on Starlink main routers and or repeaters that were queried prior to receiving these randomization updates.\u201d<\/p>\n<\/blockquote>\n\n\n\n

The researchers also focused their geofencing on the Israel-Hamas war in Gaza, and were able to track the migration and disappearance of devices throughout the Gaza Strip as Israeli forces cut power to the country and bombing campaigns knocked out key infrastructure.<\/p>\n\n\n\n

\u201cAs time progressed, the number of Gazan BSSIDs that are geolocatable continued to decline,\u201d they wrote. \u201cBy the end of the month, only 28% of the original BSSIDs were still found in the Apple WPS.\u201d<\/p>\n\n\n\n

In late March 2024, Apple quietly updated its website<\/a> to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple \u2014 by appending \u201c_nomap\u201d to the end of the Wi-Fi access point\u2019s name (SSID). Adding \u201c_nomap\u201d to your Wi-Fi network name also blocks Google from indexing its location<\/a>.<\/p>\n\n\n\n

\"\"<\/p>\n\n\n\n

Apple updated its privacy and location services policy in March 2024 to allow people to opt out of having their Wi-Fi access point indexed by its service, by appending \u201c_nomap\u201d to the network\u2019s name.<\/p>\n\n\n\n

Asked about the changes, Apple said they have respected the \u201c_nomap\u201d flag on SSIDs for some time, but that this was only called out in a support article earlier this year.<\/p>\n\n\n\n

Rye said Apple\u2019s response addressed the most depressing aspect of their research: That there was previously no way for anyone to opt out of this data collection.<\/p>\n\n\n\n

\u201cYou may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple\u2019s] database,\u201d he said. \u201cWhat\u2019s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.\u201d<\/p>\n\n\n\n

The researchers said they hope Apple will consider additional safeguards, such as proactive ways to limit abuses of its location API.<\/p>\n\n\n\n

\u201cIt\u2019s a good first step,\u201d Levin said of Apple\u2019s privacy update in March. \u201cBut this data represents a really serious privacy vulnerability. I would hope Apple would put further restrictions on the use of its API, like rate-limiting these queries to keep people from accumulating massive amounts of data like we did.\u201d<\/p>\n\n\n\n

The UMD researchers said they omitted certain details from their study to protect the users they were able to track, noting that the methods they used could present risks for those fleeing abusive relationships or stalkers.<\/p>\n\n\n\n

\u201cWe observe routers move between cities and countries, potentially representing their owner\u2019s relocation or a business transaction between an old and new owner,\u201d they wrote. \u201cWhile there is not necessarily a 1-to-1 relationship between Wi-Fi routers and users, home routers typically only have several. If these users are vulnerable populations, such as those fleeing intimate partner violence or a stalker, their router simply being online can disclose their new location.\u201d<\/p>\n\n\n\n

The researchers said Wi-Fi access points that can be created using a mobile device\u2019s built-in cellular modem do not create a location privacy risk for their users because mobile phone hotspots will choose a random BSSID when activated.<\/p>\n\n\n\n

\u201cModern Android and iOS devices will choose a random BSSID when you go into hotspot mode,\u201d he said. \u201cHotspots are already implementing the strongest recommendations for privacy protections. It\u2019s other types of devices that don\u2019t do that.\u201d<\/p>\n\n\n\n

For example, they discovered that certain commonly used travel routers compound the potential privacy risks.<\/p>\n\n\n\n

\u201cBecause travel routers are frequently used on campers or boats, we see a significant number of them move between campgrounds, RV parks, and marinas,\u201d the UMD duo wrote. \u201cThey are used by vacationers who move between residential dwellings and hotels. We have evidence of their use by military members as they deploy from their homes and bases to war zones.\u201d<\/p>\n\n\n\n

A copy of the UMD research is available here<\/a> (PDF).<\/p>\n\n\n\n

Update, May 22, 4:54 p.m. ET:<\/strong> Added response from Apple.<\/p>\n","protected":false},"excerpt":{"rendered":"

One of the ways they track you like a dog, and Apple is no better than Google. Nice tip though, append _nomap to your WiFi AP name and they claim they won’t track your access point (good for travelers). And why I keep location services off when not utilizing them, and you can utilize airplane […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-7410","post","type-post","status-publish","format-standard","hentry","category-tech"],"blocksy_meta":[],"featured_image_src":null,"author_info":{"display_name":"Jason","author_link":"https:\/\/jasonsblog.ddns.net\/index.php\/author\/jturning\/"},"_links":{"self":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/7410","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/comments?post=7410"}],"version-history":[{"count":1,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/7410\/revisions"}],"predecessor-version":[{"id":7415,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/posts\/7410\/revisions\/7415"}],"wp:attachment":[{"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/media?parent=7410"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/categories?post=7410"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jasonsblog.ddns.net\/index.php\/wp-json\/wp\/v2\/tags?post=7410"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}