Anyone can tap into your WiFi location data to track you, researchers find

Apple will provide your WiFi location to anyone sending a query, and researchers demonstrated that “an unprivileged, weak attacker” – in other words, anyone – can exploit Apple’s WiFi-based positioning system (WPS) to perform global mass surveillance.

“Merely being within WiFi range of an Apple device can lead to a device’s location and movements being made widely and publicly available,” said a paper by Erik Rye and Dave Levin, researchers at the University of Maryland.

The researchers managed to learn the precise locations of over two billion WiFi access points around the world.

They also demonstrated that large-scale global surveillance attacks could be launched by any remote and unprivileged adversaries.

The problem lies in the way publicly accessible WPSes work. When GPS is unavailable, mobile devices send a query to a WPS server for their location based on the WiFi access points around them. The Apple WPS server responds with the geolocation of those access points and up to 400 additional nearby WiFi devices.

Moreover, WPSes, such as those from Apple or Google, do not require devices to prove they actually see the WiFi devices they claim to see.

“In other words, one can query for any arbitrary MAC address, and, if it is in the WPS’s database, it will return its location,” the paper reads.

Then, the search can be expanded to build a global map of WiFi devices and track their movement periodically.

“Apple’s WPS API is free, and places few restrictions on its use. It requires neither an API key, authentication, nor an Apple device,” the researchers noted.

“Moreover, Apple appears to make no attempt to filter physically impossible queries. The BSSIDs (devices’ unique identifiers) submitted to the WPS need not be physically proximate to each other nor to the device submitting the query.”

Researchers provided a disturbing example where not even a global WiFi map is needed. If a domestic violence survivor moves to an undisclosed location, the abuser, knowing the victim’s WiFi access point (travel modem, WiFi-enabled TV, phone hotspot) identifier, could periodically query it until its location appears.

Any hotspot, such as laptop, or travel router, can be tracked this way.

Other “unprivileged, weak” attackers could perform mass surveillance by constantly scanning all WiFi access points virtually anywhere in the world, “without any a priori knowledge.”

“Making matters worse, users whose devices are being tracked never opted into Apple’s WPS in the first place, nor did they have a way to opt out when we conducted this study,” the researchers said.

After responsible disclosure, according to the paper, Apple now provides a way for users to opt their devices out.

Apple is aware of the issues highlighted by the researchers. The company has already implemented server-side measures to greatly reduce the vulnerability and additional measures are planned for the release this summer.

A longstanding mitigation Apple has had in place for years allows Wi-Fi access point owners to opt-out.

“The owner of a Wi-Fi access point can opt it out of Apple's Location Services — which prevents its location from being sent to Apple to include in Apple's crowd-sourced location database — by changing the access point's SSID (name) to end with "_nomap." For example, "Access_Point" would be changed to "Access_Point_nomap,” according to Apple’s support documentation.

Tracking device movements in the Russia-Ukraine war

The paper also demonstrated that the vulnerability introduces some useful open-source intelligence (OSINT) applications. From November 2022 to November 2023, Researchers built a corpus consisting of over two billion distinct WiFi hotspots.

“We use Apple’s WPS to analyze device movements into and out of Ukraine and Russia, gaining insights into their ongoing war that, to the best of our knowledge, have yet to be made public. We find what appear to be personal devices being brought by military personnel into war zones, exposing pre-deployment sites and military positions,” the paper reads.

The results also reveal individuals who have left Ukraine for a wide range of countries.

Apple’s WPS was also used to track movement out of and within Gaza, as well as the disappearance of devices in the Strip.

“It’s possible to use WPS data to track extensive outages and loss of devices,” the researchers write.

They also found that by querying 10 million BSSIDs daily, only 0.06% of devices moved more than one kilometer over the course of a month. Both commercial and residential WiFi deployments are rarely taken down and set back up once they’re installed.

What can users do?

Users seem “at the mercy of WPS operators and the equipment vendor that manufactures their access point.” However, the researchers provide some practical steps.

First, users concerned about being tracked as they change locations should avoid using the same access point at each location if possible.

Users can also limit the time they spend on their access point to prevent it from appearing in a WPS, as those systems require access points to “exhibit some degree of stability” before adding them to the database.

“Anecdotally, we find that an AP running in a suburban area will appear in Apple’s WiFi geolocation system after two to seven days of continuous operation.”

Randomizing BSSIDs is recommended for the most technically savvy and privacy-conscious users who can modify the operation of their access point software.

“The type of unlimited and unregulated access to WiFi geolocation data Apple currently permits via its API should be prohibited,” the researchers suggest

They recommend Apple introduce per-device rate limits and cease providing unrequested nearby BSSID geolocations.

“Apple has indicated that they are on track to make several changes to their WPS in order to better protect user privacy,” the paper Surveilling the Masses with WiFi-Based Positioning Systems said.

Updated on May 29th [02:15 p.m. GMT] with additional information from Apple.