
Apple’s WiFi flaw enables mass surveillance globally


Critical vulnerabilities in Apple’s WiFi Positioning Services (WPS) allow attackers to query without verification, enabling them to track the locations and movements of WiFi access points (APs) globally. By generating random Basic Service Set Identifiers (BSSIDs) and querying the WPS, attackers can gather extensive data on device locations.

This capability enables them to monitor WiFi APs, track movements, and even identify devices entering or leaving specific geographic locations.

“We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space,” noted cybersecurity researchers Erik Rye and Dave Levin from the University of Maryland. “Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world.”


Attack methodology

A WPS is designed to improve location accuracy by using nearby WiFi APs as reference points. However, a severe flaw in Apple's service allows it to be abused for bulk data collection.

Attackers generate random Basic Service Set Identifiers (BSSIDs), unique identifiers assigned to each WiFi AP. These BSSIDs can be either real or fabricated. Using these BSSIDs, attackers query Apple’s WPS, which responds with the geolocation data associated with each BSSID. This response includes latitude and longitude coordinates, providing precise location information.

Map showing the distribution of Basic Service Set Identifiers (BSSIDs) obtained through random guessing of OUIs | Source: Erik Rye and Dave Levin

“In Apple’s version, you submit BSSIDs to geolocate, and it returns the geolocation it believes the BSSID is at,” Rye said to The Register. “It also returns many more (up to 400) that you didn’t request that are nearby. The additional 400 were important for our study, as they allowed us to accumulate a large quantity of geolocated BSSIDs quickly. Additionally, Apple’s WPS is not authenticated or rate limited and is free to use.”

On the other hand, Google’s WPS calculates and then returns the location. Also, it is a paid service and is rate-limited.

By systematically querying many BSSIDs, attackers can build a comprehensive database of WiFi AP locations. This data can be used to monitor movements and track the presence of devices within specific geographic regions.

Once the database is established, attackers can track device movements by observing changes in the proximity of WiFi APs. For example, if a device connects to APs in different locations over time, its movement can be inferred.


Case studies

Cybersecurity researchers demonstrated the vulnerability in several case studies. One notable case study involved tracking personal devices brought by military personnel into conflict zones during the Russia-Ukraine war.

Heatmap of devices entering Donbas and Crimea regions. | Source: Erik Rye and Dave Levin

Researchers were able to identify devices moving into and out of Ukraine and Russia, revealing pre-deployment sites and military positions. The data also validated reports of Ukrainian refugees resettling in various countries.

Another case study focused on the Gaza Strip during the Israel-Hamas conflict. The study tracked movements within Gaza and documented the disappearance of devices, illustrating how WPS data can be used to monitor extensive outages and the loss of devices during power cuts and conflicts.

In August 2023, devastating wildfires in Maui, Hawaii, provided another opportunity to test the WPS vulnerabilities. Researchers queried BSSIDs in Lahaina before and after the fires, identifying which devices were destroyed. This real-world event is reflected in the WPS data, showing how natural disasters affect device geolocation.

Researchers proposed several remediation strategies to address these vulnerabilities. These include policy-based, technical, and legal solutions to prevent unauthorised global tracking while allowing for necessary targeted tracking. They emphasise the need for robust security measures to protect user privacy and prevent mass surveillance.
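To make the technical side of the remediation concrete, the following Python model puts the behaviour the article attributes to Apple's WPS (no client identity, no rate limit, and answers padded with up to 400 unrequested nearby BSSIDs) beside a hardened lookup policy (authenticated client, per-client token bucket, answers containing only the BSSIDs actually asked for). It is an added example written for this article, not code from Apple, from The Register, or from Rye and Levin's study. The in-memory AP table, the grid-cell notion of "nearby", the query stream, and the bucket size and refill rate are all constructed assumptions; the point is to show how much of the table a single high-rate client can learn under each policy, and that the hardened policy still answers targeted lookups.

```python
import random

NEIGHBOUR_CAP = 400      # the article: Apple's WPS adds up to 400 unrequested nearby BSSIDs
GRID = 0.01              # constructed "nearby": APs in the same 0.01-degree lat/lon cell
BUCKET_CAPACITY = 50     # hypothetical burst allowance per authenticated client
REFILL_PER_SEC = 1.0     # hypothetical sustained allowance per authenticated client


def random_bssid(rng):
    """One random 48-bit MAC in colon-hex form (constructed, not a real OUI)."""
    return ":".join(f"{rng.randrange(256):02x}" for _ in range(6))


def cell_of(lat, lon):
    return (int(lat // GRID), int(lon // GRID))


def build_database(n_aps, seed=1):
    """Constructed AP table for one city-sized area: {bssid: (lat, lon)} plus a cell index."""
    rng = random.Random(seed)
    db, cells = {}, {}
    while len(db) < n_aps:
        b = random_bssid(rng)
        if b in db:
            continue
        lat, lon = rng.uniform(38.98, 39.00), rng.uniform(-76.95, -76.93)
        db[b] = (lat, lon)
        cells.setdefault(cell_of(lat, lon), []).append(b)
    return db, cells


def open_lookup(db, cells, requested):
    """Open policy: no client identity, no limit, answers padded with nearby BSSIDs."""
    answer, padded = {}, 0
    for b in requested:
        if b not in db:
            continue
        answer[b] = db[b]
        for nb in cells[cell_of(*db[b])]:
            if padded >= NEIGHBOUR_CAP:
                break
            if nb not in answer:
                answer[nb] = db[nb]
                padded += 1
    return answer


class TokenBucket:
    """Classic token bucket: `capacity` tokens of burst, `refill` tokens per second."""

    def __init__(self, capacity, refill):
        self.capacity, self.refill = capacity, refill
        self.tokens, self.last = float(capacity), 0.0

    def allow(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def hardened_lookup(db, buckets, client, requested, now):
    """Hardened policy: authenticated client, per-client token bucket, no padding.
    Returns None when the request is refused (no identity, or over budget)."""
    if client is None:
        return None                        # identity required before any lookup
    bucket = buckets.setdefault(client, TokenBucket(BUCKET_CAPACITY, REFILL_PER_SEC))
    if not bucket.allow(now):
        return None                        # over budget: nothing leaks
    return {b: db[b] for b in requested if b in db}   # only what was asked for


def harvest(db, cells, n_queries, queries_per_sec, policy, seed=2):
    """Run one client's high-rate stream of single-BSSID lookups and count distinct BSSIDs learned."""
    rng = random.Random(seed)
    known = list(db)
    learned, buckets = set(), {}
    for i in range(n_queries):
        now = i / queries_per_sec
        req = [rng.choice(known)]          # constructed worst case: every guess is a real AP
        if policy == "open":
            ans = open_lookup(db, cells, req)
        else:
            ans = hardened_lookup(db, buckets, "client-A", req, now)
        if ans:
            learned.update(ans)
    return len(learned)


if __name__ == "__main__":
    db, cells = build_database(2000)
    for policy in ("open", "hardened"):
        print(policy, harvest(db, cells, 1000, 10.0, policy), "of", len(db), "BSSIDs learned")
```

With 1,000 lookups at 10 per second, the open policy hands over nearly the whole 2,000-entry table because every hit is padded with hundreds of neighbours, while the hardened policy answers only the roughly 150 lookups the bucket admits in that window, each containing a single requested BSSID. The padding, not the lookups themselves, is what turns a per-device feature into a bulk feed.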


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me
