It is pointed out that the Wi-Fi positioning system used by Apple's 'Find' app can be easily used to track location information
[2405.14975] Surveilling the Masses with Wi-Fi-Based Positioning Systems
https://arxiv.org/abs/2405.14975
Surveilling the Masses with Wi-Fi\replaced-Based Positioning Systems Geolocation Services
https://arxiv.org/html/2405.14975v1
Mobile devices often use location information frequently and accurately not only for location services, but also to track devices when lost or stolen. A prime example of this is the ' Find My ' service on Apple devices. GPS consumes a lot of power, so it is not suitable for such frequent location checks. For this reason, Apple and Google use WPS to track the location of mobile devices.
More specifically, a mobile device uses GPS to determine its location and periodically reports the MAC addresses ( BSSIDs ) and GPS coordinates of Wi-Fi access points it observes to WPS. WPS stores the reported BSSIDs on a server, and when GPS is unavailable or not desired, it queries the server and provides a set of BSSIDs, allowing the device to determine its approximate location 'accurately without using GPS.'
However, general WPS (including Apple and Google) is accessible to anyone, and the device that queries the database does not need to prove which BSSID it has detected. In other words, the device can query WPS for any BSSID, and if the BSSID is in the WPS database, the device will notify the location. The research group pointed out that 'even a weak, unprivileged attacker could use Apple's WPS to monitor users' Wi-Fi access points on a large scale, virtually anywhere in the world, without prior knowledge.'
Regarding the existing design of WPS, the research group pointed out that 'it is well suited to targeted attacks.' For example, if a victim of intimate partner violence moves to an undisclosed location, the ex-partner could query WPS for location information if he or she knows the BSSID of the victim's Wi-Fi access point (or travel modem, Wi-Fi-enabled TV, etc.) to determine where the victim moved to. The research group points out that such targeted attacks 'have limited potential threat' because the attacker must have prior knowledge of the target.
Lai and Levin have been working on this technique for over a year and report that they have successfully determined the precise locations of over 2 billion BSSIDs around the world.
The research group also cites possible measures to limit WPS vulnerabilities: 'WPS operators can restrict access to the API, so governments can legislate to prevent citizens' devices from being used as geolocation landmarks, and users who are wary of being tracked can avoid using the same Wi-Fi access points in multiple locations.'
A more robust solution would be to implement the same privacy protections in Wi-Fi access points that are implemented in mobile devices, which would allow the BSSID to be randomized at boot time or every time the device's location changes, preventing user tracking even if the WPS operator allows open access to the API.
Related Posts: