LAS VEGAS—You rely on your smartphone to determine your location and help you get where you’re going. Android and iOS devices rely on the Wi-Fi Positioning System (WPS) to pin down that location, and any smartphone that comes within range of your home router also confirms that router’s location in the WPS database. That’s not always a good thing, explained University of Maryland researcher Erik Rye here at Black Hat.
“WPS allows mobile devices to be geolocated using Wi-Fi routers as reference points,” Rye said. “Apple, Google, Microsoft, Skyhook and Mozilla all maintain WPS databases, but Apple’s is uniquely vulnerable.”
Each router has a unique identifier called a BSSID. “Apple’s WPS is objectively a cool system,” he said. “When it searches for the location of a BSSID, it returns up to 400 nearby ones. It is a publicly accessible, unauthenticated API with no fee cap.” Rye did not go into detail about other WPS systems, except to say that they do not offer the same capabilities as Apple’s system.
“In a naive attack, you can just start guessing all the 48-bit numbers. You ask Apple about location and mostly you get back ‘I don’t know,’” Rye said. “When you know, you get up to 400 nearby BSSIDs and their locations.”
But not every 48-bit number is a possible BSSID. Each router manufacturer receives one or more Organizational Unique Identifiers (OUIs), which occupy the first three bytes of a BSSID, and only about 36,000 OUIs have been assigned. “Sticking with guesses that start with a valid OUI gives more than a 99% reduction in search space,” Rye said, “and the IEEE publishes the list of OUIs.”
“You’re still trying a lot of wrong ones,” he continued, “but with Apple, for every hit you get up to 400 more.”
Rye showed a worldwide map of BSSIDs found, including some in Antarctica. He noted that China was initially a big gap – it turns out there is a separate WPS just for China, though it’s still accessible for the same questions.
Simple attacks on privacy
“Say I’m a law enforcer, or I’m chasing an unrighteous husband,” said Rye. “Maybe they take it and run away. To find them, I can just search for their router’s BSSID until it shows up again. This is the most basic attack.”
He noted that it would also be easy to enumerate all BSSIDs from a given router manufacturer, using their OUIs. “If it’s Cisco, who cares. But what if it’s something private, like Starlink? Yes, we can geolocate all Starlink routers in Ukraine. We can even make out the contours of the front lines in the war with Russia.”
By ingesting massive amounts of WPS data, Rye can identify routers that change location. Tracking a router on a boat may be trivial, but there are darker surveillance possibilities. “We checked Donbas in Ukraine, seeing where the equipment was before it showed up there, potentially learning their pre-deployment sites.”
If a router is not observed by the system for a certain amount of time, usually three to seven days, it disappears from the WPS database. Rye checked BSSIDs in Gaza before and after the October 7 attack. “We can see a 75% drop in visible routers,” he said. “We’re likely seeing routers that have gone offline due to a lack of power, or simply crashed.”
What is the solution?
“We disclosed it to Apple in December of last year,” Rye said. He noted that disclosing to every router vendor would have been impractical, so the team disclosed only to Starlink and to mobile router vendor GL.iNet.
In March, Apple reached out to inform users how they could opt out. The process involves changing your router’s SSID so that it ends in “_nomap”.
“What they should have done is quite different,” according to Rye, who said Apple should have acted to prevent redundant queries, require authentication, and cap the number of additional BSSIDs returned, currently up to 400. But they didn’t.
“For vendors, our fix is to randomize your BSSID,” Rye said. “This will prevent all the attacks I mentioned. To their true credit, Starlink started randomizing in April 2024. They initially focused on specific router types and regions, but now there are no more Starlink routers to be found.”
Am I in danger?
Should you change your SSID from “MyWiFi” to “MyWiFi_nomap”? If you’re concerned about your privacy and willing to accept the hassle of entering a new SSID on all your devices, sure, go ahead! While you’re at it, enter “_optout”, which will opt you out of Microsoft’s WPS. Yes, it is now “MyWiFi_optout_nomap”. But if you don’t and you’re not in a conflict zone, you’re probably fine.
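As an added example, not from Rye's talk or this article, here is a small Python helper that checks an SSID for the two opt-out markers described above and builds the combined name. It assumes Apple's “_nomap” must end the SSID (as the article states), that Microsoft's “_optout” may appear anywhere in it, and that the 802.11 limit of 32 octets per SSID applies, which the combined suffix can easily push a name past.

```python
# Added example (not from the article): check and build WPS opt-out SSIDs.
# Assumptions: "_nomap" must be the SSID's suffix; "_optout" may sit anywhere;
# the 802.11 SSID element is limited to 32 octets (bytes of UTF-8, not chars).
MAX_SSID_OCTETS = 32
APPLE_SUFFIX = "_nomap"    # Apple (and Google) opt-out marker, must end the SSID
MS_TAG = "_optout"         # Microsoft opt-out marker, placement assumed: anywhere


def optout_status(ssid: str) -> dict:
    """Report which WPS databases this SSID already opts out of."""
    return {
        "apple": ssid.endswith(APPLE_SUFFIX),
        "microsoft": MS_TAG in ssid,
    }


def ssid_octets_over_limit(ssid: str) -> int:
    """How many octets the UTF-8 encoding exceeds the 802.11 limit by (0 if it fits)."""
    return max(0, len(ssid.encode("utf-8")) - MAX_SSID_OCTETS)


def optout_ssid(ssid: str) -> str:
    """Rename an SSID so it opts out of both databases, e.g.
    'MyWiFi' -> 'MyWiFi_optout_nomap'. Idempotent for names that already
    carry one or both markers. Raises ValueError if the result is too long."""
    status = optout_status(ssid)
    # Strip an existing "_nomap" so the Microsoft tag can be inserted before it.
    base = ssid[: -len(APPLE_SUFFIX)] if status["apple"] else ssid
    if not status["microsoft"]:
        base += MS_TAG
    new = base + APPLE_SUFFIX
    over = ssid_octets_over_limit(new)
    if over:
        raise ValueError(
            f"{new!r} exceeds the {MAX_SSID_OCTETS}-octet SSID limit by {over}; "
            f"shorten the base name first"
        )
    return new


if __name__ == "__main__":
    for name in ["MyWiFi", "MyWiFi_nomap", "MyWiFi_optout", "MyWiFi_optout_nomap"]:
        print(f"{name!r:24} -> {optout_ssid(name)!r}  status={optout_status(name)}")
```

Run it on your current SSID before retyping the new name into every device; a 20-character base name already overflows the limit once both markers are appended.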