Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]
Groups > comp.mobile.android > #141499 > unrolled thread
| Started by | Charlie <charlie@nospam.com> |
|---|---|
| First post | 2024-05-28 01:10 -0600 |
| Last post | 2024-06-01 10:58 +0200 |
| Articles | 5 — 4 participants |
Back to article view | Back to comp.mobile.android
Surveillance Risk: Apple's WiFi-Based Positioning System Charlie <charlie@nospam.com> - 2024-05-28 01:10 -0600
Re: Surveillance Risk: Apple's WiFi-Based Positioning System Oscar Mayer <nobody@oscarmayer.com> - 2024-05-28 17:38 -0400
Re: Surveillance Risk: Apple's WiFi-Based Positioning System Oscar Mayer <nobody@oscarmayer.com> - 2024-05-31 14:53 -0400
Re: Surveillance Risk: Apple's WiFi-Based Positioning System Andrew <andrew@spam.net> - 2024-05-31 17:38 +0000
Re: Surveillance Risk: Apple's WiFi-Based Positioning System anonymous <anon@anon.com> - 2024-06-01 10:58 +0200
| From | Charlie <charlie@nospam.com> |
|---|---|
| Date | 2024-05-28 01:10 -0600 |
| Subject | Surveillance Risk: Apple's WiFi-Based Positioning System |
| Message-ID | <v3400s$aag$1@neodome.net> |
Surveillance Risk: Apple's WiFi-Based Positioning System <https://www.govinfosecurity.com/surveillance-risk-apples-wifi-based-positioning-system-a-25330> The attack risk stems from Apple's WiFi-based Positioning System, or WPS, which offers an API to which any device or service, Apple-made or otherwise, can submit one or more Basic Service Set Identifiers, together with their signal strength. A BSSID is a number - oftentimes unique - that serves as a WiFi access point's MAC address. By cataloging these BSSIDs and their location, WPSes offered by the likes of Apple and Google help other devices triangulate their location without using power-hungry global positioning system capabilities. Two University of Maryland researchers report that problem with Apple's WPS, which anyone or thing can query for free, is that it offers overly verbose responses that can potentially be abused by remote attackers to track any device with a BSSID, anywhere across the globe. While Google's WPS returns a single BSSID in response to a query, Apple's returns a list of up to 400. The researchers' proof-of-concept attack used fabricated queries to trick Apple's WPS into giving it extensive information about the BSSIDs it stored. "Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world," said the report's co-authors, Erik Rye, a University of Maryland Ph.D. student focused on network security and privacy, and Dave Levin, a computer science professor at the university. The researchers said they didn't study WPSes offered by others, including Google, although noted that Google's is less susceptible to this attack, because it requires all users to authenticate to its WPS API, and charges them for queries, although the fee is nominal for a small volume of requests. By contrast, "Apple's API opportunistically returns the geolocations of up to several hundred more BSSIDs nearby the one requested," they said. "These unrequested BSSID geolocations are presumably then cached by the client, which no longer needs to request the locations of the nearby BSSIDs it may soon encounter, e.g., as the user walks down a city street." While that's the legitimate use case, attackers can turn such functionality to malicious ends. "We demonstrated that this attack could be applied to individual users, such as travel router owners, as they move from location to location. We also showed that WPSes could be used to find sensitive equipment, like Starlink routers in Ukraine," the researchers said. They shared their results in advance of publication with Apple and Google, as well as two of the router manufacturers whose users are most at risk from the attack: SpaceX's Starlink, and Hong Kong-based GL.iNet. Via their attack, the researchers said they could track live movements of devices connected to Starlink, locating military members and civilians in Ukraine and Gaza. They could also track devices as they moved around the world. "The ability to track users via their access points over time using Apple's WPS is a severe privacy vulnerability," said report co-author Erik Rye, who's a network security researcher at the University of Maryland. "Anyone, not just a privileged adversary like a nation-state, could execute the attack," which could be used not just for location tracking by governments but also for stalking or even advertising purposes. One country underrepresented in researchers' data set was China. They hypothesized that this black hole is likely due to Chinese laws prohibiting the domestic collection or sharing BSSIDs. While they did count a few thousand BSSIDs in China, they said this likely traced to "tourists or foreigners" using devices that cataloged the BSSIDs around them. What can be done to block this BSSID-cataloging and tracking attack? The researchers points to four strategies: WPS service operators limiting access to their APIs, governments passing legislation prohibiting individuals' devices being used for geolocation purposes, users not taking their travel modems with them at all, or best of all, having devices randomize their BSSID on reboot or whenever they get moved. Multiple vendors have begun making changes in response to the research. While Apple did not immediately respond to a request for comment, the company in March added the ability for access point operators to opt out of its gathering of crowdsourced location data, in line with what Google since 2016 already offered for its WPS. "The owner of a Wi-Fi access point can opt it out of Apple's Location Services - which prevents its location from being sent to Apple to include in Apple's crowd-sourced location database - by changing the access point's SSID (name) to end with '_nomap,'" Apple said. "For example, 'Access_Point' would be changed to 'Access_Point_nomap'" "We're also told that they have a couple of other remediations that are due to be in place soon," Rye said. Starlink responded by pushing updates to its routers to stop using static BSSIDs and to start randomizing them instead. The researchers said that while this update process, started in 2023, appears to still be underway, "we hope that other router manufacturers will follow their example in the near future, and that BSSID randomization will become the norm rather than the exception." While GL.iNet's product security team said they plan to randomize their routers' MAC addresses, they aren't planning to do the same with their products' BSSIDs, the researchers reported.
[toc] | [next] | [standalone]
| From | Oscar Mayer <nobody@oscarmayer.com> |
|---|---|
| Date | 2024-05-28 17:38 -0400 |
| Message-ID | <v35is7$p89q$1@dont-email.me> |
| In reply to | #141499 |
On Tue, 28 May 2024 01:10:20 -0600, Charlie wrote: > Surveillance Risk: Apple's WiFi-Based Positioning System > <https://www.govinfosecurity.com/surveillance-risk-apples-wifi-based-positioning-system-a-25330> > > The attack risk stems from Apple's WiFi-based Positioning System, or WPS, > which offers an API to which any device or service, Apple-made or > otherwise, can submit one or more Basic Service Set Identifiers, together > with their signal strength. Why would Apple design a system so incredibly horrific against privacy? Basically you can track anyone simply by asking Apple for their location. No permission? No problem, says Apple. Here's their location & also the location of the nearest 400 people to that person. How's that for privacy. Researchers find Apple's Wi-Fi Positioning System represents a serious privacy vulnerability. <https://www.macworld.com/article/2343297/apple-wi-fi-network-wps-vulnerability-location-services-leak.html> "Apple's WPS server sends up to 400 other known Wi-Fi networks that may be in the approximate vicinity of the device as part of its crowdsourcing location database. From this list, the requesting device searches for eight possible variants and calculates its location based on this data. Apple's WPS system, the iOS device, and the router on which the network is based operate with the so-called BSSIDs (Basic Service Set Identification) and usually correspond to the MAC address of the device, which is static in most cases. The request via Apple's APIs is free, so Rye and Levin sent 30 requests per second with 100 guessed BSSIDs. The information on the current static location alone is life-threatening in the wrong hands, as it indicates the location data of the Ukrainian military units and of refugees as they move about in the Gaza Strip. With Apple & Google, you can add "_nomap" to your Access Point SSID. However, Microsoft requires you to give them all your MAC addresses first! https://account.microsoft.com/privacy/location-services-opt-out
[toc] | [prev] | [next] | [standalone]
| From | Oscar Mayer <nobody@oscarmayer.com> |
|---|---|
| Date | 2024-05-31 14:53 -0400 |
| Message-ID | <v3d6bu$2bldf$1@dont-email.me> |
| In reply to | #141534 |
On Tue, 28 May 2024 17:38:16 -0400, Oscar Mayer wrote: On 30 May 2024 21:30:37 GMT, Jolly Roger wrote: >>>> Since even the Apple shills directly blame Apple for this privacy hole >>> >>> A database of publicly-broadcasted WiFi BSSIDs is not a "privacy hole". >> >> Only Apple > > Nope, sorry. Nobody but you denies what even Apple doesn't deny. Why do you do that? [https://9to5mac.com/2024/05/24/apple-location-services-vulnerability/] "There is one crucial difference between the way in which Apple and Google devices carry out this task and that's exactly where the privacy issue arises." [https://www.macworld.com/article/2343297/apple-wi-fi-network-wps-vulnerability-location-services-leak.html] "Researchers have discovered a crucial vulnerability in the way only Apple's location services work" [https://www.govinfosecurity.com/surveillance-risk-apples-wifi-based-positioning-system-a-25330] "The attack risk stems from Apple's WiFi-based Positioning System, or WPS" [https://9to5mac.com/2024/05/24/apple-location-services-vulnerability/] "We need to understand Apple devices figure out locations differently" [https://securityboulevard.com/2024/05/apple-wi-fi-location-privacy-richixbw/] "An unrestricted Apple API endpoint allows for easy tracking." [https://cybernews.com/privacy/apple-beams-wifi-location-data-privacy-risk/] "Anyone can exploit Apple's flawed WiFi-based positioning system (WPS)* [https://arxiv.org/abs/2405.14975] "In this work, we show that Apple's flawed WPS can too easily be abused" Why do you deny what nobody but you denies (not even Apple denies it)?
[toc] | [prev] | [next] | [standalone]
| From | Andrew <andrew@spam.net> |
|---|---|
| Date | 2024-05-31 17:38 +0000 |
| Message-ID | <v3d1v2$2q7i$1@nnrp.usenet.blueworldhosting.com> |
| In reply to | #141499 |
Alan Browne wrote on Thu, 30 May 2024 19:18:55 -0400 : > The "general" case is that it is absolutely not an Apple issue. > SSID/BSSID's are OPENLY AND LOUDLY BROADCAST WORLDIWDE IN THE BILLIONS. The fact is you're defending Apple's holes, to the death, no matter what. Every desperate excuse you make for the flaws in Apple's implementation show you not understand what only Apple does that's different here. Worse, you were not aware the outward facing MAC address cannot be cloned (in almost all routers and particularly in the tested travel routers). And you were not aware that the SSID is meaningless for this exploit, other than the workaround that Apple suggested (of appending _nomac to the SSID). Furthermore, you're still not aware that a "hidden broadcast" has been a feature of nearly every router since the dawn of Wi-Fi, where the mere act of clicking that checkbox prevents the BSSID from being *uploaded* to the Google and Apple and Mozilla and Wigle databases, by default. (See notes in the sig, given the Apple religious zealots don't understand this issue). While you're frantically desperate to fabricate excuses for Apple's vulnerabilities, you don't ever show any understanding of them. Notes in the sig given Apple religious zealots don't understand anything. -- Note 1: The hidden broadcast won't hide the BSSID from a seasoned attacker (such as a Google or Apple transit vehicle - depending on how its code is written); but the mere act of hiding the SSID broadcast packet has been proven to prevent the normal users' device (i.e., mobile phones) from uploading your BSSID using the typical software that we are speaking about Note 2: Since the Apple religious zealots act only out of franctic desperation to make excuses for all Apple's vulnerabilities, it should be noted that an intelligent person knows the difference between the upload of the BSSID (which is a first-order issue) vs the deletion of the BSSID from the Internet databases (which requires second-order software processing). Note 3: There's no way the Apple religious zealots will understand the two notes above, but for the intelligent people reading this thread, it should be noted that if you do hide your broadcast packets, then you often might want to set your client (such as a phone) to "remember" and "reconnect"; but this has other issues - where the Apple zealots won't understand but you might understand that the "remember" is fine (unless you're worried about your phone being stolen) but the "automatic reconnect" should be turned off because that setting causes the phone to seek out the named AP.
[toc] | [prev] | [next] | [standalone]
| From | anonymous <anon@anon.com> |
|---|---|
| Date | 2024-06-01 10:58 +0200 |
| Message-ID | <032ce03406e2dfc484e94fef52899615@dizum.com> |
| In reply to | #141664 |
Andrew <andrew@spam.net> wrote in news:v3d1v2$2q7i$1@nnrp.usenet.blueworldhosting.com: > Alan Browne wrote on Thu, 30 May 2024 19:18:55 -0400 : > >> The "general" case is that it is absolutely not an Apple issue. >> SSID/BSSID's are OPENLY AND LOUDLY BROADCAST WORLDIWDE IN THE >> BILLIONS. You're 50% correct. SSID/BSSID's are OPENLY AND LOUDLY BROADCAST = 50% it is absolutely not an Apple issue. = 0% > The fact is you're defending Apple's holes, to the death, no matter > what. > > Every desperate excuse you make for the flaws in Apple's > implementation show you not understand what only Apple does that's > different here. > > Worse, you were not aware the outward facing MAC address cannot be > cloned (in almost all routers and particularly in the tested travel > routers). > > And you were not aware that the SSID is meaningless for this exploit, > other than the workaround that Apple suggested (of appending _nomac to > the SSID). > > Furthermore, you're still not aware that a "hidden broadcast" has been > a feature of nearly every router since the dawn of Wi-Fi, where the > mere act of clicking that checkbox prevents the BSSID from being > *uploaded* to the Google and Apple and Mozilla and Wigle databases, by > default. (See notes in the sig, given the Apple religious zealots > don't understand this issue). +1 > While you're frantically desperate to fabricate excuses for Apple's > vulnerabilities, you don't ever show any understanding of them. > > Notes in the sig given Apple religious zealots don't understand > anything. In years past when waiting for flights in an airport, Apple products were a favorite target for two reasons. Most Apple users are clueless about security, and there is a flaw that exists to this day permitting rogue Wi- Fi access. It's not readily apparent, but it exists.
[toc] | [prev] | [standalone]
Back to top | Article view | comp.mobile.android
csiph-web