Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]


Groups > comp.mobile.android > #141499 > unrolled thread

Surveillance Risk: Apple's WiFi-Based Positioning System

Started byCharlie <charlie@nospam.com>
First post2024-05-28 01:10 -0600
Last post2024-06-01 10:58 +0200
Articles 5 — 4 participants

Back to article view | Back to comp.mobile.android


Contents

  Surveillance Risk: Apple's WiFi-Based Positioning System Charlie <charlie@nospam.com> - 2024-05-28 01:10 -0600
    Re: Surveillance Risk: Apple's WiFi-Based Positioning System Oscar Mayer <nobody@oscarmayer.com> - 2024-05-28 17:38 -0400
      Re: Surveillance Risk: Apple's WiFi-Based Positioning System Oscar Mayer <nobody@oscarmayer.com> - 2024-05-31 14:53 -0400
    Re: Surveillance Risk: Apple's WiFi-Based Positioning System Andrew <andrew@spam.net> - 2024-05-31 17:38 +0000
      Re: Surveillance Risk: Apple's WiFi-Based Positioning System anonymous <anon@anon.com> - 2024-06-01 10:58 +0200

#141499 — Surveillance Risk: Apple's WiFi-Based Positioning System

FromCharlie <charlie@nospam.com>
Date2024-05-28 01:10 -0600
SubjectSurveillance Risk: Apple's WiFi-Based Positioning System
Message-ID<v3400s$aag$1@neodome.net>
Surveillance Risk: Apple's WiFi-Based Positioning System
<https://www.govinfosecurity.com/surveillance-risk-apples-wifi-based-positioning-system-a-25330>

The attack risk stems from Apple's WiFi-based Positioning System, or WPS,
which offers an API to which any device or service, Apple-made or
otherwise, can submit one or more Basic Service Set Identifiers, together
with their signal strength. 

A BSSID is a number - oftentimes unique - that serves as a WiFi access
point's MAC address. By cataloging these BSSIDs and their location, WPSes
offered by the likes of Apple and Google help other devices triangulate
their location without using power-hungry global positioning system
capabilities.

Two University of Maryland researchers report that problem with Apple's
WPS, which anyone or thing can query for free, is that it offers overly
verbose responses that can potentially be abused by remote attackers to
track any device with a BSSID, anywhere across the globe. While Google's
WPS returns a single BSSID in response to a query, Apple's returns a list
of up to 400.

The researchers' proof-of-concept attack used fabricated queries to trick
Apple's WPS into giving it extensive information about the BSSIDs it
stored.

"Applying this technique over the course of a year, we learned the precise
locations of over 2 billion BSSIDs around the world," said the report's
co-authors, Erik Rye, a University of Maryland Ph.D. student focused on
network security and privacy, and Dave Levin, a computer science professor
at the university.

The researchers said they didn't study WPSes offered by others, including
Google, although noted that Google's is less susceptible to this attack,
because it requires all users to authenticate to its WPS API, and charges
them for queries, although the fee is nominal for a small volume of
requests.

By contrast, "Apple's API opportunistically returns the geolocations of up
to several hundred more BSSIDs nearby the one requested," they said. "These
unrequested BSSID geolocations are presumably then cached by the client,
which no longer needs to request the locations of the nearby BSSIDs it may
soon encounter, e.g., as the user walks down a city street."

While that's the legitimate use case, attackers can turn such functionality
to malicious ends.

"We demonstrated that this attack could be applied to individual users,
such as travel router owners, as they move from location to location. We
also showed that WPSes could be used to find sensitive equipment, like
Starlink routers in Ukraine," the researchers said.

They shared their results in advance of publication with Apple and Google,
as well as two of the router manufacturers whose users are most at risk
from the attack: SpaceX's Starlink, and Hong Kong-based GL.iNet.

Via their attack, the researchers said they could track live movements of
devices connected to Starlink, locating military members and civilians in
Ukraine and Gaza. They could also track devices as they moved around the
world.

"The ability to track users via their access points over time using Apple's
WPS is a severe privacy vulnerability," said report co-author Erik Rye,
who's a network security researcher at the University of Maryland. "Anyone,
not just a privileged adversary like a nation-state, could execute the
attack," which could be used not just for location tracking by governments
but also for stalking or even advertising purposes.

One country underrepresented in researchers' data set was China. They
hypothesized that this black hole is likely due to Chinese laws prohibiting
the domestic collection or sharing BSSIDs. While they did count a few
thousand BSSIDs in China, they said this likely traced to "tourists or
foreigners" using devices that cataloged the BSSIDs around them.

What can be done to block this BSSID-cataloging and tracking attack? The
researchers points to four strategies: WPS service operators limiting
access to their APIs, governments passing legislation prohibiting
individuals' devices being used for geolocation purposes, users not taking
their travel modems with them at all, or best of all, having devices
randomize their BSSID on reboot or whenever they get moved.

Multiple vendors have begun making changes in response to the research.
While Apple did not immediately respond to a request for comment, the
company in March

added the ability for access point operators to opt out of its gathering of
crowdsourced location data, in line with what Google since 2016 already
offered for its WPS.

"The owner of a Wi-Fi access point can opt it out of Apple's Location
Services - which prevents its location from being sent to Apple to include
in Apple's crowd-sourced location database - by changing the access point's
SSID (name) to end with '_nomap,'" Apple said. "For example, 'Access_Point'
would be changed to 'Access_Point_nomap'"

"We're also told that they have a couple of other remediations that are due
to be in place soon," Rye said.

Starlink responded by pushing updates to its routers to stop using static
BSSIDs and to start randomizing them instead. The researchers said that
while this update process, started in 2023, appears to still be underway,
"we hope that other router manufacturers will follow their example in the
near future, and that BSSID randomization will become the norm rather than
the exception."

While GL.iNet's product security team said they plan to randomize their
routers' MAC addresses, they aren't planning to do the same with their
products' BSSIDs, the researchers reported.

[toc] | [next] | [standalone]


#141534

FromOscar Mayer <nobody@oscarmayer.com>
Date2024-05-28 17:38 -0400
Message-ID<v35is7$p89q$1@dont-email.me>
In reply to#141499
On Tue, 28 May 2024 01:10:20 -0600, Charlie wrote:

> Surveillance Risk: Apple's WiFi-Based Positioning System
> <https://www.govinfosecurity.com/surveillance-risk-apples-wifi-based-positioning-system-a-25330>
> 
> The attack risk stems from Apple's WiFi-based Positioning System, or WPS,
> which offers an API to which any device or service, Apple-made or
> otherwise, can submit one or more Basic Service Set Identifiers, together
> with their signal strength. 

Why would Apple design a system so incredibly horrific against privacy?

Basically you can track anyone simply by asking Apple for their location.
No permission? No problem, says Apple. Here's their location & also the
location of the nearest 400 people to that person. How's that for privacy.

Researchers find Apple's Wi-Fi Positioning System represents a serious
privacy vulnerability.
 <https://www.macworld.com/article/2343297/apple-wi-fi-network-wps-vulnerability-location-services-leak.html>

"Apple's WPS server sends up to 400 other known Wi-Fi networks that may be
in the approximate vicinity of the device as part of its crowdsourcing
location database. 

From this list, the requesting device searches for eight possible variants
and calculates its location based on this data. Apple's WPS system, the iOS
device, and the router on which the network is based operate with the
so-called BSSIDs (Basic Service Set Identification) and usually correspond
to the MAC address of the device, which is static in most cases.

The request via Apple's APIs is free, so Rye and Levin sent 30 requests per
second with 100 guessed BSSIDs. 

The information on the current static location alone is life-threatening in
the wrong hands, as it indicates the location data of the Ukrainian
military units and of refugees as they move about in the Gaza Strip.

With Apple & Google, you can add "_nomap" to your Access Point SSID.

However, Microsoft requires you to give them all your MAC addresses first!
https://account.microsoft.com/privacy/location-services-opt-out

[toc] | [prev] | [next] | [standalone]


#141665

FromOscar Mayer <nobody@oscarmayer.com>
Date2024-05-31 14:53 -0400
Message-ID<v3d6bu$2bldf$1@dont-email.me>
In reply to#141534
On Tue, 28 May 2024 17:38:16 -0400, Oscar Mayer wrote:
On 30 May 2024 21:30:37 GMT, Jolly Roger wrote:

>>>> Since even the Apple shills directly blame Apple for this privacy hole
>>> 
>>> A database of publicly-broadcasted WiFi BSSIDs is not a "privacy hole".
>>
>> Only Apple
> 
> Nope, sorry.

Nobody but you denies what even Apple doesn't deny. 

Why do you do that?

 [https://9to5mac.com/2024/05/24/apple-location-services-vulnerability/]
 "There is one crucial difference between the way in which
  Apple and Google devices carry out this task
  and that's exactly where the privacy issue arises."

 [https://www.macworld.com/article/2343297/apple-wi-fi-network-wps-vulnerability-location-services-leak.html]
  "Researchers have discovered a crucial vulnerability in the way 
   only Apple's location services work"

 [https://www.govinfosecurity.com/surveillance-risk-apples-wifi-based-positioning-system-a-25330]
 "The attack risk stems from Apple's WiFi-based Positioning System, or WPS"

 [https://9to5mac.com/2024/05/24/apple-location-services-vulnerability/]
 "We need to understand Apple devices figure out locations differently"

 [https://securityboulevard.com/2024/05/apple-wi-fi-location-privacy-richixbw/]
 "An unrestricted Apple API endpoint allows for easy tracking."

 [https://cybernews.com/privacy/apple-beams-wifi-location-data-privacy-risk/]
 "Anyone can exploit Apple's flawed WiFi-based positioning system (WPS)*

 [https://arxiv.org/abs/2405.14975]
  "In this work, we show that Apple's flawed WPS can too easily be abused"

Why do you deny what nobody but you denies (not even Apple denies it)?

[toc] | [prev] | [next] | [standalone]


#141664

FromAndrew <andrew@spam.net>
Date2024-05-31 17:38 +0000
Message-ID<v3d1v2$2q7i$1@nnrp.usenet.blueworldhosting.com>
In reply to#141499
Alan Browne wrote on Thu, 30 May 2024 19:18:55 -0400 :

> The "general" case is that it is absolutely not an Apple issue. 
> SSID/BSSID's are OPENLY AND LOUDLY BROADCAST WORLDIWDE IN THE BILLIONS.

The fact is you're defending Apple's holes, to the death, no matter what.

Every desperate excuse you make for the flaws in Apple's implementation
show you not understand what only Apple does that's different here.

Worse, you were not aware the outward facing MAC address cannot be cloned
(in almost all routers and particularly in the tested travel routers).

And you were not aware that the SSID is meaningless for this exploit, other
than the workaround that Apple suggested (of appending _nomac to the SSID).

Furthermore, you're still not aware that a "hidden broadcast" has been a
feature of nearly every router since the dawn of Wi-Fi, where the mere act
of clicking that checkbox prevents the BSSID from being *uploaded* to the
Google and Apple and Mozilla and Wigle databases, by default. (See notes in
the sig, given the Apple religious zealots don't understand this issue).

While you're frantically desperate to fabricate excuses for Apple's
vulnerabilities, you don't ever show any understanding of them.

Notes in the sig given Apple religious zealots don't understand anything.
-- 
Note 1: The hidden broadcast won't hide the BSSID from a seasoned attacker
(such as a Google or Apple transit vehicle - depending on how its code is
written); but the mere act of hiding the SSID broadcast packet has been
proven to prevent the normal users' device (i.e., mobile phones) from
uploading your BSSID using the typical software that we are speaking about

Note 2: Since the Apple religious zealots act only out of franctic
desperation to make excuses for all Apple's vulnerabilities, it should be
noted that an intelligent person knows the difference between the upload of
the BSSID (which is a first-order issue) vs the deletion of the BSSID from
the Internet databases (which requires second-order software processing).

Note 3: There's no way the Apple religious zealots will understand the two
notes above, but for the intelligent people reading this thread, it should
be noted that if you do hide your broadcast packets, then you often might
want to set your client (such as a phone) to "remember" and "reconnect";
but this has other issues - where the Apple zealots won't understand but
you might understand that the "remember" is fine (unless you're worried
about your phone being stolen) but the "automatic reconnect" should be
turned off because that setting causes the phone to seek out the named AP.

[toc] | [prev] | [next] | [standalone]


#141675

Fromanonymous <anon@anon.com>
Date2024-06-01 10:58 +0200
Message-ID<032ce03406e2dfc484e94fef52899615@dizum.com>
In reply to#141664
Andrew <andrew@spam.net> wrote in
news:v3d1v2$2q7i$1@nnrp.usenet.blueworldhosting.com: 

> Alan Browne wrote on Thu, 30 May 2024 19:18:55 -0400 :
> 
>> The "general" case is that it is absolutely not an Apple issue. 
>> SSID/BSSID's are OPENLY AND LOUDLY BROADCAST WORLDIWDE IN THE
>> BILLIONS. 

You're 50% correct.  SSID/BSSID's are OPENLY AND LOUDLY BROADCAST = 50%

it is absolutely not an Apple issue. = 0%

> The fact is you're defending Apple's holes, to the death, no matter
> what. 
> 
> Every desperate excuse you make for the flaws in Apple's
> implementation show you not understand what only Apple does that's
> different here. 
> 
> Worse, you were not aware the outward facing MAC address cannot be
> cloned (in almost all routers and particularly in the tested travel
> routers). 
> 
> And you were not aware that the SSID is meaningless for this exploit,
> other than the workaround that Apple suggested (of appending _nomac to
> the SSID). 
> 
> Furthermore, you're still not aware that a "hidden broadcast" has been
> a feature of nearly every router since the dawn of Wi-Fi, where the
> mere act of clicking that checkbox prevents the BSSID from being
> *uploaded* to the Google and Apple and Mozilla and Wigle databases, by
> default. (See notes in the sig, given the Apple religious zealots
> don't understand this issue). 

+1

> While you're frantically desperate to fabricate excuses for Apple's
> vulnerabilities, you don't ever show any understanding of them.
> 
> Notes in the sig given Apple religious zealots don't understand
> anything. 

In years past when waiting for flights in an airport, Apple products were 
a favorite target for two reasons.  Most Apple users are clueless about 
security, and there is a flaw that exists to this day permitting rogue Wi-
Fi access.  It's not readily apparent, but it exists.     

[toc] | [prev] | [standalone]


Back to top | Article view | comp.mobile.android


csiph-web