Surveilling the Masses with Wi-Fi-Based Positioning Systems (2405.14975v1)

Published 23 May 2024 in cs.CR and cs.NI

Abstract: Wi-Fi-based Positioning Systems (WPSes) are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple's WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world. The privacy implications of such massive datasets become more stark when taken longitudinally, allowing the attacker to track devices' movements. While most Wi-Fi access points do not move for long periods of time, many devices -- like compact travel routers -- are specifically designed to be mobile. We present several case studies that demonstrate the types of attacks on privacy that Apple's WPS enables: We track devices moving in and out of war zones (specifically Ukraine and Gaza), the effects of natural disasters (specifically the fires in Maui), and the possibility of targeted individual tracking by proxy -- all by remotely geolocating wireless access points. We provide recommendations to WPS operators and Wi-Fi access point manufacturers to enhance the privacy of hundreds of millions of users worldwide. Finally, we detail our efforts at responsibly disclosing this privacy vulnerability, and outline some mitigations that Apple and Wi-Fi access point manufacturers have implemented both independently and as a result of our work.

Summary

  • The paper demonstrates that exploiting Apple's Wi-Fi positioning system allows attackers to collect nearly 490 million BSSID geolocations from about 3 million queries.
  • It reveals the potential for mass surveillance through real-world case studies tracking movements in conflict zones, disaster areas, and refugee regions.
  • The study outlines remediation strategies, including rate limiting, BSSID randomization, and policy reforms to mitigate privacy vulnerabilities.

Surveilling the Masses with Wi-Fi-Based Positioning Systems

The paper "Surveilling the Masses with Wi-Fi-Based Positioning Systems", by Erik Rye and Dave Levin of the University of Maryland, analyzes Wi-Fi-based Positioning Systems (WPSes) and their potential for abuse in mass surveillance and as a privacy threat on a global scale. It shows that an unprivileged attacker can amass precise geolocation information for Wi-Fi access points (BSSIDs) worldwide by exploiting existing WPSes, focusing primarily on Apple's WPS.

The authors describe a method by which an adversary can generate a worldwide snapshot of Wi-Fi BSSID geolocations within a matter of days. The paper details how, by seeding random BSSID guesses with a list of allocated OUIs, an attacker can significantly narrow the search space and query WPS databases efficiently. Over the course of a year, the authors used this method to compile data on over 2 billion BSSIDs.

Key Findings and Contributions

  1. Global Geolocation Collection:
    • By using Apple's WPS and exploiting its design, which returns locations for nearby BSSIDs that were not queried, the authors learned the geolocations of nearly 490 million BSSIDs from an initial set of around 3 million valid queries.
    • The paper reveals that this method could be generalized, given that around 99.6% of their OUI search space could lead to significant geolocation discoveries.
  2. Real-World Cases and Mass Surveillance Potential:
    • Using the learned data, the authors conducted several case studies:
      • Tracking in Conflict Zones: They analyzed device movements in war zones such as Ukraine and Gaza, showing the movements of both military and civilian devices.
      • Effects of Natural Disasters: They tracked BSSID changes in regions affected by disasters like the Maui wildfires, showing the absence of BSSIDs as potential damage indicators.
      • Monitoring Refugee Movements: The paper observed the movement patterns from conflict regions, validating reports on refugee relocations.
  3. Longitudinal Study and BSSID Movement:
    • In a month-long experiment querying 10 million BSSIDs daily, they found that roughly 0.06% of the tracked BSSIDs moved more than 1 kilometer.
    • Specific devices, like GL.iNet travel routers, exhibited significant mobility, traveling much farther than typical residential or fixed commercial routers.
  4. Disclosures and Impact on Stakeholders:
    • The authors responsibly disclosed the findings to Apple, Google, SpaceX, and GL.iNet, emphasizing the need for proactive measures by these and other stakeholders to mitigate these privacy threats.
    • Post-disclosure, Apple implemented the ability to opt out of WPS by appending "_nomap" to SSIDs, aligning with similar moves by Google and the WiGLE database.

Implications and Recommendations

The paper highlights critical privacy issues associated with the deployment and usage of WPSes. The implications are multifaceted:

  • Practical Implications:
    • Mass surveillance capabilities showcased in the research indicate that individuals and sensitive populations (like military units) are at risk of being tracked without consent.
    • The demonstrated ability to glean insights from devices in regions with humanitarian concerns underscores the need for stringent controls and privacy measures.
  • Theoretical Implications:
    • The findings provide a deeper understanding of how large-scale databases and crowd-sourced data collection can be both a benefit and a vulnerability.
    • The research suggests new directions for secure system designs that ensure the protection of user and device privacy in geolocation services.

Forward-looking Speculations and Recommendations for Remediation

  1. Technical Controls:
    • Rate Limiting and Authentication: Implementing rate limits and requiring API keys for geolocation queries can help thwart unprivileged mass information gathering.
    • Prohibiting Unrequested BSSID Returns: Modifying WPSes to stop returning geolocations of unqueried BSSIDs would mitigate the wide-scale data collection vulnerability observed in Apple’s WPS.
  2. Adoption of Privacy Measures:
    • BSSID Randomization: Encouraging manufacturers to adopt BSSID randomization for Wi-Fi APs, similar to client-side MAC address randomization, can substantially enhance privacy.
    • User Remediation: Users can take steps such as avoiding the use of the same AP across different locations or opting for ISP-provided devices that might not have prolonged visibility in WPSes.
  3. Legal and Policy Initiatives:
    • Formalizing regulations similar to China’s geolocation data control laws can help protect citizen geolocation privacy.
    • Governments and organizations could advocate for policies that mandate privacy-preserving design principles in the operations of WPSes.
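
The technical controls above (API keys, rate limiting, no unrequested BSSIDs) together with the "_nomap" opt-out, sketched as a server-side response filter. This is an added example, not code from the paper or from any WPS operator; the database schema, function names and sample entries are constructed for illustration.

```python
import time

NOMAP_SUFFIX = "_nomap"  # SSID opt-out marker named on the page
# Constructed sample data; BSSIDs use the RFC 7042 documentation range.
SAMPLE_DB = {
    "00:00:5e:00:53:01": {"ssid": "cafe", "loc": (10.0, 20.0)},
    "00:00:5e:00:53:02": {"ssid": "home_nomap", "loc": (10.0, 20.1)},
    "00:00:5e:00:53:03": {"ssid": "neighbour", "loc": (10.0, 20.2)},
}


class TokenBucket:
    """Per-API-key limiter: `rate` queries/second, bursts up to `capacity`."""

    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.state = {}  # api_key -> (tokens, last_seen)

    def allow(self, api_key):
        now = self.clock()
        tokens, last = self.state.get(api_key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        allowed = tokens >= 1
        self.state[api_key] = (tokens - 1 if allowed else tokens, now)
        return allowed


def normalize(bssid):
    """Canonical lower-case colon form so 'AA-BB-..' and 'aa:bb:..' compare equal."""
    digits = bssid.replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a BSSID: {bssid!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def answer_query(api_key, requested, db, valid_keys, limiter):
    """Return {bssid: (lat, lon)} for the requested BSSIDs only."""
    if api_key not in valid_keys:
        raise PermissionError("unknown API key")
    if not limiter.allow(api_key):
        raise RuntimeError("rate limit exceeded")
    result = {}
    for bssid in {normalize(b) for b in requested}:
        entry = db.get(bssid)
        if entry is None or entry["ssid"].endswith(NOMAP_SUFFIX):
            continue  # unknown and opted-out APs look identical to the caller
        result[bssid] = entry["loc"]  # neighbours that were not asked for stay out
    return result
```

Because the response is built only from the caller's own list, one valid guess yields at most one location, which removes the amplification the summary describes.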

In conclusion, the paper by Rye and Levin underscores profound privacy vulnerabilities inherent in current Wi-Fi-based Positioning Systems. Through rigorous experimentation and comprehensive case studies, it demonstrates the extent to which these systems can be exploited for mass surveillance. The proposed recommendations, if implemented, can significantly mitigate these privacy threats and foster a more secure usage of geolocation technologies.

This research contributes a critical perspective to ongoing discussions on digital privacy, proposing pragmatic solutions that align technological progress with fundamental privacy rights.
