Apple’s Wi-Fi Positioning System (WPS) allows tech-savvy individuals to map Wi-Fi access points (APs) worldwide and even track them if they are mobile. This does not even require an Apple device.
A researcher at the University of Maryland (USA) named Erik Rye managed to collect a large number of BSSIDs in this way to build a detailed picture of APs worldwide. His research shows that anyone with the right know-how can surface sensitive information in this way, for example, about locations with Internet access in conflict zones.
Apple collects data about the APs that iPhones use to supplement location data when a GPS signal is unavailable or insufficient. The combined data from Apple phones provides a good picture of APs in a given area.
No API key needed
This is because the devices periodically send GPS coordinates to Apple, along with the relative strength of the Wi-Fi signal they are connected to. The APs are identified by their Basic Service Set Identifier (BSSID). Google does this for Android devices as well but uses its own system to do so.
Unlike Google’s, Apple’s WPS API does not require a key. Third parties can freely query it without further authentication. Also, Google’s system hands out less data, and each query costs a (very) small amount of money. This makes brute-forcing unattractive: although each query is cheap, the cost would skyrocket across the many attempts required.
Brute-forcing BSSIDs
Because of Apple’s peculiar system, researcher Erik Rye managed to brute-force a large number of BSSIDs using a program written in Go on a Linux system. When he hit a real one, Apple’s WPS API also helpfully shared 400 neighbouring APs.
Erik Rye will discuss his research more at the Black Hat cybersecurity event, which will take place Aug. 3-8 in Las Vegas. The website DarkReading (part of the same company that is also organizing the event) has already provided some insight into the matter.
Rye’s method enabled ‘snowball sampling,’ which quickly allowed him to add BSSIDs to his newly acquired dataset. To be precise, he acquired half a billion in less than a week. This essentially gave him a world map of Wi-Fi access points courtesy of Apple. Among those locations were APs from Starlink in Ukraine and APs in Gaza. Such data has a military value that should not be underestimated.
The owner of an AP doesn’t need to have an Apple device for the AP to end up in Apple’s vast AP database. When a neighbouring Apple device scans for networks, that is enough to store the BSSIDs.
Note that it is not possible to connect to the networks via this method. The point is that this method can map a vast network of Wi-Fi access points, and third parties with the right tools can access that information.
Found this way
When Internet users use a mobile AP, such as in a caravan or RV, tracking them in this way is possible. As a case study, Rye was able to pinpoint the exact location of the Burning Man desert festival via APs present in a remote region of the US state of Nevada (where this type of signal would otherwise never show up).
That makes the method suitable for specific monitoring and surveillance or, just to name an example, conducting a drone attack in a place with high traffic via APs where you don’t want them.
While tech-savvy Internet users can set their BSSID to an arbitrary value via systems such as OpenWrt, this is beyond most home users. Another method Rye suggests is to simply opt out of mobile APs. It is also possible to opt out by adding “_nomap” to the network name. Of course, not everybody is aware of this specific type of information.
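The two mitigations above can be checked across a list of your own access points. The following is an added example, not code from Rye's research or from Apple; it assumes the “_nomap” marker is appended to the end of the network name, and the inventory values are constructed.

```python
import secrets

SSID_MAX_BYTES = 32        # IEEE 802.11 limit on the SSID field
OPT_OUT_SUFFIX = "_nomap"  # assumption: the marker is appended to the end of the name

def opt_out_ssid(ssid: str) -> str:
    """Return the SSID with the opt-out marker, refusing names that no longer fit."""
    if ssid.endswith(OPT_OUT_SUFFIX):
        return ssid
    candidate = ssid + OPT_OUT_SUFFIX
    if len(candidate.encode("utf-8")) > SSID_MAX_BYTES:
        raise ValueError(f"{candidate!r} exceeds {SSID_MAX_BYTES} bytes; shorten it first")
    return candidate

def is_locally_administered(bssid: str) -> bool:
    """True when the U/L bit is set, i.e. the BSSID is not the vendor-assigned one."""
    raw = bytes.fromhex(bssid.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit BSSID: {bssid!r}")
    return bool(raw[0] & 0x02)

def random_bssid() -> str:
    """Random unicast, locally administered address to use as a BSSID override."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] | 0x02) & 0xFE  # set the local bit, clear the multicast bit
    return ":".join(f"{b:02x}" for b in raw)

def audit(aps):
    """Return (ssid, findings) for every (ssid, bssid) pair in the inventory."""
    report = []
    for ssid, bssid in aps:
        findings = []
        if not ssid.endswith(OPT_OUT_SUFFIX):
            findings.append("no _nomap opt-out")
        if not is_locally_administered(bssid):
            findings.append("vendor-assigned BSSID")
        report.append((ssid, findings))
    return report

# Constructed inventory, not real devices.
INVENTORY = [("camper-van", "00:11:22:33:44:55"), ("camper-van_nomap", "02:11:22:33:44:55")]

if __name__ == "__main__":
    for ssid, findings in audit(INVENTORY):
        print(ssid, "->", ", ".join(findings) or "ok")
```

The length check matters in practice: a name that is already close to 32 bytes cannot take the suffix without being shortened first.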