Why Your Wi-Fi Router Doubles as an Apple AirTag (krebsonsecurity.com)
114 points by todsacerdoti 8 months ago | 105 comments



While it's not particularly surprising that the location of a piece of radio hardware that broadcasts a static identifier is trackable, it is pretty interesting how the location awareness and ubiquity of modern smartphones are effectively creating a massive distributed sensing network. The focus of this piece is mostly on how Apple (by designing their API in a way that avoids Apple computing your exact location on their servers, presumably in an attempt to _preserve_ user privacy) inadvertently gave public access to that sensing network. I'd love to read a piece that also games out what exactly a red team or attacker could do with _privileged_ access. I.e. "if somebody was able to compromise the location services servers, but not iOS, what exactly would they be able to do with that"...


> "if somebody was able to compromise the location services servers, but not iOS, what exactly would they be able to do with that"...

Aren't the locations on Apple's servers end-to-end encrypted? I'm not sure what you'd be able to do with that.


Not to sound cliché, but the modern cell phone beats anything they could have imagined in Orwell's 1984.


This was already a story in 2015 when Google collected the SSID and location data as well as 'accidentally' storing the actual network data from open networks [0] https://www.theguardian.com/technology/2010/may/15/google-ad...

Also surprised how many people don't know that their phones regularly try to connect to all wifi networks saved on the device, and that this unique combination which includes things like "my town mcdonald's" or whatever is enough to uniquely identify someone and usually locate them too.


> as 'accidentally' storing the actual network data from open networks [0]

What's with the scare quotes? It seems entirely plausible to me. E.g. their process for capturing beacons was to put a wifi card in monitor mode, capture any packets they see, and then filter only for beacons. Somewhere along the way they forgot to add the filter, and as a result they were inadvertently recording all packets. Trying to imply that they were doing something nefarious makes little sense. The cars were constantly moving, so at best you got a few seconds of web browsing data before going out of range. As Google should know, the value in data comes from being able to build a complete profile of someone, not knowing what one page someone visited was. Moreover, thanks to third party cookies and their embeds everywhere on the web, they don't need to drive around to capture your web browsing traffic. They can get a continuous feed just by operating their CDN/ad networks.


This had essentially nothing to do with web browsing packets, and everything to do with Google building a map of citizen BSSIDs and MAC addresses without their consent.


Many of the same objections apply. What is Google going to do with a point-in-time snapshot of "BSSIDs and MAC addresses"? The SSIDs don't tell them anything aside from "there's a wifi router at this vague location". MAC addresses are slightly more interesting, but there's nothing you can do with a point-in-time capture of them. Even if you want to do evil things like stalking people, you'd need to do regular scans, not the once-every-few-years drive-by they do with the Street View cars.

Also, to be clear, I'm not claiming that it's fine for them to do it, or that they should continue doing it, only that the scare quotes around "accidentally" were unwarranted given the lack of evidence towards malice and lack of motive. To make an analogy, accidentally-exposed-to-the-public breaches happen all the time. You can complain about how there was a lack of controls/security, but people don't typically use scare quotes to imply the breaches were somehow intentional.


Depending on the receiver's hardware, the information is far more dense and valuable than "vague location".


Yeah, sure, theoretically, but by all accounts they were using off-the-shelf wifi adapters, not SDRs to make a quasi synthetic aperture radar to pinpoint the exact location of each transmitter. Moreover, even if you had the exact position (e.g. <1m) of each transmitter, it's unclear what they'd do with them.



Don't forget in-vehicle Wi-Fi access points, which are active in most modern cars/trucks. Plus you can't "opt out" as these are usually fixed names (you can't append "_nomap")


Since MAC address ranges are allocated to different vendors, Google and Apple could choose to not report the locations of certain vendors’ devices, such as Starlink or known transportation APs.


Bluetooth MAC address is also a means of tracking individual customer phones. If a car supports Bluetooth, that's another way to track it also.


On a related note: Android devices try to continuously connect to all WiFi networks they have been connected to before, no matter if you are "near" them or not. Doesn't even matter if the access point is broadcasting the SSID or not.

Found this out by just having the personal hotspot of an iOS device enabled and then turning on an Android tablet. iOS doesn't broadcast the SSID unless you have the settings screen of the personal hotspot open. Scary.


> Doesn't even matter if the access point is broadcasting the SSID or not.

Source? AFAIK this behavior only gets engaged if the hotspot has a hidden SSID.

> Found this out by just having the personal hotspot of an iOS device enabled and then turning on an Android tablet. iOS doesn't broadcast the SSID unless you have the settings screen of the personal hotspot open. Scary.

This is opposite to my experience. I specifically have to enable "allow other devices to join" for non-iOS devices to be able to join.


When I make a hotspot hidden, devices that previously connected to it can still do so in most implementations I've seen. That's how you work around them not supporting hidden networks.

So I'll call "Source?" on it working like you describe.


> When I make a hotspot hidden

That's a misnomer. It doesn't actually make it hidden, it only transmits beacons with a blank SSID. That's why even if your network is hidden, it will show a "hidden network" option for you to manually enter the SSID [1]. Moreover, client devices that have hidden networks saved will send out probe packets with the network names they have saved [2], so they can determine whether the hidden network is actually around. This is actually worse for privacy, especially if your network name is vaguely unique, because you're broadcasting this high-entropy information everywhere you go.

[1] https://www.digitalcitizen.life/wp-content/uploads/2020/10/h...

[2] https://www.acrylicwifi.com/en/blog/hidden-wifi-network-secu...


Free Airport WiFi!


Wait how is this bad? If I have wifi on I'm pretty sure I want to reconnect to saved networks. You want them to only do it when near the network? By tracking the location? Isn't this much much worse for privacy? You can always turn wifi off....


I only want my devices to connect to networks which are actually there. Not try every one they have connected to before no matter if they are existing or not.


That's not what's happening.


This is a data goldmine for data brokers who have most certainly replicated the data set, but without any of the privacy measures that the researchers implemented.

On another note, I had missed that Apple recognizes the '_nomap' suffix and stops indexing/reporting its Wi-Fi AP locations.


Would that data be considered Apple IP even though the AP addresses and locations are somewhat public information (because APs are broadcasting their addresses)?

Apple’s API might return fake “trap addresses” that it could use to trace if their API data shows up in other companies’ location databases. Like the “trap streets” used to catch map plagiarists: https://en.m.wikipedia.org/wiki/Trap_street


Is there a way to prevent this data from being used? Can I somehow not broadcast certain data over wifi or otherwise keep google and apple from using my wifi metadata without my consent?


Yes. From this article:

> But in late March 2024, Apple quietly tweaked its privacy policy, allowing people to opt out of having the location of their wireless access points collected and shared by Apple — by appending "_nomap" to the end of the Wi-Fi access point's name (SSID).

https://support.apple.com/en-us/102515 (Search for "_nomap")

Google also supports this scheme: https://support.google.com/maps/answer/1725632

Wigle.net, too: https://wigle.net/phpbb/viewtopic.php?t=2330

Would I trust any of this? No.


It's ridiculous that it's we who have to opt out through attention-drawing configuration which has no guarantee of being respected in the future.


Or indeed the present.


I find that incredibly irksome. I'm glad they provide an opt-out mechanism, but strongly dislike that it requires me to give my Wi-Fi network an ugly name. And what if 2 vendors have different opt-out strings such that I can't choose to stay out of, say, Apple and Google's DBs at the same time?


This is already happening: Microsoft's opt-out is _optout (can appear anywhere in SSID), Google/Apple's _nomap has to be at the end so prepare for YourAPName_optout_nomap! https://superuser.com/questions/1005235/wi-fi-opt-out-micros...
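The two opt-out conventions described in the comments above (Apple/Google/wigle.net honour "_nomap" only at the end of the SSID; per the comment above, Microsoft's "_optout" may appear anywhere) are easy to get wrong by hand, and stacking suffixes runs into the 32-octet SSID limit, so a truncated name opts out of nothing. This is an added example, not code from the thread or from any of the vendors; `check_ssid` and `opt_out_name` are names chosen here.

```python
"""
Check which Wi-Fi positioning services an SSID opts out of, using the
suffix rules quoted in this thread:
  - Apple / Google / wigle.net: "_nomap" must terminate the SSID
  - Microsoft: "_optout" may appear anywhere in the SSID
Also flags the practical trap that an SSID is at most 32 octets, so a
combined "<name>_optout_nomap" can exceed the limit and be rejected or
truncated by the router (a truncated "_noma" opts out of nothing).
"""
from dataclasses import dataclass

SSID_MAX_OCTETS = 32          # 802.11 SSID element length limit
NOMAP_SUFFIX = "_nomap"       # Apple, Google, wigle.net: end of SSID only
OPTOUT_TOKEN = "_optout"      # Microsoft: anywhere in the SSID (per thread)


@dataclass(frozen=True)
class OptOutStatus:
    ssid: str
    apple_google: bool        # "_nomap" terminates the SSID
    microsoft: bool           # "_optout" appears somewhere
    octets: int               # UTF-8 length actually sent on the air
    fits: bool                # octets <= SSID_MAX_OCTETS


def check_ssid(ssid: str) -> OptOutStatus:
    """Evaluate one SSID against both opt-out conventions."""
    encoded = ssid.encode("utf-8")
    return OptOutStatus(
        ssid=ssid,
        apple_google=ssid.endswith(NOMAP_SUFFIX),
        microsoft=OPTOUT_TOKEN in ssid,
        octets=len(encoded),
        fits=len(encoded) <= SSID_MAX_OCTETS,
    )


def opt_out_name(base: str) -> str:
    """
    Build the combined name the thread arrives at ("<name>_optout_nomap"),
    keeping "_nomap" last so both rules hold. Raises ValueError when the
    result would not fit in 32 octets instead of returning a name a router
    would silently truncate.
    """
    if base.endswith(NOMAP_SUFFIX):
        base = base[: -len(NOMAP_SUFFIX)]
    if OPTOUT_TOKEN not in base:
        base += OPTOUT_TOKEN
    name = base + NOMAP_SUFFIX
    octets = len(name.encode("utf-8"))
    if octets > SSID_MAX_OCTETS:
        raise ValueError(f"{name!r} is {octets} octets; limit is {SSID_MAX_OCTETS}")
    return name


if __name__ == "__main__":
    # Constructed sample SSIDs; note the ordering trap in the last one.
    for s in ["HomeNet", "HomeNet_nomap", "HomeNet_optout",
              "HomeNet_optout_nomap", "HomeNet_nomap_optout"]:
        print(check_ssid(s))
    print(opt_out_name("HomeNet"))
```

"HomeNet_nomap_optout" satisfies only the Microsoft rule, since "_nomap" is no longer at the end; `opt_out_name` always emits the order that satisfies both.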


The original link no longer includes the information about _optout. At least when I load the page.

https://privacy.microsoft.com/en-us/windows-10-open-wi-fi-ho...


Oh FFS. Sure, why not.


In the near future it will be required that your wi-fi SSID be <your exact address and house/apt number>_optout_notrack_nothanks_offgrid_nomap

Your address is needed so they can know exactly which place _not_ to map, of course.


That'll never be required.

But if you do it, you'll save $2 off the ad-supported Netflix tier.


I feel you and agree, but there's a good argument to be made that BSSIDs are "public information".

It's a slippery slope to walk trying to regulate that one. One example: "No public citizen, you are not allowed to monitor our frequencies without paying our corporation a subscription fee."


I understand. I have a ham radio license and I can listen in to all sorts of things sent out into the public airwaves. That's what broadcasting is.

At the same time, I write a blog for other humans to read. I'm annoyed that some companies are likely scraping it to train their LLMs. Beyond my annoyance, I don't know how far I'd want to go toward making it possible for humans to consume it but not AIs. The legal cures for that seem like they'd be worse than the disease.


Welcome to the future where our wifi network names are as ugly as browsers' User-Agent strings


I saw that, but as you point out, whether it works or not is all a trust thing.


I am thinking of starting a competing product that uses wifi APs for geolocation instead of GPS satellites. I want to be a more customer-friendly business than Google or Apple though, it'll only be opt-in. All you have to do to indicate that you have opted in is to append "_nomap" to your AP name. /s

If I understand correctly, the research was only possible because they were able to leverage the Google and Apple APIs against each other. The lesson I get from this is these companies shouldn't behave like they exist in a vacuum and when exposing data or forcing global configuration (like the AP name) they need to be more careful.


Dear friend,

I find your ideas intriguing and would like to subscribe to your _nomap geolocation service.

(Also, I note that the nomap.bot domain is available...)


> without my consent?

Consent isn't needed, given that broadcasting your SSID in the open clearly fails the "expectation of privacy" test.

Also from a practical angle, what exactly are you trying to prevent? That there's a wifi router at your house?


But most people don’t intentionally “broadcast their SSID in the open”. They just want to surf wirelessly in their homes with as little hassle as possible.

Until there's technology that lets you do that easily I think this definitely violates privacy. Especially if unique information like MAC addresses is collected, and not only the Wi-Fi name.

I wonder how MAC addresses are treated under GDPR since e.g. IP addresses are considered personal information.


When a consumer can see their neighbors' networks' SSIDs being broadcast on their own pocket computer, but somehow doesn't think that anyone else can see their own network's SSID, then:

That's magical thinking.

Magical thinking is not a privacy problem. Magical thinking is a cognition problem.


There's a surefire way to prevent this kind of thing forever: Stop broadcasting your data on the air for anyone to hear, and others will stop being able to listen to it.


THIS IS A PRIVATE COMMENT; ANYONE READING THIS COMMENT IS IN VIOLATION OF NEWJAZZ POLIS-Y AND WILL BE SUBJECT TO PUNISHMENT.


I kinda love you.


Frustrating, but true. It's our own hardware shouting its details into the wild for anyone to pick up.


Not really because they can track AP MAC addresses even when not broadcasting SSIDs. The only sure way is to use only wired networking.


So we’re at “ssid_optout_nomap” for hopefully abstaining from further mapping and password sharing.

A few Microsoft threads some may be interested in concerning _optout and additionally preventing clients from sharing WiFi passwords:

https://answers.microsoft.com/en-us/insider/forum/all/clarif...

https://answers.microsoft.com/en-us/windows/forum/all/turn-w...

https://answers.microsoft.com/en-us/windows/forum/all/preven...


This is also why I replace all of my APs when I move (new BSSIDs) and don’t put identifying information like phone numbers, names, or domains in SSIDs.


I took the opposite approach: make the SSID equal the street address. If it's going to be mapped anyways, might as well name it with a location-based name.


Disagree: That feels like a failure of defense-in-depth, handing unnecessary bonus information to an attacker while providing no actual convenience to legitimate users who already know their own street address.

For example, suppose a device on your network is compromised: The attacker instantly gets a freebie for a mailing address they could use for identity theft/impersonation, blackmail/extortion threats, or scams pretending to be an authority figure.

If you also have something like a home security system, they'll immediately know where to go if someone wants to burgle a room full of goodies (possibly visible via camera) as soon as the owner leaves.

The reverse direction is also an issue: Suppose someone already knows your street address, and is trying to figure out which wireless network to target in order to harass/hack/burgle you.

Even if these all seem unlikely, the information leak is all downside, no benefit.


THIS! Lol, knowing you're in an area is one thing, knowing if it's coming from you or the neighbor's window 5ft away easily is a big difference.


Honestly, anything other than the auto-generated SSID is going to add more entropy and make you stick out. Moreover, AFAIK they track the BSSID (i.e. MAC address), so unless you also spoof that, changing the network name is not going to matter.


Pretty Fly for a Wi Fi


That's actually bad. iOS shows a "privacy warning" if you're connected to a wifi hotspot with a "common name". Presumably that's because if you have a network with a common name saved (e.g. "dlink"), your phone would try to connect to it everywhere you go, exposing your MAC address.


> your phone would try to connect to it everywhere you go

Emphasis on "try", provided the original network wasn't some kind of totally unsecured open one. (And nobody would do that nowadays, right?... Right?)

IANANetworkEngineer, but from what I can find about "Evil Twin" WiFi attacks, your device ought to remember and reuse the security info from the legitimate AP. Even if the hacker mimics the SSID and MAC, they probably won't have the other secrets needed to finish tricking your device into finalizing the connection.

> exposing your mac address

This can be avoided if your device is set to randomize its MAC on each connection to an SSID or that one in particular. However there are some networks where that is undesirable, like a home network that does some assigned IPs and port-forwarding across NAT, etc.


> This can be avoided if your device is set to randomize its MAC on each connection to an SSID or that one in particular.

AFAIK only GrapheneOS offers per-connection MAC randomization. Windows comes close with "change daily". Regular Android has a developer setting that enables it for all networks, which causes issues like you mentioned.


I know regular Android since version 10 has a standard randomization feature, but as you say it's not as strict as per individual connection attempt, just per recognized SSID.


It was what I thought of when you said "stick out" - because I never see it, and it catches my attention each time.

(Your regions may vary!)


Why is that important to you?

(And do you change the MAC addresses of your bluetooth devices, too? Some of us do gather up bluetooth location information, as well.)


Because I don’t want my residential location moves being tracked, as the person who goes from zip code A to zip code B to zip code C is possibly a unique track.

I don’t use much bluetooth at home. Zigbee is becoming an issue, but I haven’t moved since I’ve set it up.


In the US, I would assume your employer (via payroll or "work number"), or your banks/credit cards/credit reporting agencies, or even retailers like Amazon or Walmart are selling that information.

Or the USPS when you let them know where to forward your mail to after you move:

https://www.forbes.com/sites/adamtanner/2013/07/08/how-the-p...

Edit: and of course, as kstrauser points out, voter registration records.


None of those organizations ever receive my primary residential address, only my tertiary one. Fortunately in the US you are allowed to have more than one home. Absolutely nothing with my name on it goes to where I usually sleep.

To divulge sensitive information like that is actively unsafe for certain types of people, because, as you note, almost every single vendor with whom you do business will blast it out all over the ecosystem until it shows up on SEO spam websites forever.


You realize your residential record of location is... public, you can get it pretty easily from most records offices.


This isn’t true. Only one residential record of location is. I have three. I sleep at the one on my driver’s license only a few nights per year. Some vanlife types use a post box, which is also legal.

It would be actively dangerous for people like me if we were forced to regularly sleep in a location available to the general public.


Landlords that take cash still exist.

So I'm told.


There are much easier ways to track authoritative details about a person's moves, e.g. voter registration.


Or through any of the data being sold by companies who send someone mail.


Hackers often do not vote.


Unless they legally can't, say because of a felony conviction, that seems highly unusual.


A third of the US population doesn’t vote. It’s not even normal unusual, it’s common.


It really depends on how much data one wants to create. What one is optimizing for.

I've come across some folks pretty committed to staying "effectively off-grid" - even today.


Separately (assuming US): would you actually find it surprising there would exist a subset of hackers unimpressed with the R and D parade to the point that they abstain?


Surprised, no, because I've known plenty of ahem security researchers who were contrarian just for the sake of it.


I don’t register to vote or receive any mail at my primary residence. My government paperwork all goes to my tertiary residence.

Do you really think someone who is changing their BSSIDs when they move is putting the address at which they regularly sleep unguarded into public records?


It only takes one Bluetooth device sitting there and shouting its name to track a move, if that's what a person wants to focus on doing.

Most of the Bluetooth devices that I am able to identify are things like televisions. When a Samsung TV moves, it's pretty likely that the people who own that TV have moved along with it.


Can't you set the BSSID? I am fairly sure hostapd exposes that knob in its config.


hostapd definitely exposes this as it was used extensively to spoof 3DS StreetPass relays for a variety of fun reasons, back before Nintendo shut down the service in March 2018 :(

https://github.com/danielhoherd/homepass/blob/master/Raspber...


Just set it to mine: AA:AA:AA:AA:AA:AA:AA:AA (or something like that)


You should set it to the most common BSSID of your preferred anonymity set. You can look up tables of most common MAC addresses and SSIDs and pick from there.

Still, the distribution of these identifiers will vary by region, manufacturer and other factors. The best way to stay anonymous is to avoid using the wireless spectrum. You’ll never be in full control of your anonymity as long as anyone around you is broadcasting a unique identifier and your device is logging its observations of these identifiers, correlating them with GPS, and sending them to the cloud…


“Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.”

This sums up the companies’ philosophies neatly.


How is sharing the locations of 400 nearby BSSIDs better?

It's the fact that Apple spews this huge amount of info that allowed this research to happen, after all.

That’s according to two researchers at the University of Maryland, who theorized they could use the verbosity of Apple’s API to map the movement of individual devices into and out of virtually any defined area of the world.


> How is sharing the locations of 400 nearby BSSIDs better?

Apple isn't constantly computing your precise location. It's happening on device.

The fundamental problem is our devices are inadvertently broadcasting their own locations. Not that Apple is providing, in essence, a report on the public radio spectrum. (Do hidden SSIDs broadcast a BSSID?)


> Not that Apple is providing, in essence, a report on the public radio spectrum.

Of the entire world. Provided in a nice enough package that with a little patience researchers could collect the locations of 480 million devices.

> Do hidden SSIDs broadcast a BSSID?

They do something worse: they force devices that want to connect to them to broadcast the BSSID all the time, which allows passive listeners to track them (e.g.) across a shopping mall.


Skyhook was the original but Qualcomm calls it TPS now.

Public DBs: https://en.wikipedia.org/wiki/Wi-Fi_positioning_system#Publi...


Microsoft requires _optout, Google and Apple require _nomap.

This is ridiculous.

Some industry body like the IEEE Standards Committee should agree on a standard.


I propose `_optin`. It'd never fly, but a guy can wish.


opt in to what? I propose _trackme


I can live with that.


_optout seems like a shitty method... Opt out of what???

Knowing MS, they'll probably start recognizing _nomap sometime in late 2027.


Wait, that wasn't me opting out of every cookie banner I visit over that network?


Except those companies hate standards and will use them exclusively when it commonize their complements. (well.. Even when it does they don't necessarily do.)


I read the article but didn't get how the authors got the data. I understand that iOS/Android leak nearby Wi-Fi to Apple/Google and that it has been like that for years. But how can I get access to such bulk data to reproduce the map from the article?


I went on my Mac and used mitmproxy while requesting location. The API is here: https://gs-loc.apple.com/clls/wloc. It uses protobuf and you basically send a list of BSSIDs and it returns a list of BSSIDs with Long/Lat attached. My question would be: are iPhones reporting locations with nearby access points or does Apple have other means of collecting the AP locations?


The authors wrote a client to ask Apple’s WiFi Positioning API for the locations of random AP addresses. Enough of the random addresses were known to Apple’s location database that it returned real location data. Apple’s API also returns the addresses and locations of 400+ other nearby APs. That enables iOS devices to do faster and offline content geolocation in the same region.

> Apple’s API will return the geolocations of up to 400 hundred more BSSIDs that are nearby the one requested. It then uses approximately eight of those BSSIDs to work out the user’s location based on known landmarks.

> In essence, Google’s WPS computes the user’s location and shares it with the device. Apple’s WPS gives its devices a large enough amount of data about the location of known access points in the area that the devices can do that estimation on their own.


This highlights the need for access points that can periodically broadcast a random BSSID, similar to how handset hotspots do it. I am looking for a new Wi-Fi 7 access point and would love to find one that does this.


In the absence of a commercially available product, OpenWRT will do this on boot via https://github.com/janost/openwrt-wan-mac and you can schedule reboots.
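Whether a BSSID is a stable vendor-assigned identifier (what the positioning databases discussed above key on) or a randomized one is decided by two flag bits in its first octet, so a quick check is useful after enabling hotspot or OpenWRT MAC randomization. This is an added example, not code from the thread or from the OpenWRT project; the function names are chosen here and the sample addresses are constructed.

```python
"""
Classify a BSSID by the two IEEE 802 flag bits in its first octet and
generate a randomized, locally administered BSSID of the kind a handset
hotspot or a boot-time OpenWRT script would use.

First octet of a 48-bit MAC address:
  bit 0 (0x01) I/G : 0 = individual (unicast), 1 = group (multicast)
  bit 1 (0x02) U/L : 0 = universally administered (vendor OUI, stable),
                     1 = locally administered (randomized / admin-set)
A BSSID with the U/L bit clear carries a vendor OUI and stays the same
for the life of the device, which is what makes it a good database key.
"""
import re
import secrets
from dataclasses import dataclass
from typing import Optional


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabbccddeeff."""
    hexdigits = re.sub(r"[:\-]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(hexdigits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


@dataclass(frozen=True)
class BssidInfo:
    bssid: str
    multicast: bool
    locally_administered: bool
    oui: Optional[str]        # vendor prefix; None for local addresses

    @property
    def stable_vendor_identifier(self) -> bool:
        """True when the address can be keyed on as a fixed device ID."""
        return not self.locally_administered and not self.multicast


def classify_bssid(text: str) -> BssidInfo:
    raw = parse_mac(text)
    first = raw[0]
    local = bool(first & 0x02)
    return BssidInfo(
        bssid=format_mac(raw),
        multicast=bool(first & 0x01),
        locally_administered=local,
        oui=None if local else format_mac(raw[:3]),
    )


def random_bssid() -> str:
    """Random unicast, locally administered MAC: clear I/G, set U/L."""
    raw = bytearray(secrets.token_bytes(6))
    raw[0] = (raw[0] & 0xFE) | 0x02
    return format_mac(bytes(raw))


if __name__ == "__main__":
    # Constructed samples: a vendor-style address and the "all AA" joke above.
    for sample in ["00:1a:2b:3c:4d:5e", "aa:aa:aa:aa:aa:aa", random_bssid()]:
        info = classify_bssid(sample)
        print(info, "stable id:", info.stable_vendor_identifier)
```

The eight-octet "AA:AA:AA:AA:AA:AA:AA:AA" suggested earlier is rejected by `parse_mac`; its six-octet form happens to have the U/L bit set, so it would at least not carry a real vendor OUI.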


When I visited the 37c3 my iPhone was always showing my location being in Leipzig instead of Hamburg (probably because the SSIDs weren't changed when the APs were moved from Leipzig to Hamburg).

:)


Does anyone know if iOS randomizes the BSSID of hotspots? I'll need to test this out & see if this could track a known device.


"Apple did not respond to requests for comment. But in late March 2024, Apple quietly tweaked its privacy policy, allowing people to opt out of having the location of their wireless access points collected and shared by Apple - by appending "_nomap" to the end of the Wi-Fi access point's name (SSID)."

Have never seen new computers out of the box that phone home more than Apple computers.

"Privacy is a fundamental human right" - Tim Cook, Apple CEO

"We don't collect a lot of your data and understand every detail about your life. That's just not the business that we are in," says Apple CEO Tim Cook, shown here at the NPR offices in Washington, D.C., on Thursday."

https://www.npr.org/sections/alltechconsidered/2015/10/01/44...

Imagine if in order to enjoy a fundamental human right one had to "opt-in".

To enjoy the right to life, append "_keepalive" to your name.

To enjoy the right to be free, not a slave, add "_master"

To enjoy the right to avoid torture, add "_notorture"

Apple marketing works. Reality distortion field.

Whatever business Apple is in, it collects a motherlode of data.


Why is this API public at all? Could Apple not just restrict access?


Why does Starlink still have Russian customers?


Those are the Ukrainian spies?


Silicon Valley does not understand the concept of consent. Everything should be opt in, not opt out.


So they found 488 million vulnerable locations and the solution is that users should rename them individually?

These are Apple and Google's vulnerabilities.



