Apple Geolocation API Exposes Wi-Fi Access Points Worldwide

Beyond the devices that use them, Wi-Fi hubs themselves can leak interesting data, thanks to some quirks in Apple's geolocation system.

Apple's Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.

How Apple Exposes Global APs

Have you ever wondered how your phone knows where it is in the world?

The Global Positioning System (GPS) is one tool it uses, of course, but it's not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn't ideal for such a persistent task. 

That's where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).

First, devices running Apple or Google operating systems periodically report back their locations (via GPS or cell tower triangulation) as well as the relative signal strengths coming from nearby networks (labeled by their Basic Service Set Identifiers, or BSSIDs), which gives some indication of their distance. Through this crowdsourcing, those companies develop huge databases of where APs lie around the globe.

As Rye explains, "You might not own a single Apple device but, nonetheless, your Wi-Fi access point will still end up in this system, just due to the fact that people that own Apple devices walk by your house, deliver your packages, or live next to you." 

Individual devices, then, can determine their locations by scanning for and reporting nearby Wi-Fi networks to company servers. In Apple's case, the WPS server will return the locations of those Wi-Fi networks, which the device can compare with observed signal strengths to determine its relative location. So, what's the problem?

Apple's WPS API is open and free to use. It's designed for Apple devices, but anyone can query it from a non-Apple device without any kind of authentication or API key. Using a program written in Go and running on Linux, Rye brute-force guessed a large number of BSSID numbers until he eventually hit a real one, for which the WPS API endpoint gifted him a set of other BSSIDs near to it.

"Once you start getting hits, you can do what's called 'snowball sampling' and just feed those back in, and continuously sample over and over," he explains. "Over a period of less than a week, we were able to amass about half a billion unique BSSIDs."

The process was made more efficient by a particular quirk in Apple's WPS. In response to a location query, rather than just a few nearby networks, it will voluntarily return up to 400 results.

What's the Risk?

"We were able to essentially create a Wi-Fi map of planet Earth, including some of the most remote locations: Antarctica, small islands in the middle of the Atlantic, that kind of thing," Rye says.

Among his results: a map of Starlink APs providing Internet access across war-torn Ukraine, and an evolving picture of Internet access across Gaza, potentially valuable military intelligence.

More targeted privacy attacks could involve tracking individuals as they move homes or take trips with mobile APs (say, in an RV).

"It's funny — everyone has their own case study that they want to know about," Rye says. "Somebody had asked [us] about Burning Man, which was a very easy one, because Burning Man is in the middle of nowhere. So if your access point pops up there, we know you're there for Burning Man."

What Can Be Done (and What Can't)

The observant reader might ask: If Apple and Google both have WPSs, why are we picking on only one?

Both systems use huge databases of global BSSIDs to triangulate device locations. But when an Android device queries Google's WPS API, Google's server does the triangulation itself and replies with only the result, rather than with a long list of BSSIDs. Thus, all that extra data is kept unexposed.

Google also requires an API key, which it uses to impose a cost on queries (at most, one cent per two requests). Insignificant for regular users, this tiny cost would prove prohibitive for attackers who need to guess an extremely large number of BSSIDs before hitting on a real one, as Rye did in his tests.

These are just two among the many possible ways Apple, access point manufacturers, or even lawmakers could improve upon AP security. And there are preventative steps individuals can take in the meantime.

"If you're a particularly technologically savvy user — running OpenWrt, or something like that — you can manually randomize your BSSID yourself. But that's beyond the scope for most folks," Rye says.

Particularly at-risk individuals can avoid travel APs altogether and adopt new APs whenever they move. And, Rye adds, "Apple has implemented an opt-out ability. If you add a '_nomap' to the end of your network's name, Apple says that that will prevent your Wi-Fi access point from ending up in their system."
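The two user-side mitigations Rye mentions above, as an added example that is not part of the original article: a short Python audit that flags access points whose SSID lacks the "_nomap" suffix or whose BSSID is still the vendor-assigned address, plus a generator for a replacement BSSID. The function names, the sample inventory, and the use of the locally administered address bit as a sign of a randomized BSSID are assumptions of this example.

```python
import secrets

NOMAP_SUFFIX = "_nomap"  # opt-out suffix as quoted in the article (exact match assumed)

def parse_bssid(bssid: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' (or '-' separated) into 6 raw bytes."""
    raw = bytes.fromhex(bssid.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit BSSID: {bssid!r}")
    return raw

def random_bssid() -> str:
    """Random BSSID that is unicast and locally administered, so it cannot
    collide with a vendor-assigned address."""
    octets = bytearray(secrets.token_bytes(6))
    octets[0] = (octets[0] | 0x02) & 0xFE  # set U/L bit, clear group bit
    return ":".join(f"{b:02x}" for b in octets)

def audit_ap(ssid: str, bssid: str) -> list[str]:
    """Return privacy findings for one AP; an empty list means none."""
    findings = []
    if not ssid.endswith(NOMAP_SUFFIX):
        findings.append("SSID lacks the _nomap opt-out suffix")
    first = parse_bssid(bssid)[0]
    if first & 0x01:
        findings.append("BSSID has the group (multicast) bit set")
    elif not first & 0x02:
        # Heuristic: a cleared U/L bit means a globally unique, vendor-assigned
        # address, i.e. a stable identifier that follows the AP when it moves.
        findings.append("BSSID is vendor-assigned, not randomized")
    return findings

# Constructed sample inventory (SSIDs and BSSIDs are made up).
INVENTORY = [
    ("HomeNet", "00:11:22:33:44:55"),
    ("HomeNet_nomap", "00:11:22:33:44:55"),
    ("TravelAP_nomap", "02:ab:cd:ef:01:23"),
]

def audit_inventory(inventory=INVENTORY) -> dict[str, list[str]]:
    return {ssid: audit_ap(ssid, bssid) for ssid, bssid in inventory}

if __name__ == "__main__":
    for ssid, findings in audit_inventory().items():
        print(f"{ssid}: {', '.join(findings) or 'ok'}")
    print("suggested replacement BSSID:", random_bssid())
```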

About the Author(s)

Nate Nelson, Contributing Writer

Nate Nelson is a freelance writer based in New York City. Formerly a reporter at Threatpost, he contributes to a number of cybersecurity blogs and podcasts. He writes "Malicious Life" -- an award-winning Top 20 tech podcast on Apple and Spotify -- and hosts every other episode, featuring interviews with leading voices in security. He also co-hosts "The Industrial Security Podcast," the most popular show in its field.
