Surveilling the Masses with Wi-Fi-Based Positioning Systems

Erik Rye, Dave Levin

TL;DR

The paper investigates privacy risks in Wi-Fi-based Positioning Systems (WPS), showing that an unprivileged attacker can rapidly build a worldwide, longitudinal corpus of BSSID geolocations by querying Apple's WPS. The authors seed the IEEE OUI space and exploit Apple’s API to obtain the geolocations of BSSIDs and up to 400 nearby BSSIDs per hit, enabling scalable mass surveillance with minimal a priori knowledge. They construct a global dataset (over $1.125$ billion attempts with a large fraction yielding geolocations) and a year-long corpus (exceeding $2 \times 10^{9}$ BSSIDs), and demonstrate case studies in the Russia-Ukraine war, Gaza, and Maui wildfires to illustrate the real-world privacy impact of AP mobility and outages. The work proposes mitigations across WPS operators, AP manufacturers, and users, ranging from rate limiting and disallowing unrequested nearby BSSIDs to MAC/BSSID randomization for access points, and reports responsible disclosure with Apple and other vendors. Overall, the study highlights a pressing privacy risk in ubiquitous WPS infrastructure and urges concrete technical and policy safeguards to prevent broad, longitudinal tracking of individuals and sensitive locales.

Abstract

Wi-Fi-based Positioning Systems (WPSes) are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple's WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world. The privacy implications of such massive datasets become more stark when taken longitudinally, allowing the attacker to track devices' movements. While most Wi-Fi access points do not move for long periods of time, many devices -- like compact travel routers -- are specifically designed to be mobile. We present several case studies that demonstrate the types of attacks on privacy that Apple's WPS enables: We track devices moving in and out of war zones (specifically Ukraine and Gaza), the effects of natural disasters (specifically the fires in Maui), and the possibility of targeted individual tracking by proxy -- all by remotely geolocating wireless access points. We provide recommendations to WPS operators and Wi-Fi access point manufacturers to enhance the privacy of hundreds of millions of users worldwide. Finally, we detail our efforts at responsibly disclosing this privacy vulnerability, and outline some mitigations that Apple and Wi-Fi access point manufacturers have implemented both independently and as a result of our work.
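
The two operator-side mitigations named in the TL;DR (rate limiting and not returning unrequested nearby BSSIDs), modeled as an added example that is not code from the paper or from Apple. The database, the `nearby` distance metric, the class and function names, and the choice to charge the rate limiter per requested BSSID (hit or miss) are all assumptions made for illustration.

```python
import time

MAX_NEARBY = 400  # the page: up to 400 nearby BSSIDs returned per hit

# Constructed sample database (BSSID -> lat, lon); all values are made up.
DB = {f"02:00:00:00:00:{i:02x}": (10.0 + i * 1e-4, 20.0) for i in range(8)}


def nearby(db, bssid, radius_deg=0.001):
    """Other BSSIDs within radius_deg of bssid (toy distance metric)."""
    lat, lon = db[bssid]
    return [b for b, (la, lo) in db.items()
            if b != bssid and abs(la - lat) <= radius_deg
            and abs(lo - lon) <= radius_deg]


def permissive_lookup(db, requested):
    """Behaviour summarized on the page: each hit also returns its neighbours."""
    out = {}
    for b in requested:
        if b in db:
            out[b] = db[b]
            for n in nearby(db, b)[:MAX_NEARBY]:
                out[n] = db[n]
    return out


class HardenedWPS:
    """Answers only for requested BSSIDs and meters them per client."""

    def __init__(self, db, rate_per_s, burst, clock=time.monotonic):
        self.db, self.rate, self.burst, self.clock = db, rate_per_s, burst, clock
        self.buckets = {}  # client_id -> (tokens, time of last refill)

    def lookup(self, client_id, requested):
        now = self.clock()
        tokens, last = self.buckets.get(client_id, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        cost = len(requested)  # assumption: misses cost as much as hits
        if cost > tokens:
            self.buckets[client_id] = (tokens, now)
            return None  # rate limited: no locations disclosed
        self.buckets[client_id] = (tokens - cost, now)
        # No unrequested neighbours: the response is a subset of the request.
        return {b: self.db[b] for b in requested if b in self.db}
```
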

Paper Structure (25 sections, 13 figures, 1 table, 1 algorithm)

This paper contains 25 sections, 13 figures, 1 table, 1 algorithm.

Figures (13)

  • Figure 1: An Apple device querying and receiving BSSID geolocations from the Apple WPS. The WPS is populated by other Apple devices that report their geolocations (derived from e.g. GPS) and nearby BSSIDs, which the WPS then uses as landmarks. This figure shows 3 decimal digits of precision, though Apple routinely provides up to 8.
  • Figure 2: Number of BSSIDs discovered by guessing randomly among IEEE-assigned OUIs and their locally-administered versions versus the additional BSSIDs the Apple Wi-Fi geolocation API returns. Note that the $y$-axis is log-scale.
  • Figure 3: Heatmap of BSSIDs discovered by guessing randomly among IEEE-assigned OUIs and their locally-assigned variants.
  • Figure 4: CDF of geolocated BSSIDs versus OUI ranked by decreasing number of geolocated BSSIDs. Note that the $x$-axis is log-scale.
  • Figure 5: Fraction of geolocated BSSIDs (of 10,000,000 tested) remaining each day following an initial sweep of the OUI space.
  • ...and 8 more figures