Hi, my name is Erik Rye, like the kind of bread. I'm a third year PhD student and probably the oldest PhD student at the University of Maryland. I am typically like a network security and privacy kind of guy; anything on the internet that's sort of sad is where I'm typically at. So with that as an intro, let's talk about Wi-Fi positioning systems, or WPSes for short.
At a high level, a Wi-Fi positioning system is just a system that somebody runs to allow mobile devices to geolocate themselves using Wi-Fi routers as landmarks. And while I'm going to focus exclusively on Apple's Wi-Fi positioning system during this talk, I just want to make clear at the outset that Google, Microsoft, and some other companies like Skyhook all operate Wi-Fi positioning systems.
But the way that Apple's is implemented has some kind of unique quirks that make it uniquely vulnerable to the types of attacks that I'll be talking about. So let's get right into what a Wi-Fi positioning system is and how it works. So imagine that this is your house with this enormous router outside your front door. And that router is constantly advertising its presence by sending out certain types of 802.11 management frames that indicate what the network name is so that it shows up in
your Wi-Fi settings. But importantly, those broadcasts also contain a unique identifier for that access point. In fact, for an interface on that access point, it's called a basic service set identifier, or BSSID for short. And a BSSID is essentially just the MAC address of an interface on that Wi-Fi access point. And from time to time, if we're talking exclusively about Apple here, so from time to time, if
someone with an iPhone happens to be nearby your Wi-Fi access point and they happen to have access to high quality geolocation information, because they're using a map application or maybe because the operating system just happened to poll the GPS daemon, from time to time they'll take note of that Wi-Fi BSSID, that access point's BSSID, their own location, and they'll ship that off to Apple. Essentially what Apple is doing here, or any of the other Wi-Fi positioning system operators,
what they're doing here is creating this worldwide database of where all the BSSIDs are on planet Earth, as we'll see later here. And the reason that they're doing that is because later, some other devices in their ecosystem might want to geolocate themselves but might not want to use GPS. Now there's several reasons this might happen. A, GPS requires higher power than just scanning the 802.11 spectrum.
Some devices don't have GPS; like my MacBook, for instance, doesn't have a GPS interface. And maybe you're inside, maybe you're in an urban canyon. There's lots of reasons why you might not be able to use GPS but still need to know where you are. And so the way devices use the WPS to do that is they simply sample the 802.11 channels, and they take note of the BSSIDs that they overhear, and they ship those off to, in this case, Apple. And what Apple does, if it knows about that BSSID that we've asked it about,
it will respond with that BSSID's geolocation. But the way that Apple's works, the unique kind of quirk in Apple's implementation of a Wi-Fi positioning system, is that in addition to the BSSID that you requested and its location, it also returns up to 400 additional BSSIDs that are nearby that BSSID that you asked about, that are unrequested, and their geolocations as well. And it ships those back to you. Your phone then does some fancy math to figure out where it's at,
trilateration using received signal strengths from those BSSIDs that Apple's told you about, and voila, the phone knows where it is now. It's objectively like a pretty cool system, right? You can use nearby Wi-Fi access points to figure out where you are without having to use GPS. Pretty neat. So just to recap how Apple's Wi-Fi positioning system works in particular: when you request a BSSID's geolocation from it, it returns that BSSID's geolocation if it
knows where it is, and up to 400 additional unrequested BSSIDs that happen to be nearby, just to give you a lot of landmarks to use to figure out where you're at. I just want to make clear here that this tracks the location of all access points. You might be like, well, I'm not an Apple owner, I don't care, my Wi-Fi access point isn't in the system. And indeed, it almost certainly is, right? Just living next to somebody that owns an iPhone, having a UPS man that has an iPhone, having somebody who walks their dog outside of your house that has
an iPhone, will almost certainly make your Wi-Fi access point end up in this system. Prior to our paper, which my advisor and I published at IEEE Security and Privacy earlier this year, there was no publicly known way to opt out of this. All of this is exposed via an unauthenticated, publicly accessible API with no rate limits. So there's a pretty low power attacker here, basically anybody on the internet that can send an HTTPS request. And as we'll find out shortly,
this permits, as you can imagine, a variety of attacks by a very low power attacker. I just want to kind of put this talk in context with other Black Hat talks, because this is not the first talk that's used Wi-Fi positioning systems to great effect. In fact, over a decade ago, there was a Black Hat Arsenal talk called iSniff-GPS, which essentially just used like Kismet to pump BSSIDs into Apple's WPS to map identifiers that were nearby. My colleague and I had a talk at Black
Hat 21 about geolocating specific kinds of IPv6 addresses that have MAC addresses embedded in the lower 64 bits, called IPvSeeYou. And then finally, this talk is like the third in kind of a line here of ways that Apple's Wi-Fi positioning system can be used by attackers. And we'll talk about how we can enumerate Apple's WPS data and do some interesting longitudinal analyses starting right
now. So the first kind of research question that I had is how much information can we learn from Apple's Wi-Fi positioning system. And in order to talk about that, first we have to talk about MAC addresses, which I deeply enjoy, but I know some people may not. So I'll make it quick. MAC addresses are 48-bit hardware identifiers that are typically burned into ROM, like when that interface is created by the manufacturer. We call the MAC address of an AP a basic service set identifier, or BSSID.
And MAC addresses have a particular structure to them. The upper three bytes of a MAC address are called the organizationally unique identifier, or OUI. And an OUI is assigned by the IEEE to a manufacturer of 802.11 interfaces. They go to the IEEE, they say, hey, I want to make some Wi-Fi chips. And the IEEE says, cool, here's your OUI. There's a many-to-one relationship here. So folks like Cisco and Apple have many OUIs that are assigned to them. So knowing what we know now
about MAC addresses, we can already see kind of a naive attack on Apple's Wi-Fi positioning system. They're a 48-bit identifier, so you can just start guessing 48-bit numbers, right? So you just start slinging random BSSIDs at Apple, and Apple is going to be like, I don't know where those are, probably. Because 48 bits is a lot of bits. And just guessing random numbers is not a great strategy if you want to accumulate large amounts of data from the WPS; there's over 280 trillion unique
possible BSSIDs. So you might have some success. Maybe you're luckier than I am every once in a while, but in large part you're going to be unsuccessful when you just guess random BSSIDs. So the next research question was, can we improve our guessing odds here? And indeed we can. So recall that an OUI is the upper three bytes of a MAC address, and the IEEE assigns OUIs to vendors. But only 36,000 of the possible 16 million OUIs have actually been assigned by
the IEEE. And as chance would have it, the IEEE publishes that list of OUIs for free on the internet for anyone to download. And so the solution here is to just start guessing random BSSIDs from within those 36,000 OUIs allocated by the IEEE. That's an over 99% reduction in the search space, and you don't have to be Einstein to figure out that that's like a pretty good deal, right?
So instead of just guessing random BSSIDs, we start guessing random BSSIDs that are within an OUI allocated and assigned by the IEEE. And in practice, you're still going to guess wrong a lot of the time. But every now and again, you're going to happen to hit on a random BSSID from within an allocated OUI that Apple knows about. And when you do that, you get those additional up to 400 BSSIDs
along with it. So by doing this intelligent kind of OUI-based random guessing, you end up having a lot better success. How good of success? I'm glad you asked. So we conducted an experiment in which we just guessed a couple thousand random BSSIDs within each of the allocated OUIs. And in fact, those extra 400 BSSIDs that you get back provide an incredible return on investment. The vast
majority, and I want to point out here that the y-axis is log scale, the vast majority of the information that you can pull out of the Wi-Fi positioning system is these additional BSSIDs that just happen to be returned with the ones that you've randomly guessed. Remember that this is like an Apple-specific quirk. So after a day of just random guessing, we had accumulated more than 100 million unique BSSIDs and their geolocations. And after a couple of days, we'd accumulated over half a
billion. Where are those BSSIDs? This is the next logical question that you might ask. And as it turns out, they're like mostly where people are on planet Earth. You know, as you kind of look at the places you might call home, like, you know, the U.S. is pretty bright red, as is Western Europe, South America. You can start to see like, you know, places where people don't live, right? The Amazon rainforest or the Sahara Desert. But one thing that was particularly confusing and interesting to
us at the outset of this was, you know, where are all the BSSIDs in China? We were finding some of them, but you know, not as many as we expected to, since China has a population of, you know, over a billion. And after our initial research paper came out, we sort of spawned a cottage industry of people that were interested in looking at this data. And I have to give credit to those folks down there at the bottom who discovered that Apple just has a China-specific Wi-Fi positioning system
that's located at a different HTTPS endpoint. It's just a different URL. It works in exactly the same way. And if you query that Wi-Fi positioning system, you can extract all these BSSIDs from China as well. And importantly, while this is a China-specific Wi-Fi positioning system that Apple runs, it's globally queryable. So you can hit it here from Las Vegas if you'd like. So people often ask,
like, how do I know that you're not just hitting all the Wi-Fi in major cities? You know, what if someone's in a remote location? What if they're in Antarctica? And I said, yeah, what if they are in Antarctica? And so I looked for BSSIDs that were, you know, at particularly low latitudes. And all of these labels on Antarctica here are research stations on Antarctica where I have BSSID geolocations. So even in places where there's only a couple of dozen people living, Apple's Wi-Fi positioning
system captures that information as well. Pretty cool. All right, so now I want to get into a couple of attacks that, you know, knowing how Apple's Wi-Fi positioning system works and knowing how you can extract massive amounts of data from it in a pretty easy fashion, what kind of attacks can we mount here? And sort of the simplest, like smoothest brain one that you might concoct is, let's say that I'm, you know, a law enforcement official, or, you know, somebody's in like an intimate partner
violence situation or something like that. And they want to, somebody wants to track a specific Wi-Fi access point over time. They know what that BSSID is. And let's say that person moves. They, you know, pick up and leave. They up and vanish. Well, that attacker can simply query Apple's Wi-Fi positioning system for that BSSID continuously until it pops up in some other location. Well, now you know where that access point is. That's sort of the most basic kind of attack you might
mount knowing how a Wi-Fi positioning system works, because BSSIDs are persistent identifiers. But wait, there's more. What if, you know, instead of just targeting one specific individual whose BSSID you know, what if you want to mount kind of like larger scale mass surveillance attacks by, you know, using all of that Wi-Fi data that you've ingested? And there's a couple of different threat models that I'll describe here. So the first is the simpler of the two.
As we know, an organizationally unique identifier identifies the manufacturer of a device. It's possible, because an OUI has 16 million BSSIDs within it, to enumerate every single BSSID for an OUI in a matter of hours; it's pretty easy. You just make a lot of requests. And so this allows you to trivially geolocate all of the devices within an OUI in, you know, the span of a day. And so for many OUIs, who cares? Like Cisco Systems,
everybody has a Cisco device, right? My doctor, my school, this place probably does. But what if that OUI tells you something, you know, that's interesting or privacy sensitive about the kind of device that has that MAC address? Like Starlink, right? Starlink uses this Tibro OUI; Tibro is orbit backwards. You know, if we could do something like geolocate all the Starlink routers in Ukraine, that would be particularly like scary and bad, right? And so here's a
picture of all the Starlink routers in Ukraine. Yeah, whoa is right. Some of the things that kind of pop out at me initially are, you know, there's some hotspots in major cities like Kiev. That's, you know, fairly unsurprising. Got a lot of people there. You can have a lot of Starlinks probably. You know, more interesting, you can kind of make out the contours of the front lines in their war with Russia on the eastern side of Ukraine, which
is where the Donbas is, and then as you kind of go to the southeast where Crimea is down there at the bottom, like this is where the front lines in the war with Russia and Ukraine are. And you can kind of see how far east they go, you know, just where the front lines are. And then finally, there's been, you know, some discussion about whether Starlink routers are operating like in Russian-occupied territory, and
we do see at least one instance of a Starlink router popping up in Russian-occupied Crimea. The second kind of threat deals with device mobility. So, you know, while my access point at home looks like this WRT54G that's, you know, accumulating a thick sheen of dust, you know, many people end up taking their Wi-Fi access points with them, like this Starlink router there, or, you know,
there's like a whole slew of travel routers that people try to sell that are, you know, designed for you to take with you on vacation, or, you know, when you're in your RV or on your boat or whatever it may be. And so, the next research question was like, how much do Wi-Fi routers move? And so what we did was we took a 10 million BSSID sample from that initial half billion and we queried Apple's Wi-Fi positioning system every day over the course of a month
to see how many of them moved. We set kind of a minimum threshold of one kilometer as like a threshold to call something a mover or not. And indeed, most Wi-Fi access points don't move very much. Only 6,000 of those 10 million moved more than a kilometer. And when they moved, they didn't really move all that far. Kind of a median distance traveled was between five and 10 kilometers. So, you know, moving within a city or something like that. But when we filtered those
routers, when we looked at, from our whole data set, routers that belong to vendors like GL.iNet that make travel routers, we saw that a lot of them move, many of them move, and when they do move, they move quite a bit further. So then again, we took a look at some interesting case studies where devices move. So we drew kind of a geobox around the Donbas region in Ukraine and also in Crimea, like where the, you know, war is actively happening. And we looked at where devices
were before they popped up in one of those locations. And so you can kind of make out some interesting things here, right? And there's a couple of hot spots from top to bottom. I think that's St. Petersburg, Moscow, Rostov-on-Don and Krasnodar, which are big cities in Russia. So it's possible this is like where, you know, pre-deployment sites are, where, you know, Russian soldiers are going before they go to war and they're testing their devices out, that kind of thing. Other interesting
bits that, you know, you can take out of here are like, there's a lot of dots in Western Europe. Who are those people? And you know, I don't have ground truth here. We didn't go looking to, you know, dox anybody. But these are possibly NGOs, NGO workers or, you know, Ukrainian Foreign Legion folks, or potentially volunteers on the Russian side. I don't know. Then we looked at what happens when devices just like disappear from Apple's Wi-Fi positioning system. So that snapshot on the left is all of the BSSIDs, about 300, sorry, about 300,000
BSSIDs in the Gaza Strip about a week after the October 7th Hamas attacks. And then the snapshot in the middle is the BSSIDs, the same BSSIDs, about a month later. And we saw about a 75% decrease in the number of BSSIDs that were in Apple's Wi-Fi positioning system of that original set. So what that means is that lots of these routers are just no longer geolocatable. In between these two snapshots, Israel cut power to Gaza and they also, you know,
commenced their ground war. And so likely what you're seeing here is a lot of routers that went offline because they don't have power or were just destroyed. So this seems pretty bad to me. And, you know, obviously, we wanted to tell Apple and folks to try to fix this and make this right. And so this is kind of our disclosure timeline. We disclosed to Apple in December of last year. And, you know, the other question that we had is like, who do you even disclose this to? And this
affects like every router on Earth, right? And who do you tell? And so we told GL.iNet and SpaceX because these are two router manufacturers that feature prominently in both our paper and obviously this talk as well. So Apple reached back out to us in March and informed us that they had added some text to their location services privacy page that informs users of how they can opt out
of having their BSSIDs be in Apple's Wi-Fi positioning system. And you do that by simply adding _nomap to the end of your network name, your SSID. And this will cause Apple to remove you, so you no longer have your BSSIDs in its system. We suggested some other potential remediations, like limit the number of queries that you get from a particular IP address, or require authentication, or limit the amount of additional information that you give back
when someone sends a BSSID that the Wi-Fi positioning system knows about, those extra 400; maybe limit that to 5 or 10. But as of today, Apple has not implemented any of those remediations, for probably a variety of factors, but I'd direct you to them for additional comment on that. Our recommendation for remediation to Wi-Fi router vendors was to randomize their BSSIDs. So randomizing your basic service set identifiers, the MAC addresses
that are actually used when that router powers on and starts advertising, will prevent all of the attacks that I talked about earlier. By randomizing the BSSID, it prevents that kind of trivial device manufacturer identification. You can no longer, you know, you can't pick out that that's a Starlink router, if it's a random BSSID, for instance. And by changing that random BSSID every time that device powers back on, you prevent the kind of time and space correlation that are possible
if that BSSID is persistent. By requiring the devices to use a random BSSID and to change that BSSID every time they power back on, this will prevent the attacks that I outlined in this talk. And thankfully, to their great credit, when I reached out to the folks at the SpaceX product security team, they informed me that they had actually started doing that in the middle of our study. However, they were focused on specific types of devices, like the main Starlink router,
and they were focused on specific regions of the world. I'll leave it to the imagination where they were, you know, implementing this initially. But when I reached out to them, I showed them, you know, our analysis and the number of SpaceX or Starlink devices that we could geolocate. They said, yeah, let's just do this everywhere for all the products. So now all the main routers and all the Wi-Fi extenders, all of their products randomize their BSSIDs. And as you can kind of see there on the far right, there's no longer any of those Starlink OUI
devices that you can find in Apple's Wi-Fi positioning system anymore. So this is like a good effort by their product security team that I think will help the users of Starlink devices. GL.iNet, which makes these small form factor routers, that Mango router is like that small, which makes these kind of travel routers, they initially told us they didn't have any plans to randomize the BSSIDs. We got some, a little bit of press after our initial academic paper came out.
And I think that helped them change their mind. And I'm happy to say that as of a couple of weeks ago, GL.iNet now, in their latest software version, is randomizing their BSSIDs as well. So that concludes my talk. You know, just to kind of put a bow on things, all this, you know, to summarize: we discovered a large-scale privacy vulnerability in how Apple's Wi-Fi positioning system
works, right? It's an unauthenticated, you know, globally accessible HTTPS endpoint that simply accepts queries of BSSIDs. And if you send a known BSSID, it will return a whole bunch of additional information. Having that additional information will allow you, A, to expand that corpus of Wi-Fi geolocation data like in a very quick way. You know, like I said earlier,
we were able to build up a corpus of about half a billion BSSIDs and their geolocations in under a week. And if you continue to geolocate those same devices, you'll be able to do things like track those devices longitudinally as they move around. If you want to try this out yourself, there is some sample code on my GitHub that simply accepts a BSSID as a command line parameter, and will show you the geolocation of that BSSID as well as the additional information
that's returned. So that concludes my talk. I'm happy to take some questions as we have time, and yeah, thanks. Oh, I was told to tell you that there's microphones there, and there, and there too. A question for you. Awesome talk, by the way. Thanks. Super rad. With the data that you're collecting, have you found any value cross-pollinating with other sources like WiGLE.net or anything like that?
Yeah, that's a good question. So actually, I mentioned that this is the second work that I've had that uses Apple Wi-Fi positioning system data. I had originally tried to use WiGLE because I knew of WiGLE, everyone knows of WiGLE, they're a great resource, but WiGLE has a fairly substantial rate limit and the amount of information you can get out of WiGLE is fairly low, which is why I turned to Apple's Wi-Fi positioning system. I have done some,
I did some, yes, in determining whether the geolocations that I was getting for a BSSID were close to WiGLE's, and indeed, like 99% of the cases they were pretty close. The thing with WiGLE is like, you know, the war driver may have stumbled upon your BSSID six months ago or whatever, right? Whereas this updates like once a day typically. Yeah, we go there, sure.
Hi, first of all, congratulations on the talk, and I also want to congratulate you on your efforts to disclose responsibly. Let me preface this by saying I'm a lawyer who for 25 years has been teaching legal and regulatory aspects of cyber all the way in London. Uh-oh. So my question to you is this: in your disclosure plan, did anyone ever consider disclosing what
you found to Max Schrems in Europe so that he could use the information you've collected to persuade information commissioners around Europe that BSSIDs are personal data and that the actions taken by Apple and others should be regulated as such? I'm going to show my ignorance here, and I don't know who or what that is. But Max Schrems is a who; he was a law student who sued Facebook more than once and ended up voiding the privacy shield arrangements with Europe twice.
I think that my response probably answers your question in that no, I did not, but I'm certainly interested to talk to you after in the rapid numbers that I think if you'd like. I guess broadly speaking, just to follow up, a little closer to home, when you did the ethical review for your project, to what extent were you challenged, to what extent did you have to answer questions about potential impact on individual data subjects,
individual living beings, the data you were collecting? Right. I mean, we went through the standard sort of institutional review board stuff, the process that you go through at most major American universities, that, you know, asked us questions about, you know, is this personally identifiable information, that kind of thing, which I don't know that the jury is like out on; I haven't come to a conclusion on that. I mean, I certainly think that you can make a case that, you know,
based on seeing people's BSSIDs moving from their house to other locations, I mean, in many cases that might uniquely identify them, yeah. Thank you for your work. Yeah, thank you. Thanks. Thanks. I don't know who's next, so you might as well just start talking and I'll look that way. So how would that be for things like mobile hotspots? Yeah, I'm glad you asked, because I even like anticipated this question. Right, right, right. This sort of answers your question.
Devices that move around a lot do not end up in this positioning, in the Wi-Fi positioning system. There's a couple of reasons for that, right? A, they're going to get like observed at a bunch of different locations. And Apple's going to know, or whoever the Wi-Fi positioning system operator is is going to know, that like this is not a stable landmark. It has to be stable for, at least in my kind of empirical testing at my house, the device has to be stable for a period of at least three days
and maybe up to a week before it like actually shows up. And then the same thing is true on the backside of things. So if I unplug my router and then I just like query the system every day for about a week, it will disappear somewhere in there after a couple of days. Yeah, because it's like, it's asking, you know, it's waiting to see if like other devices report that device is there, right? I mean, it's all based on whether, you know, an iPhone says that my router is there. And
it only decides to take it out after it's, you know, not been reported for a while. We have time for one more question. I'm just curious if you know what are potential side effects of opting out with Apple's _nomap, because I'm thinking of doing it myself, but I don't want to break anything that I might need in the future. Yeah, I don't. I mean, hey, I don't think that a lot of
people are going to, because it requires you to like scroll to seven-eighths of the way down a huge page to find that information on Apple's, you know, location services privacy page, which you wouldn't be at unless you were looking for this kind of information. I guess the one thing that I would say is that, you know, it identifies you as someone who's privacy, you know, conscious or maybe sensitive. So that could be interesting for people just like looking at your SSID, but I don't,
I mean, if everybody opted out of this, obviously like the system wouldn't work, right? But I just don't think they're going to see opt-outs in those kind of numbers that it would affect like the actual performance of the system, would be my guess, yeah. Thank you. Thanks.
End of transcript
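An added example, not from the talk or the speaker's GitHub code, that sketches in Python the pieces the talk reasons about: why restricting guesses to IEEE-assigned OUIs shrinks the 48-bit search space, why a per-boot randomized (locally administered) BSSID cannot be attributed to a vendor, and the daily-snapshot "mover" and disappearance analysis with the talk's 1 km threshold. The OUI table, vendor names and five-day snapshots are constructed placeholders; it works only on that embedded data and talks to no positioning system.

```python
import math
import secrets

# Constructed placeholder OUI table (assumed values, not real assignments);
# the real list is the IEEE registry the talk mentions.
OUI_TABLE = {
    "00:11:22": "Example Router Co.",
    "a8:bb:cc": "Example Travel Router Inc.",
}
IEEE_ASSIGNED_OUIS = 36_000   # count quoted in the talk
TOTAL_OUIS = 2 ** 24          # every possible 24-bit OUI


def parse_mac(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff and return the 6 raw bytes."""
    parts = mac.strip().replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def oui_of(mac: str) -> str:
    """Upper three bytes: the part the IEEE assigns to a vendor."""
    return ":".join(f"{b:02x}" for b in parse_mac(mac)[:3])


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set = address chosen locally (randomized),
    so it carries no IEEE-assigned OUI to look up."""
    return bool(parse_mac(mac)[0] & 0x02)


def vendor_of(mac: str, table=OUI_TABLE):
    """Vendor attribution as an analyst of WPS data would do it; None if not attributable."""
    if is_locally_administered(mac):
        return None
    return table.get(oui_of(mac))


def random_bssid() -> str:
    """What a router picks on each boot under the talk's mitigation: random, local, unicast."""
    b = bytearray(secrets.token_bytes(6))
    b[0] = (b[0] | 0x02) & 0xFE   # set the locally-administered bit, clear the multicast bit
    return ":".join(f"{x:02x}" for x in b)


def search_space_reduction(assigned=IEEE_ASSIGNED_OUIS, total=TOTAL_OUIS) -> float:
    """Fraction of the 48-bit space dropped by guessing only inside assigned OUIs."""
    return 1.0 - assigned / total


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in km between two fixes (mean Earth radius 6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = math.radians(lat2 - lat1), math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def classify(snapshots):
    """snapshots: {bssid: [fix per day]}, a fix being (lat, lon) or None when the
    WPS stopped returning that BSSID. Returns {bssid: (max km from first fix, days absent)}."""
    result = {}
    for bssid, fixes in snapshots.items():
        seen = [f for f in fixes if f is not None]
        absent = len(fixes) - len(seen)
        if not seen:
            result[bssid] = (0.0, absent)
            continue
        lat0, lon0 = seen[0]
        far = max(haversine_km(lat0, lon0, la, lo) for la, lo in seen)
        result[bssid] = (far, absent)
    return result


def movers(snapshots, threshold_km=1.0):
    """BSSIDs that moved more than the talk's 1 km threshold during the window."""
    return sorted(b for b, (km, _) in classify(snapshots).items() if km > threshold_km)


# Constructed five-day sample (not real data): a stationary home router, a travel
# router that changes city mid-week, and a router that drops out of the WPS.
SAMPLE = {
    "00:11:22:00:00:01": [(38.99, -76.94)] * 5,
    "a8:bb:cc:00:00:02": [(38.99, -76.94), (38.99, -76.94),
                          (39.29, -76.61), (39.29, -76.61), None],
    "00:11:22:00:00:03": [(38.99, -76.94), None, None, None, None],
}

if __name__ == "__main__":
    print(f"search space reduction: {search_space_reduction():.4%}")
    for b, (km, absent) in classify(SAMPLE).items():
        print(f"{b}  vendor={vendor_of(b)}  moved={km:.1f} km  absent={absent} day(s)")
    r = random_bssid()
    print(f"randomized {r}: vendor={vendor_of(r)}  local={is_locally_administered(r)}")
```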
