Researchers at the University of Maryland have written a paper that warns Apple's Wi-Fi Positioning System (WPS) could be used to track groups of people and even individuals, while military assets could also be traced.
"This work identifies the potential for harm to befall owners of Wi-Fi APs (access points), particularly those among vulnerable and sensitive populations, that can be tracked using WPSes," the paper warns. What's more, this can also affect people who don't own Apple devices — simply having an Apple device come within transmission range is enough.
Apple isn't the only company that runs a WPS with Google and Skyhook being just two examples. But it's the way that Apple's WPS works that is problematic, the paper suggests.
Particularly chatty
Picked up by KrebsOnSecurity, the paper was authored by Erik Rye, a PhD student at UMD and, and Dave Levin, associate professor. It explains that a WPS can be used to allow devices like iPhones to get location data without using their power-hungry GPS radio, instead getting it from logged Wi-Fi access points. The system knows where access points are thanks to the location data provided by other devices, and approximate location data can then be handed out to yet more devices based on their signal strength in relation to these access points. It's all very clever, but there's a problem. Apple's system also provides data on hundreds of WPSes, and it's this leak of data that can be used to track people.
"In Apple's version, you submit BSSIDs to geolocate, and it returns the geolocation it believes the BSSID is at," Rye explains. "It also returns many more (up to 400) that you didn't request that are nearby. The additional 400 were really important for our study, as they allowed us to accumulate a large quantity of geolocated BSSIDs in a short period of time. Additionally, Apple's WPS is not authenticated or rate limited and is free to use."
The researchers were able to compile a database of 490 million access points all around the world as a result, and that's enough data track devices — and people.
"Because the precision of Apple’s WPS is on the order of meters, this allows us to, in many cases, identify individual homes or businesses where APs are located," the paper explains. The researchers warn that the data would theoretically allow them to identify people "down to individual names, military units and bases, or RV parking spots."
Amazingly, the report suggests that this data could be used for all manner of things, not just tracking individuals or groups of people. One example given was the assessment of damage following an attack by tracking the lack of existing WPS access points that were known to have previously been operational in the area.
The researchers say that Apple is aware of the situation and they understand that work is underway to change the WPS behavior moving forward.
Update: Apple has since responded to the issue. Apple has made some changes server-side to reduce the vulnerability, and it will be rolling out further mitigations later this summer. If people want to opt-out, Apple has provided steps on how to do so in an official support guide.
More from iMore
