Brad Rubenstein “:verified:”

Good Lord.

Every WiFi network access point that has ever been in range of an iPhone has its network name (SSID) and GPS location (taken from the iPhone) stored and used by Apple.

Apple introduced a way to opt out in March 2024 - you must append the string "_nomap" to your SSID.

krebsonsecurity.com/2024/05/wh

(h/t @briankrebs )

57 comments
Brad Rubenstein “:verified:”

Incidentally that means, so long as your access point broadcasts its WiFi network name, you are also broadcasting (to everyone who can hear it) whether you've opted out. It's not just between you and Apple.

Not to mention that changing your SSID disconnects everything using it.

It just sucks all around.

@briankrebs

tw000

@BradRubenstein @briankrebs I haven't seen it mentioned yet, but I guess they have to disambiguate Corporate or large WiFi networks by BSSID and MAC? Add another thing to the stack of "I'll dig into this when I get some time."

Brad Rubenstein “:verified:”

Thought experiment:

So, just supposing one finds oneself able to RCE into a machine that happens to have a wifi card, just have it scan and list the access points in its vicinity.

That will give you everything you need to ask Apple (via its API) for the set of all the nearby access points, to calculate fairly precise GPS coordinates of that box, along with the ability to watch that set change over time to see what comes and goes.

But why would anyone want such a thing? I have no idea.

@briankrebs

The Secretbatcave

@BradRubenstein @briankrebs The name used for it in location circles is WPS en.m.wikipedia.org/wiki/Wi-Fi_

There are a bunch of open APIs that allow navigation. I think Google had a semi public API at some point until a country took them to court for unlawful packet capture.

For phone makers it allows them to provide location services with a super low power budget. (GPS eats battery and you’re normally scanning for WiFi anyway)

DELETED

@BradRubenstein @briankrebs that’s exactly what apple uses it for: geo locating devices that do not have gps radios.

Amy ☣

@BradRubenstein@infosec.exchange @briankrebs@infosec.exchange How hard would it be to trace where someone's been based on what access points a device has accessed or saved? Or even seen from their phone? Like, would it be possible for one to figure out someone has visited an abortion clinic if there's a history of their phone seeing access points that are near the clinic?

Manawyrm | Sarah

@BradRubenstein @briankrebs That's nothing new, this has been the case for the last 20 years?

Community-run WiFi mapping projects exist, even Mozilla has such a database (MLS).

still can't work out who i am

@BradRubenstein @briankrebs this is the same shit that Google did with mapping isn't it

Stephen Paulger

@BradRubenstein everyone that can hear it includes Wigle users. Wigle has mapped 1301 _nomap networks. Many of them are from before though.

wigle.net/search?ssidlike=%25_

Soheb

@BradRubenstein @briankrebs I'm also aware of Google having a similar thing, but at least they have the decency to tell you they're collecting it in their privacy policy.

I remember reading about this years ago and being in utter disbelief at the opt out solution provided by Apple.

It just reinforced to me that both Apple and Google are similar and the fact that the smartphone market only has two main players means we've ultimately lost as consumers.

Brad Rubenstein “:verified:”

Per the Krebs article, they are a bit different in that Google will take a BSSID and return a location, but Apple will take a BSSID and return hundreds of nearby BSSIDs (so the client can determine its location, but also so an interloper can watch how that set changes over time).

@soheb @briankrebs

Dom @geektoybox

@BradRubenstein @briankrebs Reading the article says it's Android/Google too. Just to be fair...

Brad Rubenstein “:verified:”

The article points out that the Apple API (but not the Google API) leaks a large set of local BSSIDs, affording a surveillance that Google does not.

@geektoybox @briankrebs

bouriquet

@BradRubenstein @briankrebs I would rather have Apple store that information vs Google.

Eli the Bearded

@BradRubenstein @briankrebs It's worse. Apple and Google use "_nomap" but Microsoft uses "_optout" (they explicitly say "anywhere" in name), so now you have "_optout_nomap", 13 of 32 available characters of the name stolen.

learn.microsoft.com/en-us/arch
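
The opt-out markers described in the posts above, as an added example that is not part of the original thread: it checks which markers an SSID carries and builds a name carrying both within the 32-byte SSID limit. The function names are hypothetical, and case-sensitive matching is an assumption the thread does not confirm.

```python
# Added example (not from the thread). Rules as stated in the posts:
#   "_nomap" appended to the SSID (Apple, Google),
#   "_optout" anywhere in the name (Microsoft).
# Assumption: markers are matched case-sensitively.
MAX_SSID_BYTES = 32  # an SSID is limited to 32 bytes, not 32 characters

NOMAP = "_nomap"
OPTOUT = "_optout"


def opt_out_status(ssid: str) -> dict:
    """Report which opt-out markers an SSID carries and whether it fits."""
    size = len(ssid.encode("utf-8"))
    return {
        "nomap_suffix": ssid.endswith(NOMAP),
        "optout_anywhere": OPTOUT in ssid,
        "bytes": size,
        "fits": size <= MAX_SSID_BYTES,
    }


def truncate_utf8(text: str, budget: int) -> str:
    """Cut text to at most `budget` bytes without splitting a character."""
    raw = text.encode("utf-8")[:max(budget, 0)]
    # A multi-byte character cut in half is dropped rather than corrupted.
    return raw.decode("utf-8", errors="ignore")


def make_opt_out_ssid(base: str, microsoft: bool = True) -> str:
    """Build an SSID carrying the markers, trimming the base name to fit."""
    # Remove markers already present so they are not duplicated.
    for marker in (NOMAP, OPTOUT):
        base = base.replace(marker, "")
    # "_optout" goes first so that "_nomap" remains the final suffix.
    suffix = (OPTOUT if microsoft else "") + NOMAP
    budget = MAX_SSID_BYTES - len(suffix.encode("utf-8"))
    return truncate_utf8(base, budget) + suffix


if __name__ == "__main__":
    # Constructed sample names, not real networks.
    for name in ("HomeNet", "A" * 32, "café" * 10, "Office_nomap"):
        ssid = make_opt_out_ssid(name)
        print(ssid, opt_out_status(ssid))
```
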

Stu

@elithebearded @BradRubenstein @briankrebs is this yet another case of a stupid idea, implemented by multiple vendors, eventually having to come together to agree to a standard? And blow sunshine up our arse in the process, like they're doing us a privacy solid?

Matthew Miller

@elithebearded @BradRubenstein @briankrebs

Well, even worse: me choosing to inconvenience myself with that nonsense _doesn't actually address the actual problem in any way_. It's like telling people climate change is their fault for not doing enough recycling.

Viss

@BradRubenstein @briankrebs I'm kinda surprised that people are surprised by this.

nobody remembers the whole 'skyhook' thing from before iphones had gps? because this is exactly how they used to triangulate phones before they had gps. basically industrial wardriving.

now they just have the phones do the wardriving for them.

BrianKrebs

@Viss @BradRubenstein Actually the researchers referenced the Skyhook work and have a section explaining how their stuff complements previous research.

Chris Murphy

@Viss @BradRubenstein @briankrebs It is kinda interesting that people are surprised, given this kinda use of BSSID data has been done for probably a couple of decades. I expect the current concern is the scale of the data and the number of people relying on WiFi now, making it a bigger privacy issue than it was 20 years ago.

Hacker Memes

@BradRubenstein @briankrebs lest we forget google getting done for wardriving in their streetview cars over 10 years ago. bbc.com/news/technology-240472

Garrett Wollman

@i0null @BradRubenstein @briankrebs Having known about this for many years I simply skipped the middleman and made the SSID be the same as my street address.

David

@BradRubenstein @briankrebs I’d love to develop a new approach to SSIDs: have a second pre-shared key used to generate a dynamic pseudorandom SSID by an algorithm similar to that used for TOTPs, except higher entropy. Call them TOTSSIDs, perhaps.

Brian

@BradRubenstein @briankrebs I have to change MY SSID to opt out. Basically I’m being inconvenienced to opt out of their decision to map WiFi networks.

caranmegil🍵drinker

@BradRubenstein@infosec.exchange @briankrebs@infosec.exchange "Oh gee wiz! You should have not had the name you want, but the name we want for you to not map it. It's clearly your fault."

Sterling

@briankrebs @BradRubenstein
Any way to view this map...i.e. to see what it captured in my hood?
@AG100pct_nomap

kaelef

@BradRubenstein @briankrebs iOS, Android, Windows, and macOS all do this. The difference is that Apple chose to share the location of nearby WiFi routers with the phone to let it calculate its own location rather than doing the calculations for the phone as Google is doing. The researchers rightly point out ways this can be abused, but rest assured every wireless base station is being tracked by somebody, and this has been true for ages.

Allpoints

@BradRubenstein @briankrebs I'd like to propose those with the hardware and tech skills to support it spin up an additional SSID named FuckApple. Maybe if a few thousand of those IDs spin up globally they'll notice. It's Apple so they won't care but why not?

Nate Bartram

@BradRubenstein @briankrebs Genuine question from an idiot who doesn't know how these things work: would a hidden SSID make any difference?

TerrorBite :veripawed3:

@nateb @BradRubenstein @briankrebs Hidden SSIDs aren't broadcast, but if there's traffic on the network then the BSSID of the network is still detectable, even if the human-readable SSID isn't known. Apple are going to be more interested in the BSSID than the SSID for their purposes because it's more unique and random than the names humans come up with. Your BSSID also can't be changed, since it's just the access point's hardware MAC address.

George Girton

@BradRubenstein I already named my network Nuclear Storage Fscility that ought to be warning enuf 👀🍸🙀

Wade Roberts

@BradRubenstein @briankrebs an interesting test is to see how long Apple Maps takes to update the location of a .11 AP when it’s repositioned. Took a month when I last had to relocate.

phryk 🏴

@BradRubenstein Pretty sure Google has been doing the same thing for like… 15 years?

Not saying it ain't bad, but sadly this is not a new problem by any measure. :/

// @briankrebs

デイヴ

@BradRubenstein @briankrebs Looking forward to the day where Apple will provide a way to opt out of its global face recognition indexing database by wearing a "_nomap" sticker on your forehead…

Brad Rubenstein “:verified:”

I don't see why they can't just parse my robots.txt t-shirt.

@deivudesu

Allen Very Serious Versfeld

@BradRubenstein @briankrebs Yeah, so does Google. Been doing it since at least 2011. It's part of Location Services, meant to supplement GPS. Fortunately you can use the same opt-out.

tomshardware.com/news/Google-M

Should have seen the chaos it caused for me in google maps when I moved home and took my router with me...

Kote Isaev

@BradRubenstein Holly Hedwig Kiesler! Glad I never had an iPhone or iPad!
If I had, it means I would not be able to use a politically-charged name for WiFi network without this _nomap garbage...

JP

@BradRubenstein @briankrebs lol that's the same silly bullshit move google pulled when they pulled wifi information for gmaps

JP

@BradRubenstein oh I meant specifically the "change your SSID so we don't map it" (which goog also pulled circa '08~'10? sometime, I forget)

but yeah it's a double-whammy clusterfuck. shit like this getting to prod (apparently?) without anyone internally going "uh hold on a minute..." is one of the biggest gripes I have about apple as a whole

definitely going to feature this in one of my upcoming writing pieces

Mumpaminkel

@BradRubenstein @briankrebs Has that not been common knowledge for over a decade (not the opt out)?
Wait until you hear what they do with 360° cameras on cars...

dusoft

@BradRubenstein @briankrebs who is going to add ridiculous _nomap to their wifi name? Probably nobody and hard to call that a way to opt out.

webfussel

@BradRubenstein @briankrebs Ehm, what the crap Apple. I won't change my SSID just because you're a really annoying octopus. How is that even legal in the slightest?

Doug 🌈🇨🇦 :verified:

@BradRubenstein @briankrebs
There must be some way to use this to totally fuck up Apple's data

Daniel AJ Sokolov

@BradRubenstein That's not what @briankrebs is reporting. He says it's the BSSID. Which is worse, because you can't change it as easily as the SSID.

Brad Rubenstein “:verified:”

@newstik

It's confusing, I know. One opts out of collection of the BSSID by changing the SSID. (It's on Apple and Google to honor the SSID _nomap suffix - but the whole idea is silly).

Ted.h

@BradRubenstein @briankrebs

The issues around this were discussed more than a decade ago in the IETF's geopriv working group. @coopdanger was one of the chairs at the time, and the utter insanity of expecting home users to change their SSIDs to get this privacy was well-explored. That Apple is only now adding this fig leaf of a "better than nothing" solution would be hilarious if it weren't so stupid and sad.
