 Good Lord. Every WiFi network access point that has ever been in range of an iPhone has its network name (SSID) and GPS location (taken from the iPhone) stored and used by Apple. Apple introduced a way to opt out in March 2024 - you must append the string "_nomap" to your SSID. https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/ (h/t @briankrebs ) 57 comments
@BradRubenstein @briankrebs I haven't seen it mentioned yet, but I guess they have to disambiguate Corporate or large WiFi networks by BSSID and MAC? Add another thing to the stack of "I'll dig into this when I get some time." @BradRubenstein @briankrebs The name used for it in location circles is WPS https://en.m.wikipedia.org/wiki/Wi-Fi_positioning_system There are a bunch of open APIs that allow navigation. I think Google had a semi public API at some point until a country took the@ to court for unlawful packet capture. For phone makers it allows them to provide location services with a super low power budget. (GPS eats battery and you’re normally scanning for WiFi anyway) @BradRubenstein @briankrebs that’s exactly what apple uses it for: geo locating devices that do not have gps radios. @BradRubenstein@infosec.exchange @briankrebs@infosec.exchange How hard would it be to trace where someone's been based on what access points a device has accessed or saved? Or even seen from their phone? Like, would it be possible for one to figure out someone has visited an abortion clinic if there's a history of their phone seeing access points that are near the clinic?  @BradRubenstein @briankrebs That's nothing new, this has been the case for the last 20 years? Community-run WiFi mapping projects exist, even Mozilla has such a database (MLS). @BradRubenstein I fail to see your point? Firefox does this, Windows does this, it's just normal at this point? @BradRubenstein @briankrebs this is the same shit that Google did with mapping isn't it @BradRubenstein everyone that can hear it includes Wigle users. Wigle has mapped 1301 _nomap networks. Many of them are from before though. @BradRubenstein @briankrebs I'm also aware of Google having a similar thing, but at least they have the decency to tell you they're collecting it in their privacy policy. I remember reading about this years ago and being in utter disbelief at the opt out solution provided by Apple. It just reinforced to me that both Apple and Google are similar and the fact that the smartphone market only has two main players means we've ultimately lost as consumers. Per the Krebs article, they are a bit different in that Google will take a BSSID and return a location, but Apple will take a BSSID and return hundreds of nearby BSSIDs (so the client can determine its location, but also so an interloper can watch how that set changes over time).  @BradRubenstein @briankrebs Reading the article says it's Android/Google too. Just to be fair... The article points out that the the Apple API (but not the Google API) leaks a large set of local BSSIDs, affording a surveillance that Google does not.   @BradRubenstein @briankrebs It's worse. Apple and Google use "_nomap" but Microsoft uses "_optout" (they explicitly say "anywhere" in name), so now you have "_optout_nomap", 13 of 32 available characters of the name stolen.  @elithebearded @BradRubenstein @briankrebs is this yet another case of a stupid idea, implemented by multiple vendors, eventually having to come together to agree to a standard? And blow sunshine up our arse in the process, like they're doing us a privacy solid?  @tehstu @elithebearded @BradRubenstein @briankrebs I think it was done so that nobody would bother.  @elithebearded @BradRubenstein @briankrebs Well, even worse: me choosing to inconvenience myself with that nonsense _doesn't actually address the actual problem in any way_. It's like telling people climate change is their fault for not doing enough recycling.  @BradRubenstein @briankrebs im kinda surprised that people are surprised by this. nobodhy remembers the whole 'skyhook' thing from before iphones had gps? because this is exactly how they used to triangulate phones before they had gps. basically industrial wardriving. now they just have the phones do the wardriving for them.  @Viss @BradRubenstein Actually the researchers referenced the Skyhook work and have a section explaining how their stuff complements previous research. @Viss @BradRubenstein @briankrebs It is kinda interesting that people are surprised, given this kinda use of BSSID data has been done for probably a couple of decades. I expect the current concern is the scale of the data and the number of people relying on WiFi now, making it a bigger privacy issue than it was 20 years ago.  @BradRubenstein @briankrebs lest we forget google getting done for wardriving in their streetview cars over 10 years ago. https://www.bbc.com/news/technology-24047235.amp  @i0null @BradRubenstein @briankrebs Having known about this for many years I simply skipped the middleman and made the SSID be the same as my street address. @BradRubenstein @briankrebs I’d love to develop a new approach to SSIDs: have a second pre-shared key used to generate a dynamic pseudorandom SSID by an algorithm similar to that used for TOTPs, except higher entropy. Call them TOTSSIDs, perhaps. @BradRubenstein @briankrebs I have to change MY SSID to opt out. Basically I’m being inconvenienced to opt out of their decision to map WiFi networks. @BradRubenstein@infosec.exchange @briankrebs@infosec.exchange "Oh gee wiz! You should have not had the name you want, but the name we want for you to not map it. It's clearly your fault." @briankrebs @BradRubenstein @BradRubenstein @briankrebs iOS, Android, Windows, and macOS all do this. The difference is that Apple chose to share the location of nearby WiFi routers with the phone to let it calculate its own location rather than doing the calculations for the phone as Google is doing. The researchers rightly point out ways this can be abused, but rest assured every wireless base station is being tracked by somebody, and this has been true for ages.  @BradRubenstein @briankrebs I'd like to propose those with the hardware and tech skills to support it spin up an additional SSID named FuckApple. Maybe if a few thousand of those IDs spin up globally they'll notice. It's Apple so they won't care but why not? @BradRubenstein @briankrebs Genuine question from an idiot who doesn't know how these things work: would a hidden SSID make any difference?  @nateb @BradRubenstein @briankrebs Hidden SSIDs aren't broadcast, but if there's traffic on the network then the BSSID of the network is still detectable, even if the human-readable SSID isn't known. Apple are going to be more interested in the BSSID than the SSID for their purposes because it's more unique and random than the names humans come up with. Your BSSID also can't be changed, since it's just the access point's hardware MAC address. @BradRubenstein I already named my network Nuclear Storage Fscility that ought to be warning enuf 👀🍸🙀 @BradRubenstein @briankrebs an interesting test is to see how long Apple Maps takes to update the location of a .11 AP when it’s repositioned. Took a month when I last had to relocate.  @BradRubenstein Pretty sure Google has been doing the same thing for like… 15 years? Not saying it ain't bad, but sadly this is not a new problem by any measure. :/ // @briankrebs @BradRubenstein @briankrebs Looking forward to the day where Apple will provide a way to opt out of its global face recognition indexing database by wearing a "_nomap" sticker on your forehead…  @BradRubenstein @briankrebs Yeah, so does Google. Been doing it since at least 2011. It's part of Location Services, meant to supplement GPS. Fortunately you can use the same opt-out. https://www.tomshardware.com/news/Google-Maps-Wi-Fi-Location-SSID,14000.html Should have seen the chaos it caused for me in google maps when I moved home and took my router with me...  @BradRubenstein Holly Hedwig Kiesler! Glad I did never had iPhone or iPad! @BradRubenstein @briankrebs lol that's the same silly bullshit move google pulled when they pulled wifi information for gmaps @BradRubenstein oh I meant specifically the "change your SSID so we don't map it" (which goog also pulled circa '08~'10? sometime, I forget) but yeah it's a double-whammy clusterfuck. shit like this getting to prod (apparently?) without anyone internally going "uh hold on a minute..." is one of the biggest gripes I have about apple as a whole definitely going to feature this in one of my upcoming writing pieces @BradRubenstein @briankrebs Is that not common knowledge since over a decade (not the opt out)? @BradRubenstein @briankrebs who is going to add ridiculous _nomap to their wifi name? Probably nobody and hard to call that a way to opt out. @BradRubenstein @briankrebs Ehm, what the crap Apple. I won't change my SSID just because you're a really annoying octopus. How is that even legal in the slightest?  @BradRubenstein @briankrebs  @BradRubenstein That's not what @briankrebs is reporting. He says it's the BSSID. Which is worse, because you can't change it as easily as the SSID. It's confusing, I know. One opts out of collection of the BSSID by changing the SSID. (It's on Apple and Google to honor the SSID _nomap suffix - but the whole idea is silly).  The issues around this were discussed more than a decade ago in the IETF's geopriv working group. @coopdanger was one of the chairs at the time, and the utter insanity of expecting home users to change their SSIDs to get this privacy was well-explored. That Apple is only now adding this fig leaf of a "better than nothing" solution would be hilarious if it weren't so stupid and sad. |
Gregory's Server
Incidentally that means, so long as your access point broadcasts its WiFi network name, you are also broadcasting (to everyone who can hear it) whether you've opted out. It's not just between you and Apple.
Not to mention that changing your SSID disconnects everything using it.
It just sucks all around.
@briankrebs