Privacy Implications of Tracking Wireless Access Points

Brian Krebs reports on research into geolocating routers:

Apple and the satellite-based broadband service Starlink each recently took steps to address new research into the potential security and privacy implications of how their services geolocate devices. Researchers from the University of Maryland say they relied on publicly available data from Apple to track the location of billions of devices globally—including non-Apple devices like Starlink systems—and found they could use this data to monitor the destruction of Gaza, as well as the movements and in many cases identities of Russian and Ukrainian troops.

Really fascinating implications to this research.

Research paper: “Surveilling the Masses with Wi-Fi-Based Positioning Systems”:

Abstract: Wi-Fi-based Positioning Systems (WPSes) are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple’s WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world.

The privacy implications of such massive datasets become more stark when taken longitudinally, allowing the attacker to track devices’ movements. While most Wi-Fi access points do not move for long periods of time, many devices—like compact travel routers—are specifically designed to be mobile.

We present several case studies that demonstrate the types of attacks on privacy that Apple’s WPS enables: We track devices moving in and out of war zones (specifically Ukraine and Gaza), the effects of natural disasters (specifically the fires in Maui), and the possibility of targeted individual tracking by proxy—all by remotely geolocating wireless access points.

We provide recommendations to WPS operators and Wi-Fi access point manufacturers to enhance the privacy of hundreds of millions of users worldwide. Finally, we detail our efforts at responsibly disclosing this privacy vulnerability, and outline some mitigations that Apple and Wi-Fi access point manufacturers have implemented both independently and as a result of our work.

Posted on May 29, 2024 at 7:01 AM

Comments

K.S. May 29, 2024 7:38 AM

A technological solution is required for this blatant abuse of privacy. We already have per-SSID randomly generated MACs; it is time to also have per-MAC randomly generated SSIDs.

K.S. May 29, 2024 7:43 AM

All this data is already public; you can use wwwDOTwigleDOTnet to search. Not sure if they respect _nomap. Both Google and Apple claim to respect _nomap, but I am skeptical that they don’t collect this data anyway.

Not really anonymous May 29, 2024 8:11 AM

This is really only a problem for mobile base stations. Fixed stations need to advertise their existence to be used. Using them as landmarks instead of, say, a picture of your house (which Google probably has) doesn’t provide more information.
Mobile base stations are different, but there is already support for changing MAC addresses, so that if you move one a significant distance powered off, you can make it hard to correlate the multiple places it is used with each other.

From here to the future May 29, 2024 9:23 AM

@Bruce
@ALL

I bring this into historical archaeology talks from time to time because people need to think of the physical problem of radio security in a different and much, much earlier context.

The Great Light of Alexandria, being a historic build of some immensity from more than two and a quarter millennia ago, is an indicator that mankind has been thinking about navigation by electromagnetic (EM) radiation for many thousands of years, from when simple lights or flashes would turn an eye in the dark on its quest to return home.

https://en.m.wikipedia.org/wiki/Lighthouse_of_Alexandria

It was a marvel of the technology of its time, and would push the abilities of most modern men if not equipped with specialist knowledge and tools. The light was over a hundred meters high and could be seen at sea up to fifty kilometers away, depending on the ship you were on. It was a simple beacon for all to see, bringing them to safe harbour. But as with all safety systems, within it lay the ability to do great harm, which is still ongoing even today with Russian jamming of essential navigation systems on which the lives of millions rest every day.

As such, the great light is a point in history that can be seen as “known”: that mankind had the knowledge and technical sophistication to do “Radio Navigation”. Knowledge and technology that led step by step in lockstep through to the Battle of the Beams in WWII, where things changed from angular measurement for navigation to the much more precise time measurement that provides the fundamental basis of the modern satellite radio navigation systems we take for granted today.

It is important to know the history of these navigation systems because they tell us much in the way of issues that happen with any EM communications network, which in reality are fundamental to all today’s systems, and especially to the security of such systems.

That is, do not think of WiFi or Bluetooth or any other radio data system as just a communications network, because they are all implicitly navigation networks as well. To do so, all you need is one or more of angle, time or phase of the signals to determine quite accurate position and all that goes with it.

Think of them as pinned flags on a map or chart, each with its own identification, and how a course or journey can be plotted and navigated by them. Even those that are highly mobile, like mobile phones, broadcast their position with great accuracy so that the network of base stations can work.

Now think how such systems can be attacked, what their vulnerabilities are to jamming, false identification, replay attacks, beam bending and much more.

It’s a side very few think about, and even fewer see how it applies to all EM communications systems, even those in wires, waveguides and optical fibers.

From here to the future May 29, 2024 9:41 AM

@K.S.

“We already have per-SSID randomly generated MACs, it is time to also have per-MAC randomly generated SSIDs.”

Sorry, it’s not a solution or even a stop-gap these days.

If I know you are there to start with, with only two receivers that are time synchronized I can find the position to within a few centimeters at microwave frequencies, and simply note the SSID you transmit and then send it over another data network to all interested parties.

At the turn of the century the equipment to do this cost hundreds of thousands of dollars, because of the premium of the “specialist market”. Now however the cost is almost “pocket cash”: a few hundred dollars of bits you bolt together, a couple of Software Defined Radios (SDRs), cheap single board computers and open source software.

Hobbyists are using such systems to get better position information on aircraft that use ADS-B signalling in case it becomes encrypted in the near future.

From here to the future May 29, 2024 10:13 AM

@Not really anonymous
@ALL

“This is really only a problem for mobile base stations.”

No, it’s a problem for all systems that transmit an EM signal that can be received at two or more points (see my comment to @K.S. above).

Even if the data is fully encrypted and changes with every transmission, the transmitters can all be told apart and thus tracked.

Back in WWII there were attempts to identify transmitters and operators in various ways. Whilst the story of “fist signature” being perhaps the first out-of-eyesight biometric is known to the less technically inclined public, the fingerprinting of transmitters is less well known.

Transmitters, being as much “mechanical” as they are “electrical”, have “defects” that show up in the signal they transmit.

If a defect can be measured remotely, and most can, then the individual transmitter can be identified.

Yes, all communications systems have the equivalent of biometrics by which they can be identified at various levels.

Some years ago on this blog it was pointed out that modern passports are transmitters and the argument about security through encryption was a false one, as each country manufactured passports in a sufficiently unique way that effectively identified the national issuer of the passport as well as the “crest on the front”. Also, as the manufacturing of parts like the chips inside changes quite quickly with “competitive tendering”, the likely issue date of the passport gets its own fingerprint.

It was pointed out that the passport fingerprint could be read at sufficient distance, from your pocket to a door frame as you pass through it. Thus even terrorists could set up a system that would identify foreign nationals and, say, blow up a bomb.

The thing is, if the bomb is remotely detonated, the passport scanning system can in effect be hidden because “Occam’s Razor” would point to a “finger on the button” for investigators.

K.S. May 29, 2024 10:23 AM

@From here to the future

While you are 100% correct, what I recommend would not be effective against a passive connected sensor. That is not the problem I am trying to address. What I am trying to make less effective is an infrequently updated database providing comparable benefits to what can be achieved with persistent monitoring. While my proposal will not be effective against targeted surveillance, it will be effective in preventing mass surveillance of this kind.

Not really anonymous May 29, 2024 11:48 AM

Under a reasonable threat model relevant to the data being collected by phone providers, only mobile base stations are threatened. If your threat model is being targeted by missiles or being arrested for running a base station, or you are on a secret base and people are running around with insecure phones and the adversary doesn’t have access to the cell location data but can use this location data to figure out where a base is, then someone with a fixed location might need to worry about this. In the vast majority of cases, the fact that someone is running a wifi base station isn’t a secret, nor is where it is located. And you normally can’t draw many conclusions from that. If you find a base station in different locations over time, you may be able to draw interesting conclusions from that.

Mexaly May 29, 2024 12:21 PM

It’s not WiFi, but I just assume my IMEI is my surveillance identity.
If I wanted to resist, I’d team up with some sympathizers and start shuffling burner phones around.
Garbage in.

lurker May 29, 2024 2:28 PM

@K.S.
“Technological solution is required for this blatant abuse of privacy.”

No, a social solution is already available. Don’t use routers with WPS. But your average punter doesn’t know what this means, and likely doesn’t care. Same as the Airtag “problem” discussed on a recent thread: Don’t walk around everywhere with WiFi, Data, BT always switched ON.

An May 29, 2024 2:42 PM

Yes, ideally all wifi APs should have an option for MAC address randomization. But bringing mobile APs into sensitive areas is more of a policy and policy enforcement issue.

Wifi is inherently problematic from a privacy (and some aspects of security) perspective. This is why, among other things, I turn my car wifi completely off, and have an automation to turn wifi off on my phone when I leave home. But the vast majority of APs are stationary, and their location isn’t a security issue, and not really even a strong privacy issue.

The more prevalent and significant issue is wifi clients (stations) that ping the SSIDs of APs they’ve been associated with historically. Especially without MAC address randomization at the station, but even with, it’s possible to correlate multiple SSIDs to a station, essentially forming a partial locational (social) graph.
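The MAC address randomization that K.S. and An both call for is visible in the address itself: IEEE 802 reserves bit 1 of the first octet as the "locally administered" flag, which randomized addresses set, while bit 0 marks group (multicast) addresses. The Go program below is an added example, not code from the original post or from any commenter; it classifies a constructed list of BSSIDs so an analyst auditing a scan can see which addresses are OUI-assigned and therefore usable as long-lived landmarks by a WPS-style database. The sample addresses are made up (the 00:00:5e:00:53:xx values are from the IANA documentation range).

```go
package main

import (
	"fmt"
	"net"
)

// MACKind is what the two flag bits in the first octet of a 48-bit MAC say about it.
type MACKind string

const (
	MACGlobal    MACKind = "globally unique (OUI-assigned)"
	MACLocal     MACKind = "locally administered (randomized or operator-set)"
	MACMulticast MACKind = "multicast/group address"
)

// classifyMAC parses a MAC address and inspects the IEEE 802 flag bits of the
// first octet: 0x01 marks a group (multicast) address, 0x02 marks a locally
// administered address, which is the bit that MAC randomization sets.
func classifyMAC(s string) (MACKind, error) {
	hw, err := net.ParseMAC(s)
	if err != nil {
		return "", err
	}
	if len(hw) != 6 {
		return "", fmt.Errorf("%s: not a 48-bit MAC address", s)
	}
	switch {
	case hw[0]&0x01 != 0:
		return MACMulticast, nil
	case hw[0]&0x02 != 0:
		return MACLocal, nil
	default:
		return MACGlobal, nil
	}
}

// stableLandmarks returns the BSSIDs from a scan that are globally unique,
// i.e. the ones a positioning database can keep as long-lived landmarks,
// skipping anything that does not parse as a unicast 48-bit address.
func stableLandmarks(bssids []string) []string {
	var out []string
	for _, b := range bssids {
		if kind, err := classifyMAC(b); err == nil && kind == MACGlobal {
			out = append(out, b)
		}
	}
	return out
}

func main() {
	// Constructed sample scan; 00:00:5e:00:53:xx is the IANA documentation range.
	scan := []string{
		"00:00:5e:00:53:01", // OUI-assigned: stable across reboots and moves
		"02:00:5e:00:53:02", // same bytes with the local bit set: randomized-style
		"da:a1:19:00:53:03", // constructed; 0xda also has the local bit set
		"01:00:5e:00:00:fb", // multicast, never a station's own address
		"not-a-mac",
	}
	for _, b := range scan {
		kind, err := classifyMAC(b)
		if err != nil {
			fmt.Printf("%-18s parse error: %v\n", b, err)
			continue
		}
		fmt.Printf("%-18s %s\n", b, kind)
	}
	fmt.Println("stable landmarks:", stableLandmarks(scan))
}
```

The local bit only tells you that an address is not OUI-assigned; it does not tell you how often the device rotates it, which is the property that actually matters against a periodically refreshed database.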

From here to the future May 29, 2024 3:19 PM

@Mexaly
@ALL

“It’s not WiFi, but I just assume my IMEI is my surveillance identity.”

It’s one of them.

There are at least two numbers that can easily be used; one is in effect the serial number or MAC number of the actual phone / tablet / device SIM slot as seen by the network.

The second is to do with the “Subscriber Identity Module” (SIM) that once was a full sized smart card but now is only a little bigger than the area needed for the gold contacts. For various reasons it’s not one number and is quite complicated to explain unless you know the ins and outs of ISDN and SS7 (don’t go there for less than $250k a year in the US or €100K in the EU and six weeks annual holiday, because you’ll need it).

You can be tracked by both, and if you SIM swap you will cause a list to be formed as a tree diagram of all the other phones/devices and SIMs that have had contact with each other and when and where. Such lists have quite a monetary value with “agencies”, be they debt collectors, law enforcement, or other government agencies for many nations. Similar lists of all the call/text numbers both sent and received are likewise valuable. Some of these “contact trees” could take a real forest of paper to print out.

So starting with the IMEI for GSM devices or MEID for CDMA devices.

It is the “International Mobile Equipment Identity” (IMEI) in most documentation you will come across, and it acts as a supposedly “unique identifier” for your phone, tablet or device across the “Over The Air” (OTA) interface that is the radio endpoint at your leaf node of the GSM network. In the US the GSM service was originally provided by T-Mobile and AT&T Wireless, with a handful of other smaller carriers.

In the less used “Code Switched Multiple Access” (CDMA) networks it is called the “Mobile Equipment Identification” (MEID). In the US CDMA was provided by Verizon, Sprint, Cricket, and other smaller carriers.

Supposedly the IMEI is not just unique but immutable, as it again supposedly helped prevent “call dialing fraud”, both supposedly “built hard in” at the factory. The reality is that Chinese-manufactured phones for both GSM and CDMA networks can have the numbers changed easily with a small programming device or a *num code typed in at the dial pad.

One selling point of built-hard-in numbers was that as no two devices would have the same IMEI or MEID, it would make them a very useful tool for tracking lost or stolen cell phones. But few stolen phones ever got tracked down unless the US assumed a terrorist was using it, in which case somebody was subject to “We kill by metadata” and some of their bits might be found around a smoking crater. The major use appears to be by law enforcement hunting suspects and debt collectors seeking a fortune.

These days with multi-SIM phones you have an IMEI for every slot a SIM can go in. So the reality is the IMEI is the serial number of a SIM slot, not a mobile or device.

So the second number is associated with the SIM; this is more long-winded to explain so I’ll leave it out. It is called the “International Mobile Subscriber Identity” (IMSI). Like the IMEI, the IMSI is a fifteen digit number and it is programmed onto the SIM chip by the service provider’s agent; in theory it is not mutable, but there can be multiple SIMs that have the IMSI in them due to loss and damage etc.

Two other associated numbers are the

“Integrated Circuit Card Identifier” (ICCID), which can be viewed as the SIM chip serial number. Generally it is a 20 digit number that is assigned to the hardware chip of each SIM card by the chip manufacturer. It is not directly linked to the mobile phone number, so if you move your mobile number to another provider or SIM then the ICCID will obviously change.

And finally the “Mobile Station International Subscriber Directory Number” (MSISDN), which is one of your dialable mobile numbers, and as you can roam it includes the UN ITU international country code.

To some extent you can be tracked and surveilled by all these numbers either directly or indirectly due to the way the mobile networks work and ISDN and SS7 on their connection to the International PSTN trunks or backhauls.

From here to the future May 29, 2024 3:31 PM

@K.S.
@ALL

“What I am trying to make less effective is infrequently updated database providing comparable benefits to what can be achieved with persistent monitoring. While my proposal will not be effective against targeted surveillance, it will be effective in preventing mass surveillance of this kind.”

If your intent is to “slag the database” then yes, having a high turnover on MAC/SSID would achieve this.

However it could not be “random”, it needs to be “random looking” but like a “rolling key code” as used in car locks.

That way an app on your laptop, smart device, or mobile would not need to be reprogrammed manually every day etc., depending on the frequency with which you change them.

vas pup May 29, 2024 4:32 PM

Scammers love impersonating these 5 major brands to steal your money
https://news.yahoo.com/finance/news/scammers-love-impersonating-5-major-133653431.html

“The Federal Trade Commission drilled down on the data and reported that Best Buy’s Geek Squad, Amazon, and PayPal are at the top of the list for the most-impersonated, iconic companies based on complaints received in 2023.

Yet the dollars lost were the highest when the scammers pretended to be from Microsoft and Publishers Clearing House, according to the FTC’s latest report.

Consumers reported losing $60 million in Microsoft-related impersonation scams last year and $49 million in scams where crooks impersonated Publishers Clearing House, according to the FTC data. The data is based on reports to the Consumer Sentinel Network. The network received 7,000 complaints about scammers impersonating Microsoft and 7,000 complaints about scammers who claimed to be from Publishers Clearing House.

By contrast, the network received 52,000 consumer reports about impersonation scams that pretended to be from Best Buy or Best Buy’s Geek Squad. Consumers who lost money reported $15 million in total losses.

The Best Buy Geek’s Squad scam often involves emails that remind you to pay several hundred dollars to renew a service that you never had in the first place.

Microsoft impersonation reports are generally classified as tech support scams, according to the FTC, and Publishers Clearing House impersonation scams generally fall into the category for scams involving prizes, sweepstakes, and lotteries.

In a tech support scam, another Troy woman, an 83-year-old, told local police in May that a pop-up message appeared on her computer. She was told to call the provided phone number for that was supposedly from Microsoft Security to unlock her computer.

The Microsoft impersonation scams start with a fake security pop-up warning on your computer with a number to call for “help.” Of course, you’re calling the scammers.

“If you get this kind of pop-up window on your computer, don’t call the number,” the FTC warns.

“Real security warnings and messages will never ask you to call a phone number.”

Nordstrom is a rather unusual gift card request by scammers. Nearly 7 out of 10 people who reported paying a scammer with gift card said they were instructed to buy other well-known brands: Apple gift cards, Target gift cards, eBay gift cards, Walmart gift cards and Amazon gift cards.

Nearly 9 out of 10 people who reported paying a scammer with an app or service, according to the FTC, said they were instructed to use PayPal, Cash App, Zelle, Venmo, and Apple Pay.

Often, scammers will tell you that there’s only one way to pay to resolve a situation. But that’s often a big red flag that you’re dealing with a scammer. Never wire money or pay by gift card or use a payment app when someone calls out of the blue.

Don’t trust the Caller ID information because scammers know how to spoof real numbers.

What’s important for consumers to realize is that most scams involve trying to catch you off guard, frighten you into thinking that you must act quickly to prevent something even worse from happening, or they might trick you into fearing missing out on something good, such as some big prize. Some scammers say you only have 24 hours to collect that prize.

The FTC offers a list of ways to avoid getting caught by an impersonation scam. One key tip: Never move your money to “protect it” when someone says they’ve supposedly spotted fraud or criminal activity on one of your accounts. In these scams, you might sometimes be asked to share verification codes. Don’t share it.

Last year, the FTC consumer network received 4,000 consumer complaints involving those impersonating the Bank of America with $8 million in losses reported. The network received 3,000 complaints about scams where con artists impersonated Wells Fargo with $11 million in reported losses.”

ResearcherZero May 29, 2024 6:22 PM

Many of the tracking methods for mobile terminals were put forward when many of the terminals were still only at the concept phase. Those tracking methods work exceptionally well, individually or as a group, or groups moving in unison.

Many methods of analysis that are quite old remain very effective, given the large number of available identifiers today.

They are all points moving in time across the face of a sphere, and thus can be located in time and space. Mobile handsets are even assigned a unique identifier by their operating systems, and apps collect all that data and happily transmit it to 3rd parties. This capability is part of the SDKs that are used in app development.

Apps are very noisy and relentlessly transmit a wide range of information.

Every device in the surrounding area is also scanning and noisily transmitting.

steven May 31, 2024 12:26 PM

@Not really anonymous,

“Fixed stations need to advertise their existence to be used.”

No, they don’t. Most routers allow their ESSID to be hidden. In that case, the clients will probe for it, which might be worse for privacy: they’ll broadcast it in cleartext even when not near the access point, which makes it easier to track them. But that’s just a design flaw, and could be fixed; in principle, we could use encryption and zero-knowledge methods everywhere, such that eavesdroppers would learn nothing of value (except via RF fingerprinting and brute-force-guessing attacks). One could probably do it today by programmatically rotating SSIDs daily, but it’d be a pain in the ass without widespread client support. And, of course, if my apartment is the only place on earth with a new 64-hex-character ID replacing the old one every 24 hours, I’m not really blending in.

From here to the future May 31, 2024 1:50 PM

@steven
@ALL

“And, of course, if my apartment is the only place on earth with a new 64-hex-character ID replacing the old one every 24 hours, I’m not really blending in.”

Even if you were not, you’d still not blend in that much…

The problem is how do two stations link up.

Does the In-Station Beacon or does the Out-station?

Either way one or the other has to periodically broadcast a unidirectional signal at close to full power.

But how do you know you are receiving the correct station amongst potentially many (think one in every apartment in a skyscraper)?

It means you have to do what looks like the impossibility of doing both. That is, not only do you have to transmit a unique signal to prevent this type of eavesdropping, it has to also be a very recognisable, thus predictable, code for the receiver to recognise.

The solution is to use a long ID with a changing code appended, and this gets encrypted by a shared key.

The problem is, unless you take care it will not work, as you will get static patterns building up.

Look at it as using, say, a 128-bit wide block cipher in ECB mode. If you use an ASCII ID longer than 16 characters then a block of ciphertext will be static. Even if it’s only 15 characters, then even if you use the full range of the last byte you will only get a ciphertext that has a loop of 256 cipher blocks.

In effect you need to make a substantial fraction of the bits of the first block change, and apparently change randomly, so the ciphertext changes randomly, for the same reasons as “The Avalanche Criterion”.

Subsequent blocks can be changed by putting the cipher in an appropriate kind of chaining-mode.

There are issues such as accidental collisions where plaintext ID1 under encryption key EK1 ciphertext matches the ciphertext of ID2 under EK2. Without having some kind of plaintext checksum this can happen more often than people might expect.

Those are the obvious problems; there are others to do with randomness and Encryption Key selection.

Most routers will be embedded devices with near zero entropy at turn on. Unless a properly designed “Random Number Generator” (RNG) is used, the checksum of the plaintext will act as a distinguisher for a brute-force search, due to what is in effect a key from a very limited key-space size.

As you can see from this simple list there are many issues that the majority of programmers will be totally unaware of.
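To make the ECB point in the comment above concrete, together with the earlier remark to K.S. that a rotating identifier should be "random looking" like a rolling code rather than truly random: the Go program below is an added example, not the commenter's code and not any vendor's scheme. It uses AES-128 from the standard library with a constructed 16-byte demo key, and the beacon layout (ID, one-byte counter, zero padding, and for the chained variant a random IV prefix) is an assumption made for illustration. It counts how many distinct values an eavesdropper sees in each ciphertext block across 1000 beacons: a 15-character ID in ECB yields exactly 256 distinct blocks, a 16-character ID in ECB leaves block 0 static for every beacon, and the same ID under CBC with a fresh IV per beacon changes every block while the receiver holding the shared key still recognises it.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newCipher wraps aes.NewCipher; the key stands in for the shared key
// between the two stations in the comment's scheme.
func newCipher(key []byte) cipher.Block {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return block
}

// padded returns id followed by a one-byte counter, zero-padded to a whole
// number of AES blocks: the "long ID with a changing code appended".
func padded(id []byte, counter byte) []byte {
	n := len(id) + 1
	if r := n % aes.BlockSize; r != 0 {
		n += aes.BlockSize - r
	}
	pt := make([]byte, n)
	copy(pt, id)
	pt[len(id)] = counter
	return pt
}

// rollingIDECB is the naive scheme: each beacon is the padded plaintext
// encrypted block by block with no chaining (ECB), so any block whose
// plaintext never changes produces the same ciphertext every time.
func rollingIDECB(block cipher.Block, id []byte, beacons int) [][]byte {
	out := make([][]byte, beacons)
	for i := range out {
		pt := padded(id, byte(i))
		ct := make([]byte, len(pt))
		for off := 0; off < len(pt); off += aes.BlockSize {
			block.Encrypt(ct[off:off+aes.BlockSize], pt[off:off+aes.BlockSize])
		}
		out[i] = ct
	}
	return out
}

// rollingIDCBC is the chained variant: a fresh random IV per beacon is
// prepended to the CBC ciphertext, so the first block's input (and hence
// every later block) differs on every beacon.
func rollingIDCBC(block cipher.Block, id []byte, beacons int) [][]byte {
	out := make([][]byte, beacons)
	for i := range out {
		pt := padded(id, byte(i))
		beacon := make([]byte, aes.BlockSize+len(pt))
		iv := beacon[:aes.BlockSize]
		if _, err := rand.Read(iv); err != nil {
			panic(err)
		}
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(beacon[aes.BlockSize:], pt)
		out[i] = beacon
	}
	return out
}

// recognize is the receiver side of the CBC scheme: decrypt with the shared
// key and the transmitted IV, then check the plaintext starts with the ID.
func recognize(block cipher.Block, id []byte, beacon []byte) bool {
	if len(beacon) < 2*aes.BlockSize || len(beacon)%aes.BlockSize != 0 {
		return false
	}
	pt := make([]byte, len(beacon)-aes.BlockSize)
	cipher.NewCBCDecrypter(block, beacon[:aes.BlockSize]).CryptBlocks(pt, beacon[aes.BlockSize:])
	return bytes.HasPrefix(pt, id)
}

// distinctBlocks counts how many different values ciphertext block idx takes
// across a series of beacons: the eavesdropper's view of what actually changes.
func distinctBlocks(beacons [][]byte, idx int) int {
	seen := make(map[[aes.BlockSize]byte]struct{})
	for _, b := range beacons {
		var blk [aes.BlockSize]byte
		copy(blk[:], b[idx*aes.BlockSize:(idx+1)*aes.BlockSize])
		seen[blk] = struct{}{}
	}
	return len(seen)
}

func main() {
	block := newCipher([]byte("0123456789abcdef")) // constructed demo key only
	const beacons = 1000
	id15, id16 := []byte("apt-7b-router-x"), []byte("apt-7b-router-xy")
	fmt.Println("ECB, 15-char ID, distinct block 0:", distinctBlocks(rollingIDECB(block, id15, beacons), 0))
	ecb := rollingIDECB(block, id16, beacons)
	fmt.Println("ECB, 16-char ID, distinct block 0:", distinctBlocks(ecb, 0), "block 1:", distinctBlocks(ecb, 1))
	cbc := rollingIDCBC(block, id16, beacons)
	fmt.Println("CBC+IV, distinct block 1:", distinctBlocks(cbc, 1), "recognized:", recognize(block, id16, cbc[0]))
}
```

The CBC variant only fixes the static-pattern problem; the commenter's other two concerns still apply to it unchanged. The IV must come from a real entropy source (an embedded device that seeds from a near-constant boot state will repeat IVs), and a receiver that accepts anything whose decryption starts with the ID has no integrity check, so the plaintext checksum the comment mentions, or better an authenticated mode, would still be needed before deploying anything like this.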

ResearcherZero June 4, 2024 2:38 AM

A ternary timing covert channel.

“The secret data are a disposable random MAC address generated by the IEEE 802.11 station as part of the probe request frame while scanning the network.”

https://www.mdpi.com/2076-3417/13/14/8000
