Apple's Location Service Vulnerability: Potential for Troop Tracking

TapTechNews, May 25: The security blog KrebsOnSecurity published a post this month stating that there is a loophole in Apple's location service, and that by stealing the WPS database, the movement of troops can be located.

Related background knowledge

Mobile phone location depends mainly on satellite positioning, but in urban areas dense high-rise buildings make it difficult for mobile devices to receive the weak satellite signal, so in such scenarios devices rely on a Wi-Fi-based positioning system (WPS).

The WPS uses a global database of nearly 500 million Wi-Fi routers. Importantly, the database covers not only the public routers that devices can actually access, but every BSSID they can see, which includes many household Wi-Fi routers.

Devices cannot access your router, but they can detect it and query the database to find out its exact location. These databases are built by cars that drive around, track their own position by a variety of methods, collect the BSSIDs they see, and match them with those positions.

TapTechNews note: The BSSID set by the manufacturer is different from the SSID selected by the user. Simply put, it can be regarded as the MAC address of the wireless network card in the router.

Both Apple and Google have their own WPS databases, and the methods they use are basically the same: detect nearby BSSIDs, measure the strength of each signal, and then compare this data with the WPS database to find the location of the mobile device.

Google's positioning method

An Android phone records the BSSIDs it can see and their signal strengths, and sends the data to a Google server. The server uses the WPS database to calculate the position of the phone and sends it back to the phone.

Apple's positioning method

Apple's WPS also accepts a list of nearby BSSIDs. Instead of calculating the position of the device from the observed access points and the received signal strength, Apple returns the geographical locations of up to 400 BSSIDs through the API, and about 8 of them are then used to determine the user's position based on known landmarks.

In essence, Google's WPS calculates the user's position and shares it with the device, whereas Apple's WPS provides the device with enough data about the locations of known access points in the area for the device to make its own estimate.
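As an added illustration (not code from Apple, the researchers, or this article), the sketch below shows how a device could make its own estimate from access point locations returned by a WPS. The weighted-centroid method, the function names and all sample values are assumptions; the article does not describe Apple's actual on-device calculation.

```python
# Added illustration: on-device position estimate from WPS-returned AP locations.
# The weighted-centroid method and every value below are assumptions.

def normalize_bssid(bssid):
    """Canonical form: lowercase, colon-separated, two hex digits per octet."""
    octets = bssid.replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"not a BSSID: {bssid!r}")
    return ":".join(f"{int(o, 16):02x}" for o in octets)

def estimate_position(observed, ap_locations, k=8):
    """observed: {bssid: rssi_dbm}; ap_locations: {bssid: (lat, lon)}.
    Returns (lat, lon, n_used), or None when no observed BSSID is known."""
    known = {normalize_bssid(b): loc for b, loc in ap_locations.items()}
    usable = []
    for bssid, rssi in observed.items():
        loc = known.get(normalize_bssid(bssid))
        if loc is not None:  # BSSIDs missing from the database are skipped
            usable.append((rssi, loc))
    if not usable:
        return None
    # Keep the k strongest access points (about 8 in the article's description).
    usable.sort(key=lambda item: item[0], reverse=True)
    usable = usable[:k]
    # Convert dBm to linear power so a 10 dB stronger signal weighs 10x more.
    weights = [10 ** (rssi / 10) for rssi, _ in usable]
    total = sum(weights)
    lat = sum(w * loc[0] for w, (_, loc) in zip(weights, usable)) / total
    lon = sum(w * loc[1] for w, (_, loc) in zip(weights, usable)) / total
    return lat, lon, len(usable)

# Constructed sample: locations a WPS might return for an area (not real data).
WPS_RESPONSE = {
    "02:00:00:00:00:01": (10.000, 20.000),
    "02:00:00:00:00:02": (10.001, 20.001),
    "02:00:00:00:00:03": (10.002, 20.000),
    "02:00:00:00:00:04": (10.050, 20.050),  # returned, but not heard by the device
}
# Constructed scan: BSSIDs the device hears, with RSSI in dBm, in mixed notations.
SCAN = {
    "02:00:00:00:00:01": -50,
    "02-00-00-00-00-02": -60,
    "2:0:0:0:0:3": -70,
    "02:00:00:00:00:ff": -40,  # strong signal, but unknown to the database
}

if __name__ == "__main__":
    print(estimate_position(SCAN, WPS_RESPONSE))
```

The estimate lands close to the strongest known access point, which is why a database that maps BSSIDs to coordinates is sufficient for positioning without any access to the routers themselves.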

The loophole in Apple's positioning method

Researchers at the University of Maryland said that they can use the verbosity of Apple's API to map the movement of individual devices into and out of almost any designated area in the world.

The pair of researchers at the University of Maryland said that they spent a month at the beginning of the study continuously querying the API and asking for the location of more than one billion randomly generated BSSIDs.

Of these randomly generated BSSIDs, only about 3 million were known to Apple's Wi-Fi geolocation API, but Apple also returned the locations of an additional 488 million BSSIDs stored in its WPS from other queries.

The researchers said that by zeroing in on or geofencing other, smaller areas indexed by Apple's location API, they can monitor how Wi-Fi access points move over time.

In practical terms, this may be a serious problem. The team can zero in on the area of the Russia-Ukraine conflict and confirm the location and movement of the Starlink devices used by the Ukrainian and Russian armies.
