Apple geolocation API exposes Wi-Fi access points worldwide

Apple’s Wi-Fi Positioning System (WPS) can be used to map and track Wi-Fi access points (APs) around the globe. But in a presentation at Black Hat 2024, University of Maryland researcher Erik Rye will demonstrate how he mapped hundreds of millions of APs in a matter of days, without even needing an Apple device or any kind of permissions along the way.

How Apple Exposes Global APs

Have you ever wondered how your phone knows where it is in the world?

The Global Positioning System (GPS) is one tool it uses, of course, but it’s not a perfect one. It becomes less effective when the device loses a clear line to the sky, and it consumes a good deal of power, which isn’t ideal for such a persistent task. 

That’s where the Wi-Fi Positioning System comes in. WPS works a bit like GPS, if you substitute the satellites with Wi-Fi access points (APs).

First, devices running Apple or Google operating systems periodically report back their locations (via GPS or cell tower triangulation) as well as the relative signal strengths coming from nearby networks (labeled by their Basic Service Set Identifiers, or BSSIDs), which gives some indication of their distance. Through this crowdsourcing, those companies develop huge databases of where APs lie around the globe.

As Rye explains, “You might not own a single Apple device but, nonetheless, your Wi-Fi access point will still end up in this system, just due to the fact that people that own Apple devices walk by your house, deliver your packages, or live next to you.”

Individual devices, then, can determine their locations by scanning for and reporting nearby Wi-Fi networks to company servers. In Apple’s case, the WPS server will return the locations of those Wi-Fi networks, which the device can compare with observed signal strengths to determine its relative location. So, what’s the problem?

Apple’s WPS API is open and free to use. It’s designed for Apple devices, but anyone can query it from a non-Apple device without any kind of authentication or API key. Using a program written in Go and running on Linux, Rye brute-force guessed a large number of BSSID numbers until he eventually hit a real one, for which the WPS API endpoint gifted him a set of other BSSIDs near to it.

“Once you start getting hits, you can do what’s called ‘snowball sampling’ and just feed those back in, and continuously sample over and over,” he explains. “Over a period of less than a week, we were able to amass about half a billion unique BSSIDs.”

To read the complete article, visit Dark Reading.