FYI/A: Why Your Wi-Fi Router Doubles as an Apple AirTag

https://krebsonsecurity.com/2024/05/why-your-wi-fi-router-doubles-as-an-apple-airtag/

In late March 2024, Apple quietly updated its website to note that anyone can opt out of having the location of their wireless access points collected and shared by Apple — by appending “_nomap” to the end of the Wi-Fi access point’s name (SSID). Adding “_nomap” to your Wi-Fi network name also blocks Google from indexing its location.
.....
“You may not have Apple products, but if you have an access point and someone near you owns an Apple device, your BSSID will be in [Apple’s] database,” he said. “What’s important to note here is that every access point is being tracked, without opting in, whether they run an Apple device or not. Only after we disclosed this to Apple have they added the ability for people to opt out.”

OpenWRT's BSSID "randomly generating" MAC addresses in the advanced settings of the wireless network come to the rescue :)

2 Likes

This is nothing new. This has been the case for at least a decade. Phones use a fusion of (at least) 3 systems to get precise location data: GPS, cellular tower triangulation, and wifi network proximity. Devices without GPS and cellular are also able to get reasonably good location data in many places by using the databases of wifi network proximity.

Since your wifi network is stationary, it doesn't really reveal anything interesting -- it's not like tracking your movements with an airtag -- not the same thing at all. Randomly generating wifi BSSIDs doesn't 'fix' the issue (especially because it's not really an issue). This is also not really an OpenWrt topic... the article talks about appending a string to the end of the SSID -- this can be done on any wifi device and doesn't require any special techniques.

3 Likes

Guess BSSID randomization is still good to have especially for those travel router owners as mentioned by the researchers:

https://www.cs.umd.edu/~dml/papers/wifi-surveillance-sp24.pdf

11. Conclusion

In this work, we demonstrated the large-scale privacy threat presented by Apple’s WPS. A remote, unprivileged adversary, possessing only the knowledge of which parts of the MAC address space have been assigned by the IEEE, can quickly build a corpus of hundreds of millions of geolocated BSSIDs, spanning all seven continents and extending to even the most remote corners of the Earth.

The ability to obtain this worldwide view of Wi-Fi AP distribution is a privacy vulnerability. Because people often move with their AP, querying a WPS for the same BSSIDs over time reveals when routers—and by proxy their owners—move. We demonstrated that this attack could be applied to individual users, such as travel router owners, as they move from location to location. We also showed that WPSes could be used to find sensitive equipment, like Starlink routers in Ukraine.

There are practical steps to take to limit this vulnerability. WPS operators can limit access to their APIs, governments can legislate that their citizen’s devices not be used as geolocation landmarks, and users wary of tracking can be sure to not use the same AP at multiple locations. However, the most robust solution to this problem is to implement the same privacy protections that were implemented in mobile devices in Wi-Fi APs. BSSID randomization at each boot, or when the device changes locations prevents user tracking even in a world in which WPS operators permit open access to their APIs.

1 Like

Ahhhh... good news, because for about ~10 years my AP has been using the SSID appendix "_nomap"... and yes, I know: all the twenty APs around me don't ;-)

Wouldn't it be better to add "_nomap" to your SSIDs, or even better: Do both measures?

One question about randomly generated BSSIDs: How "good", aka random, are the OpenWrt-generated MACs?

...but it helps to spread the word about the Apple AND Google opt-out in a network and/or security and/or privacy interested multiplier "influencer" group

3 Likes

Well, _nomap does not work at scale, as you observed. And it does not protect against an accidental wardriver.
Addresses are random across the full possible address space; /lib/functions/system.sh (base-files) plainly uses /dev/random in place of the flash partition offset to "extract" the MAC address.

2 Likes

Also worth noting that MS currently doesn't recognize _nomap; their string is _optout and it can be anywhere in the SSID, so the current best practice is probably appending _optout_nomap.

As for not working at scale, "Rye also praised the product security team at SpaceX for moving to address this issue quickly and implement BSSID randomization in their products.

"They had begun having some of their products implement BSSID randomization during our study in 2023, but sped up the implementation on all of their Starlink devices after we spoke to them," he said. "It's worth noting that this vulnerability wasn't caused by SpaceX (they have no control over what Apple or Google does), but they dealt with it promptly and the right way nonetheless."

"It's our position that BSSID randomization is the most robust defense against being tracked by a WPS, as generating a random identifier every time the device boots (or moves locations) will make it appear as a completely different device in a WPS.""

3 Likes

Gaylord Fockers... Microsoft is undermining existing "standards"......as usual ;- )

1 Like

Just a note, if an "accidental wardriver" manages to keep locating you on travel, you have a more serious issue.

Interestingly, according to this commit on base-files: wifi: add random MAC support for wifi-iface :

Add support for randomly generating a MAC address for a wifi-iface
instance by setting macaddr to random
When set to random, a new locally administered unicast MAC address
is generated and assigned to the iface every time it is (re-)configured

The option is there in the open; the question is more whether it has to be promoted in the security guide of the wifi config wiki or the default flipped.

1 Like
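An added illustration of the two measures discussed in the thread so far (not part of any post, and not OpenWrt's own base-files code): it generates a locally administered unicast MAC as the commit message describes, verifies those two address bits, and checks an SSID for the opt-out markers using the rules stated above. Function names and sample values are assumptions made for the example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not OpenWrt's base-files code.

# Print a random MAC with the locally administered bit set and the
# multicast bit cleared, as the commit message above describes.
random_la_mac() {
    # Six random bytes as hex words, e.g. "3a 91 0c 7f e2 15".
    set -- $(od -An -N6 -tx1 /dev/urandom)
    # First octet: set bit 1 (locally administered), clear bit 0 (multicast).
    first=$(( (0x$1 | 0x02) & 0xfe ))
    printf '%02x:%s:%s:%s:%s:%s\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Succeed only if the MAC is locally administered (bit 1 = 1) and unicast (bit 0 = 0).
is_la_unicast() {
    [ $(( 0x${1%%:*} & 0x03 )) -eq 2 ]
}

# Report which SSID opt-out markers are present, using the rules stated in
# the thread: "_nomap" must be the suffix, "_optout" may appear anywhere.
ssid_optout_status() {
    case "$1" in *_nomap) nomap=yes ;; *) nomap=no ;; esac
    case "$1" in *_optout*) optout=yes ;; *) optout=no ;; esac
    echo "nomap=$nomap optout=$optout"
}

# Constructed sample values.
mac=$(random_la_mac)
is_la_unicast "$mac" && echo "$mac: locally administered, unicast"
ssid_optout_status "HomeNet_optout_nomap"
```

A burned-in vendor address fails `is_la_unicast`, which makes the function a quick way to confirm that an interface is no longer advertising its factory BSSID.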

Does this tracking also apply to iPhones when operating as a hotspot?

Maybe, but that's out of scope for this forum because it's not related to OpenWrt.

"* Constructive criticism is welcome, but criticize ideas, not people."

I knew someone would have that idea that my comment was not welcome. That's why I never comment here.

Actually when we have guests with iPhones, this is relevant since they are connecting to my OpenWrt router.

To be clear, I didn't criticize you. I simply said that your question was out of scope for this forum.

The original question you asked was about the phone operating as a hotspot. This is different than a guest phone joining a wifi network that is running OpenWrt (or for that matter, any firmware). That said, the same thing applies, but generally the guests joining your network are not adversarial and trying to track you. They know where you are since you have presumably invited them into your home and allowed them to connect to your wifi. The issue described in the OP and linked article is about the idea that someone could use the location services database to track wifi hotspots and their locations, thus potentially using this as a mechanism to track where people have gone when they move homes.

And the same goes for pretty much any stationary network (if OpenWrt is involved or not), regardless of the question of the potential tracker being your guest or some unknown entity nearby. Every phone with WLAN capability these days has integrated GPS/ GLONASS/ Galileo capability (and dedicated GPS modules are under 10 bucks), so it always knows where it (and in extension where you are) anyways. While BSSID triangulation can improve the precision of the location, it doesn't open new privacy concerns by itself (we can talk about how Apple/ Google and friends are gathering this information (and what they record in alongside), but that's another can of worms and distinct from MAC based geolocation techniques).

Or to look at it differently, what purpose would it serve you to remove the street number from your house?

  • as long as your neighbours still have it prominently on their houses
  • as long as your potential attacker still has GPS and mapping software on their phone

Randomizing MAC addresses for mobile clients does make sense, as that may make it harder for shops and others to track you and/ or to generate movement profiles by combining the data from many sources - and this may extend to using OpenWrt as a travel router (although that's already a different use case, as the travel router often is less mobile than your phone) - and if you have to provide log in data of any kind to gain network access (hotel, Wifi voucher, etc.), the tracking happens nevertheless, regardless of the MAC addresses involved.

2 Likes

The article dramatizes tracking as in black helicopters.

2 Likes

Thanks for the hint.
It's not enabled by default.