Researchers from the University of Maryland revealed serious security and confidentiality issues in Apple’s and Starlink’s geolocation systems. The study found that the data collected and shared by these companies could be exploited to track the locations of billions of devices globally.
Apple gathers the precise location of every Wi-Fi access point visible to its devices, which lets those devices determine their location without constantly accessing GPS. Google operates a similar system, recording Wi-Fi access point identifiers such as MAC addresses (BSSIDs).
Unlike Google, Apple provides geolocation for up to 400 nearby BSSIDs, enabling Apple devices to pinpoint their location based on known access points. This allowed the researchers to track individual devices worldwide: they requested information on over a billion randomly generated BSSIDs and obtained data on 488 million access points.
The researchers utilized this data to track the movements of Starlink satellites, as each device is equipped with its own Wi-Fi access point that is automatically indexed by nearby Apple devices with geolocation services.
In response to the study’s findings, Starlink released software updates that randomize the BSSIDs of its devices, making tracking more difficult. The researchers observed a decrease in the number of Starlink devices whose locations could be determined using the Apple system.
Apple also took action by updating its privacy policy, allowing users to opt out of data collection by adding “_nomap” to their network name. The researchers stressed the importance of additional measures to prevent abuse of Apple’s API, such as limiting query speeds, to protect user confidentiality.
The identified vulnerabilities highlight the need for enhanced security and confidentiality measures in geolocation systems to safeguard users from potential threats and misuse.
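For administrators who want to check their own access points against the two mitigations described above (the “_nomap” opt-out and BSSID randomization), the following is an added example, not code from the researchers, Apple or Starlink. It assumes “_nomap” is matched as an exact lowercase suffix of the SSID and treats a set locally administered bit in the BSSID as the mark of a randomized address; the inventory rows are constructed sample data.

```python
# Added example: audit an AP inventory for the "_nomap" opt-out and BSSID type.
NOMAP = "_nomap"          # assumed to be an exact, lowercase SSID suffix
MAX_SSID_BYTES = 32       # IEEE 802.11 limit on SSID length

def parse_bssid(bssid):
    """Return the six octets of a colon- or dash-separated BSSID."""
    parts = bssid.replace("-", ":").split(":")
    if len(parts) != 6:
        raise ValueError(f"not a 48-bit BSSID: {bssid!r}")
    return bytes(int(p, 16) for p in parts)  # ValueError on bad octets

def is_locally_administered(bssid):
    """True if the U/L bit (0x02 of the first octet) is set.
    Assumption: randomized BSSIDs set this bit; vendor-assigned ones do not."""
    return bool(parse_bssid(bssid)[0] & 0x02)

def audit_ap(ssid, bssid):
    """Report whether an AP is opted out and what would need to change."""
    opted_out = ssid.endswith(NOMAP)
    proposed = ssid if opted_out else ssid + NOMAP
    findings = []
    if not opted_out:
        findings.append("ssid-missing-nomap")
        # Appending the suffix can push the name past the 802.11 limit.
        if len(proposed.encode("utf-8")) > MAX_SSID_BYTES:
            findings.append("renamed-ssid-exceeds-32-bytes")
    if not is_locally_administered(bssid):
        findings.append("bssid-globally-unique")
    return {"ssid": ssid, "bssid": bssid, "proposed_ssid": proposed,
            "findings": findings}

# Constructed sample inventory (not real networks).
INVENTORY = [
    ("HomeNet", "3c:84:6a:12:34:56"),
    ("Travel_nomap", "02:1a:2b:3c:4d:5e"),
    ("A" * 28, "3C-84-6A-00-00-01"),
]

def audit_inventory(rows=INVENTORY):
    return [audit_ap(ssid, bssid) for ssid, bssid in rows]

if __name__ == "__main__":
    for report in audit_inventory():
        status = ", ".join(report["findings"]) or "ok"
        print(f'{report["ssid"]:<30} {report["bssid"]}  {status}')
```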