Apple's Wi-Fi-Based Positioning System: A Privacy Nightmare

Recent research from the University of Maryland has unveiled alarming privacy vulnerabilities in Apple's Wi-Fi-based Positioning System (WPS). This system, designed to help devices determine their location by utilizing nearby Wi-Fi access points, has been shown to allow unprivileged attackers to track devices globally, raising serious concerns about user privacy.

The Vulnerability Uncovered

The study, led by researchers Erik Rye and Dave Levin, reveals that attackers can create a comprehensive database of Wi-Fi Basic Service Set Identifiers (BSSIDs) within days. By exploiting the limited MAC address space, they geolocated over 2 billion BSSIDs worldwide in just one year. This capability poses a significant risk as it enables mass surveillance without the need for prior knowledge of the target's location.

How It Works

Apple's WPS operates by having mobile devices report the MAC addresses of nearby Wi-Fi access points along with their GPS coordinates to a central server. This data allows other devices to estimate their location without relying on GPS. However, the researchers found that the system's design permits querying any MAC address, which returns its geolocation if it exists in the database. This loophole can be exploited for various malicious purposes.

Real-World Implications

The implications of this vulnerability are profound. The researchers provided several case studies highlighting potential misuse:

Recommendations for Enhanced Privacy

In light of these findings, the researchers proposed several measures to mitigate privacy risks:

Following the disclosure of these vulnerabilities, Apple has introduced an option for users to opt out of WPS by adding “_nomap” to their SSID. Additionally, SpaceX is rolling out updates to randomize BSSIDs on Starlink routers.
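As an added example (not code from the article or from Apple), the two opt-out signals just described can be audited across an access-point inventory: the `_nomap` SSID suffix and a randomized BSSID, which under IEEE 802 conventions sets the locally administered (U/L) bit; whether any particular vendor's randomization sets that bit is an assumption here, and the inventory is constructed sample data.

```python
# Added example: audit an AP inventory for the "_nomap" opt-out suffix and for
# randomized (locally administered) BSSIDs. Sample APs below are constructed.
import re

BSSID_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

def is_locally_administered(bssid: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set, i.e. the BSSID
    is locally administered rather than derived from a vendor OUI. A randomized
    BSSID that follows IEEE 802 rules sets this bit (assumption for vendors)."""
    if not BSSID_RE.match(bssid):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    first_octet = int(re.split(r"[:-]", bssid)[0], 16)
    return bool(first_octet & 0x02)

def is_nomap(ssid: str) -> bool:
    """True when the SSID carries the "_nomap" opt-out suffix."""
    return ssid.endswith("_nomap")

def audit_access_points(aps):
    """Return, per AP, which opt-out signals are present and whether it still
    offers a WPS that honours them a stable identifier to geolocate."""
    findings = []
    for ap in aps:
        nomap = is_nomap(ap["ssid"])
        randomized = is_locally_administered(ap["bssid"])
        findings.append({
            "bssid": ap["bssid"].lower(),
            "ssid": ap["ssid"],
            "nomap": nomap,
            "randomized_bssid": randomized,
            # Only a stable, globally unique BSSID without the opt-out suffix
            # gives a positioning database a durable key for this AP.
            "trackable": not nomap and not randomized,
        })
    return findings

# Constructed sample inventory (not real access points).
SAMPLE_APS = [
    {"bssid": "00:1A:2B:3C:4D:5E", "ssid": "HomeNet"},
    {"bssid": "00:1A:2B:3C:4D:5F", "ssid": "HomeNet_nomap"},
    {"bssid": "02:9F:11:22:33:44", "ssid": "Guest-5G"},
]

if __name__ == "__main__":
    for finding in audit_access_points(SAMPLE_APS):
        print(finding)
```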

Conclusion

The research from the University of Maryland underscores an urgent need for improved privacy measures in Wi-Fi-based positioning systems. The ability to track devices globally through BSSID geolocation presents significant risks, particularly for individuals in sensitive or vulnerable situations. As technology continues to evolve, so too must our approaches to safeguarding user privacy against emerging threats.

Citations: [1] https://cyberinsider.com/apples-wi-fi-based-positioning-system-is-a-privacy-nightmare/

Apple's Find My Network Exploited in nRootTag Attacks for User Tracking

A new attack, dubbed nRootTag, has been discovered that allows malicious actors to leverage Apple's Find My network to track devices without requiring root privileges. This method turns Bluetooth-enabled devices into covert trackers, similar to Apple AirTags, with alarming efficiency.

How nRootTag Works

The nRootTag attack exploits Apple's vast Find My network, which consists of over a billion Apple devices. Unlike previous methods that required root privileges to modify Bluetooth Low Energy (BLE) advertising addresses, nRootTag circumvents this restriction by using precomputed key searches. The attack involves the following steps:

  1. Acquiring a Device's BLE Address: The attacker obtains the target device's Bluetooth advertising address through local queries or by sniffing nearby advertisements.
  2. Generating a Matching Public/Private Key Pair: Instead of altering the advertising address (which needs root privileges), nRootTag searches for a cryptographic key pair that naturally matches the address.
  3. Broadcasting “Lost” Messages: The compromised device begins advertising a public key as if it were a lost AirTag. This prompts nearby Apple devices to report its location to Apple's servers.
  4. Extracting the Location from Apple Cloud: The attacker uses a hashed public key to request encrypted location reports from Apple Cloud and then decrypts them using the private key.

This attack is remarkably efficient and stealthy, operating across Linux, Windows, and Android systems. Evaluations have shown a success rate exceeding 90% in under three minutes. Attackers can track various devices, including desktops, laptops, smartphones, and IoT devices, at a low cost that doesn't increase with the number of devices being monitored.

Abuse Scenarios

Several malicious entities could exploit nRootTag for various purposes:

Mitigation and Protection

While Apple's Find My network includes unwanted tracking alerts, nRootTag can evade these by modifying the “Status” field in lost messages. This makes it difficult for victims to detect the tracking, especially for stationary devices like desktops, TVs, and gaming consoles.

A possible mitigation would be for Apple to restrict Find My network participation to devices using only random static addresses, as originally specified in its protocol. On the user side, it's crucial to be cautious about Bluetooth permissions granted to apps, particularly those that do not explicitly need Bluetooth functionality.
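The mitigation proposed above, accepting only random static BLE addresses, can be expressed as a receiver-side check. This is an added example, not code from the nRootTag research or from Apple's Find My implementation; it classifies an advertiser address using the Bluetooth Core address-type rules (the TxAdd header bit selects public versus random, and the two most significant bits of a random address select static, resolvable private, or non-resolvable private). The addresses used are constructed sample values.

```python
# Added example: classify a BLE advertiser address and apply the "random static
# only" participation policy described in the text. Sample addresses are
# constructed, not captured from real devices.
from enum import Enum

class AddrType(Enum):
    PUBLIC = "public"
    RANDOM_STATIC = "random_static"
    RANDOM_PRIVATE_RESOLVABLE = "random_private_resolvable"
    RANDOM_PRIVATE_NON_RESOLVABLE = "random_private_non_resolvable"
    INVALID = "invalid"

def classify_ble_address(addr: bytes, tx_add_random: bool) -> AddrType:
    """addr is the 6-byte address in printed (big-endian) order; tx_add_random is
    the TxAdd bit from the advertising PDU header (False = public, True = random).
    For random addresses the sub-type lives in the two most significant bits."""
    if len(addr) != 6:
        return AddrType.INVALID
    if not tx_add_random:
        return AddrType.PUBLIC
    top_bits = addr[0] >> 6
    low46 = int.from_bytes(addr, "big") & ((1 << 46) - 1)
    if top_bits == 0b11:
        # Static random: the remaining 46 bits may not be all zeros or all ones.
        if low46 in (0, (1 << 46) - 1):
            return AddrType.INVALID
        return AddrType.RANDOM_STATIC
    if top_bits == 0b10:
        return AddrType.RANDOM_PRIVATE_RESOLVABLE
    if top_bits == 0b00:
        return AddrType.RANDOM_PRIVATE_NON_RESOLVABLE
    return AddrType.INVALID  # 0b01 is reserved

def accept_for_find_my(addr: bytes, tx_add_random: bool) -> bool:
    """Policy from the text: only random static addresses participate; public
    and private random addresses are rejected alike."""
    return classify_ble_address(addr, tx_add_random) is AddrType.RANDOM_STATIC

if __name__ == "__main__":
    for hexaddr, rnd in [("C1A2B3C4D5E6", True), ("81A2B3C4D5E6", True),
                         ("01A2B3C4D5E6", True), ("001122334455", False)]:
        a = bytes.fromhex(hexaddr)
        print(hexaddr, classify_ble_address(a, rnd).value, accept_for_find_my(a, rnd))
```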

Citations: [1] https://cyberinsider.com/apples-find-my-exploited-in-nroottag-attacks-for-user-tracking/