Surveilling the Masses with Wi-Fi Positioning Systems
This talk demonstrates how Wi-Fi Positioning Systems (WPS) can be exploited to perform large-scale geolocation and tracking of Wi-Fi access points. By querying Apple's WPS API with known or guessed BSSIDs, an attacker can retrieve the precise geographic coordinates of those access points, enabling mass surveillance and longitudinal tracking of devices. The research highlights significant privacy risks associated with persistent BSSID identifiers and provides a proof-of-concept tool for querying these systems. The speaker also discusses remediation strategies, such as BSSID randomization and opt-out mechanisms, which have been partially adopted by vendors like SpaceX and GL.iNet.
How Your Wi-Fi Router Is Leaking Your Precise Location to Apple
TLDR: Researchers have discovered that Apple’s Wi-Fi Positioning System (WPS) can be exploited to geolocate almost any Wi-Fi access point globally by querying its BSSID. An attacker can use this to track the movement of specific devices or perform mass surveillance by enumerating BSSIDs within known manufacturer OUI ranges. This research highlights a critical privacy flaw in how mobile operating systems treat persistent network identifiers as public data.
Most of us treat our BSSID as a semi-private piece of information, something that might show up in a local scan but remains largely invisible to the outside world. That assumption is dead wrong. The research presented at Black Hat 2024 by Erik Rye from the University of Maryland exposes a massive, unauthenticated, and rate-limit-free API that turns the world’s Wi-Fi routers into a global tracking grid. If your router is broadcasting, it is likely already indexed in a database that allows anyone with an internet connection to pinpoint your physical location.
The Mechanics of the Leak
The vulnerability lies in how mobile devices, specifically iPhones, maintain their location services. When an iPhone scans for nearby Wi-Fi networks, it doesn't just use them to connect to the internet. It sends the BSSIDs of those visible access points to Apple’s servers. Apple uses this data to build a massive, crowd-sourced map of where every Wi-Fi router on the planet is located.
The flaw is that this database is queryable. If you know the BSSID of a router, you can send a specially crafted HTTP request to Apple’s WPS endpoint. If the system has seen that BSSID before, it returns the precise geographic coordinates of the access point. Even worse, the API returns up to 400 additional, unrequested BSSIDs that were seen in the same vicinity. This allows an attacker to map out entire neighborhoods or office buildings with a single query.
For a researcher or a pentester, this is a goldmine for reconnaissance. You are not just getting a location; you are getting a list of every other device in the area. The official research code demonstrates how trivial it is to automate these lookups.
# Example of querying the WPS API for a specific BSSID
python3 bssid-geolocator.py --bssid 00:11:22:33:44:55
From Targeted Stalking to Mass Surveillance
The impact of this disclosure goes far beyond simple geolocation. Because BSSIDs are persistent identifiers, they function as a tracking beacon. If you know the BSSID of a target’s home router, you can monitor that BSSID over time. If the router moves—perhaps because the target took their travel router on a trip—you can track that movement across the globe.
The research also highlights a more dangerous technique: OUI-based enumeration. Since the first three bytes of a MAC address identify the manufacturer, an attacker can target specific hardware. If you are interested in tracking Starlink users, you can focus your queries on the OUI ranges assigned to SpaceX. By iterating through the remaining 24 bits of the BSSID, an attacker can systematically discover and geolocate thousands of Starlink routers in a specific region. This is exactly how the researchers were able to map the presence of Starlink routers across the frontlines of the Russia-Ukraine war.
Real-World Implications for Pentesters
During a physical security assessment or a red team engagement, this technique changes the game for reconnaissance. You no longer need to be within range of a target’s Wi-Fi to know where they are or to map their infrastructure. If you can identify a target’s BSSID through social engineering or a previous engagement, you have a persistent, remote tracking mechanism.
This falls squarely into the OWASP A01:2021-Broken Access Control category. The API lacks any form of authentication or rate limiting, allowing for the mass exfiltration of location data that was never intended to be public. When you are scoping an engagement, consider the privacy footprint of the hardware you are testing. If the client is using hardware that doesn't support BSSID randomization, they are effectively broadcasting their location to anyone who knows how to ask.
Defensive Strategies
If you are working with a blue team, the fix is straightforward but requires vendor cooperation. The most effective defense is BSSID randomization. If a router changes its BSSID every time it reboots, the persistent tracking link is broken. We saw this in action with SpaceX, which, after being presented with this research, implemented BSSID randomization across their product line.
For end-users, the only current defense is to opt out. Apple has introduced a mechanism where appending _nomap to the end of your SSID will signal their location services to ignore your router. While this is a step in the right direction, it is a manual, opt-in process that does nothing for the millions of routers that will never be updated.
The reality is that we have built a global, real-time tracking system based on the assumption that Wi-Fi hardware would remain static and anonymous. That assumption has failed. As researchers, we need to start treating network identifiers with the same level of sensitivity as we treat IP addresses or GPS coordinates. If you are deploying hardware, check if your vendor supports BSSID randomization. If they don't, you are essentially handing a map of your infrastructure to anyone who knows how to send an HTTP request.
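A defender-side way to run that check, as an added example that is not from the talk or the researchers' tool: it audits an AP inventory for the _nomap SSID suffix and for BSSIDs that stay the same across reboots. The inventory records, function names and finding labels are constructed for illustration, and the locally-administered-bit test comes from standard MAC address structure rather than from the talk.

```python
import re

# Constructed inventory: BSSIDs recorded for each AP after successive reboots.
INVENTORY = [
    {"name": "lobby-ap", "ssid": "CorpGuest",
     "bssids": ["00:11:22:33:44:55", "00-11-22-33-44-55", "00:11:22:33:44:55"]},
    {"name": "travel-router", "ssid": "RoadKit_nomap",
     "bssids": ["02:1A:2B:3C:4D:5E", "06:9f:10:aa:bb:cc"]},
    {"name": "lab-ap", "ssid": "_nomap_lab", "bssids": ["00:11:22:AA:BB:CC"]},
]

def normalize_bssid(raw):
    """Lowercase colon-separated form; raises ValueError on malformed input."""
    digits = re.sub(r"[:-]", "", raw.strip().lower())
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a BSSID: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def vendor_oui(bssid):
    """First three bytes, or None if the locally administered bit is set."""
    b = normalize_bssid(bssid)
    return None if int(b[:2], 16) & 0x02 else b[:8]

def opted_out(ssid):
    # The opt-out only counts when _nomap is the END of the SSID.
    return ssid.endswith("_nomap")

def rotation_status(bssids):
    """'static', 'rotates', or 'unknown' (fewer than two reboots observed)."""
    seen = [normalize_bssid(b) for b in bssids]
    if len(seen) < 2:
        return "unknown"
    return "rotates" if len(set(seen)) == len(seen) else "static"

def audit(inventory):
    report = {}
    for ap in inventory:
        findings = []
        if not opted_out(ap["ssid"]):
            findings.append("ssid-missing-_nomap-suffix")
        if (status := rotation_status(ap["bssids"])) != "rotates":
            findings.append(f"bssid-{status}")
        if any(vendor_oui(b) for b in ap["bssids"]):
            findings.append("vendor-oui-visible")  # manufacturer block identifiable
        report[ap["name"]] = findings
    return report

if __name__ == "__main__":
    print(audit(INVENTORY))
```

An empty findings list means the AP carries the opt-out suffix, showed a different BSSID after every observed reboot, and exposes no manufacturer-assigned prefix.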