Black Hat USA: Wi-Fi tracking flaw puts the ‘BS’ in BSSID
LAS VEGAS — Geolocation services for a number of popular mobile hardware vendors can be used to perform widescale Wi-Fi network monitoring, according to a presentation Tuesday at the Black Hat conference here.
Researcher Erik Rye of the University of Maryland said that a feature known as a Basic Service Set Identifier (BSSID) can be used to pinpoint and, in some cases, track user activity and location details.
The problem, Rye explained, lies not within the format itself, but rather in the way that it is used by vendors to aid with positioning systems.
Similar to a MAC address, the BSSID serves as a unique identifier given to each wireless access point (such as a home router). Major vendors including Apple, Google, Microsoft, and Starlink all use the BSSID data to help locate a device via triangulation.
Apple in particular makes heavy use of the data. In some cases a device can be sent as many as 400 BSSID strings in a single query.
“They’re doing that because sometimes later on devices in the same ecosystem will want to locate but don’t want to use GPS,” Rye explained.
The problem, said Rye, comes when a threat actor is able to randomly guess a BSSID and thus pull up the physical location of the device, as well as the people using it.
In theory, attackers guessing BSSIDs is next to impossible. The 48-bit string of characters in each address means tens of billions of possibilities. What Rye found, however, was that the number of in-use addresses is, in fact, much smaller.
One portion of the BSSID, the organizationally unique identifier (OUI), was designed to specify a particular operator (such as the hardware vendor) and must be formally awarded to a company by the IEEE. Thus far, only 36,000 OUIs have been handed out.
This, in turn, cuts down the number of possible identifiers and makes the process of guessing a BSSID daunting but manageable. Now, an attacker could run automated scripts and, once a BSSID is guessed, gain not one but as many as 400 nearby, valid IDs.
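To make the keyspace argument above concrete, here is a small added example (not code from the talk or from any vendor) that splits a BSSID into its OUI and device-specific halves, compares the nominal 48-bit space with the space that actually uses IEEE-assigned OUIs using the 36,000 figure quoted in the article, and flags addresses whose locally-administered bit is set, which is how a randomized BSSID is distinguishable from a vendor-assigned one. The sample addresses are constructed for illustration.

```python
import math
from typing import Dict, Tuple

BSSID_BITS = 48          # a BSSID is a 48-bit MAC-style address
OUI_BITS = 24            # the leading 24 bits are the IEEE-assigned OUI
ASSIGNED_OUIS = 36_000   # figure quoted in the article, not verified here


def parse_bssid(bssid: str) -> Tuple[int, int]:
    """Split 'aa:bb:cc:dd:ee:ff' (or dash-separated) into (oui, nic) integers."""
    octets = bssid.replace("-", ":").split(":")
    if len(octets) != 6 or any(len(o) != 2 for o in octets):
        raise ValueError(f"malformed BSSID: {bssid!r}")
    value = int("".join(octets), 16)
    return value >> OUI_BITS, value & ((1 << OUI_BITS) - 1)


def is_locally_administered(bssid: str) -> bool:
    """True when the U/L bit (bit 1 of the first octet) is set.

    A set bit means the address was self-assigned or randomized rather than
    drawn from an IEEE OUI block, which is the kind of assignment the vendors
    in the article moved to as a mitigation.
    """
    oui, _ = parse_bssid(bssid)
    first_octet = oui >> 16
    return bool(first_octet & 0x02)


def effective_search_space(assigned_ouis: int = ASSIGNED_OUIS) -> Dict[str, float]:
    """Compare the nominal 2^48 space with the structured space an attacker
    actually faces once only assigned OUIs are considered."""
    nominal = 2 ** BSSID_BITS
    structured = assigned_ouis * 2 ** (BSSID_BITS - OUI_BITS)
    return {
        "nominal": nominal,
        "structured": structured,
        "reduction_factor": nominal / structured,
        "structured_bits": math.log2(structured),
    }


if __name__ == "__main__":
    # Constructed sample addresses: a vendor-style one and a randomized one.
    for sample in ("00:11:22:33:44:55", "02:11:22:33:44:55"):
        print(sample, "locally administered:", is_locally_administered(sample))
    print(effective_search_space())
```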
From there the theoretical attacker (or surveillance state) could perform some basic tracking of the access points. While this is not particularly useful in the case of your average home router, it becomes much more intriguing on devices that change location, such as travel routers and mobile platforms like SpaceX’s Starlink network.
For example, Rye was able to track the activity of Starlink access points in Ukraine, providing a picture of how the population is moving and the current general state of the conflict in that country.
In other cases, the researchers came upon some surprising discoveries. While BSSID locations were found on all seven continents (including Antarctica), one part of the world was surprisingly barren.
“We were finding some in China, but not nearly as many as we were expecting,” Rye explained.
“It turns out Apple makes a different WPS API for China.”
In total, the team was able to geolocate more than 2 billion access points over the course of the 2023 calendar year.
There are some limitations to the tracking possibilities, however. Getting assigned a BSSID requires that the access point stay active in one location for at least three to seven days. This means that mobile hotspots and smart cars would almost never qualify the way a travel router or a boat-mounted access point might.
For privacy-conscious users, the story does have a happy ending. Rye said that after being contacted by the research team, vendors including Apple, SpaceX, and GL.iNet individually agreed to take measures such as randomizing their BSSID assignments and limiting the number of access points that can be returned in a single query.
Those changes are all said to have gone live in the first half of 2024.