Privacy Please
Tune into "Privacy Please," where hosts Cam and Gabe engage with privacy and security professionals around the planet. They bring expert insights to the table and break down complicated tech stuff so everyone can understand.
S5, E213 - Unmasking the Privacy Threats of Wi-Fi Positioning Systems
Ever wondered about the hidden privacy risks lurking in your everyday Wi-Fi connections? In this episode, Cameron and Gabe discuss the hidden risks of Wi-Fi-based positioning systems. They highlight a paper by Erik Rye and David Levin that explores the privacy risks associated with these systems. The paper discusses case studies where sensitive information about troop movements and refugee migrations was revealed through these systems. The conversation emphasizes the need for a larger conversation about the widespread use of these systems and the potential privacy implications.
Source: https://arxiv.org/abs/2405.14975
Credit: https://www.linkedin.com/in/erik-rye/ & https://www.linkedin.com/in/dave-levin-658b2564/
Speaker 1:All righty then. Ladies and gentlemen, welcome back to another episode of Privacy, Please. I'm here with Gabe Gumbs. Cameron Ivey. I don't know why I said that backwards. Cameron Ivey, here with Gabe Gumbs.
Speaker 2:Is it still Monday?
Speaker 1:Nope, nope, Monday passed you by. It did. Yeah, hopefully everybody had a wonderful Memorial Day weekend. Gabe, how was yours? You get a relaxing weekend? Pretty decent. Uneventful, yeah, nothing, um, nothing special.
Speaker 2:Honestly, you know it's uh, I'll take, I'll take a three-day weekend anytime all the time, in fact every time all this?
Speaker 1:absolutely yeah for it should be 40 week, jakes.
Speaker 2:Yeah, is that on the ballot this November? Because if that's not on the ballot, I don't really care about the rest of this stuff. I'm a one-issue voter, and that's my one issue: four-day work week. Is that one issue per year, or what? Every four years?
Speaker 1:I'm not even four years. Maybe it's an issue a day, if we're being honest, more like an issue a day. It's okay. You know, speaking of, uh, before we roll into our topic real quick, it makes me think about, have you been getting texts from random local, like, people running for governor, or just like there'll be like a picture of them and then it'll be like "sorry to bother you," and then it's like a whole page talking about voting for them and stuff. Have you been getting those too?
Speaker 2:I have, and this is the first year I've ever gotten these, which I don't know what to make of that because, like, my number has been the same for like forever, right and uh, and this year I started getting them and I ignore them, of course, right, I equally find it fascinating who they're reaching out to, right, like, and some of the messages they're sending.
Speaker 2:Um, I very intentionally don't, uh, it would be difficult from, uh, from just observing me from the outside, to really understand all of my leanings, although not the most difficult. I'm pretty straightforward about, like, especially on this show, even like the things, yeah, the things that grind my gears and the things that I appreciate. So you can definitely extract from those things, but I'll tell you what I'm getting at, though, is, man, their information is so bad. It's like, I'm not the guy you really want. Trust me on this. Like, I'm not the guy you're looking for. You're looking for a different guy with that message.
Speaker 2:I'm not the guy. I'm not the guy and they're at it. I'm not the guy, and if they knew me, they'd know Donat.
Speaker 1:Nobody at us. All right, so, Gabe. The hidden risks of Wi-Fi-based positioning systems.
Speaker 2:Yes. So I came across a paper this week. You know, it's one of the nice things about the long weekends is you get some time to catch up on things, and it's a paper from two gentlemen, Erik Rye and David Levin. They're both at the University of Maryland. Erik's also with MITRE. Folks listening to the show are intimately familiar. He's a security engineer at MITRE also, and it's a hell of a great paper.
Speaker 2:The paper covers the risk associated with Wi-Fi-based positioning systems, and we've all encountered them, I'm certain, Wi-Fi-based positioning systems. You know, it's similar to Google Wi-Fi location services, Apple location services, Microsoft location services. They combine Wi-Fi and GPS, specifically, like, the strength of Wi-Fi signals even, so, you know, your proximity and telemetry that it gives off to those things, to kind of really determine your location, like pinpoint your location, and they were highlighting some of the many privacy risks associated with these systems. I thought it was a hell of an interesting read. In fact, I reached out to both gentlemen. Sirs, if you're listening, we'd love to have you on the show to dig into this a bit more, but it's a fascinating read.
Speaker 2:Right before COVID hit, I started a little bit of similar-ish research. I will only say similar-ish because these guys are doing amazing work here and I was just kind of putzing around, because I was walking around town and I noticed an ungodly number of access points and, like, Bluetooth devices, just kind of like clogging the airwaves everywhere around me, and so I purchased an extra Pineapple router. For those not familiar, it's a rogue wireless access point. You know, I've got a portable battery pack, all the good stuff, and I was going to load it up into my backpack and go walk around downtown and collect some more information and just, you know, see if I could make sense of what I was seeing, maybe just map it out, plot it out, all that good stuff. Well, then COVID hit like a week after I got all the equipment, and so, you know, everything shut down. So I never actually went through with this, but, you know, I say it out loud, I should.
Speaker 2:This paper, in particular, though, takes kind of what I observed on an extremely small scale, of all of these devices just kind of pinging and calling back, and I was trying to get, you know, just a handle on, well, what is around me and what all the things are. But these gentlemen were pointing out the many, many, again, call them privacy and security challenges associated with these types of systems. Yeah, yeah.
Speaker 1:There's a lot.
Speaker 2:Wi-Fi-based systems, yeah.
Speaker 1:What's your biggest concern with this? What's the first thing that comes to your mind?
Speaker 2:So in the paper they highlight some of the case studies, and in one of them they're tracking movements inside of conflict zones, right? Inside of war-torn areas like Ukraine and Gaza. Yes, yes. They were able to monitor folks, revealing sensitive information about troop movements and refugee migrations. I think my biggest challenge, as it is with so many of the security and privacy challenges that we talk about, is the unwashed masses, I think, are not aware that they're all being exposed to this.
Speaker 2:When you talk about the largest, most widely used Wi-Fi-based positioning systems out there, you're talking Apple, Microsoft. Yeah, that's like everyone, that's like everything, right? Like if you've got an Android phone or you have, uh, an iPhone. That pretty much covers a lot of territory. My concern is just, you know, there's equally, you know, we heard some stories earlier this year, late last year, of different government agencies of ours purchasing data from data brokers. Oh yeah, so a data broker goes around collecting this information and then selling it is bad, it's just bad enough. We do not need more data brokers.
Speaker 2:Somebody get Jeff and Heidi on the case. If anyone sees any new data brokers pop up with any WPSs, right, we need Heidi and Jeff on the case. But what we learned from what was happening is our own governments can circumvent established, not just norms and precedent, but rules, by just buying the data legally from data brokers, as opposed to having to, you know, go get that data themselves. I'm worried just about how pervasive this problem is, because it's everyone, everyone's got a phone. It's everyone that worries me the most.
Speaker 1:Does the government not have different? This might be a stupid question, but don't they have better stuff than we do? Or is that just an assumption?
Speaker 2:That's an open statement, so I'll answer it by saying maybe.
Speaker 1:Anyone who's?
Speaker 2:worked for the government will definitely argue they don't. They're like what have you?
Speaker 2:seen the equipment we're running around with. It's really bad equipment. But both of those statements are true, though. There's definitely better technology, let me rephrase that, maybe more accurate technology available. It is plausible, quite plausible, and in fact in some cases I can definitely speak to, it's definite that it exists.
Speaker 2:But again, how much of that can be used and for what purposes and by whom? Right, and how many different agencies may have it, et cetera. And how does one get access to it, and how do you have checks and balances, controls in place? But again, if a data broker simply were offering this data, then it doesn't matter that only, you know, uh, that that system is only accessible by this one unit of this one three-letter agency. Right, like this becomes like, anyone wants this, here it is. Right. And, more importantly, these things all exist in consumer technologies. And so even if you argue the government doesn't have access to it, well, that's not less than three mega corporations that are very much in the business of selling our data that do have access to it.
Speaker 2:I don't particularly like that either and from the research that these guys here conducted.
Speaker 1:It suggests that, well, hell, anyone can get their hands on it, right? Which is scary. Yeah, it's problematic. So, just to kind of like wrap this part of things up, what are some of the things that we should look into or ask questions about when it comes to this stuff? Obviously, I'm going to do a blogcast on this to kind of give us a little more in-depth information. But, Gabe, from your point of view, what would you kind of summarize with some of your takeaways from this article?
Speaker 2:I think the number one takeaway is what we're doing right now: we've got to engage in a conversation first and foremost about this. There's a lot of technology advice that we can start throwing around, but given just how widespread this is, it almost requires a much larger conversation amongst everyone. Right, like, everyone's got a phone, most people are using these services. But let's put a bow on this. Let's see if we can't get our hopefully new friends Erik and Dave on the show, and we'll dive into it more with those boys.
Speaker 1:Absolutely, we'll definitely tag them when we post this episode, so hopefully they'll see it.
Speaker 2:We'll have them. Hopefully we'll have them on.
Speaker 1:We'll have them on. But thanks, Gabe, um, and stay tuned for the, um, for the rest of the show, and we appreciate you guys. All righty, then. Ladies and gentlemen, welcome to the blogcast edition of episode. Thanks for sticking around, let's go ahead and dive right in. All right? Whoa, you're crazy.
Speaker 1:Anyways, the hidden risks of Wi-Fi-based positioning systems: a call for enhanced privacy measures. In today's hyperconnected world, our mobile devices are indispensable for navigation and finding our way in new cities, but a recent study conducted by Erik Rye and Dave Levin from the University of Maryland reveals a chilling reality about these conveniences. Conveniences, sorry for the hard kuh. Wi-Fi-based positioning systems, also known as WPS, particularly those operated by Apple, pose significant privacy risks that could lead to massive surveillance on a global scale. Let's talk about the first section here: unveiling the surveillance, huh, capabilities of Wi-Fi positioning systems.
Speaker 1:Now, the paper titled "Surveilling the Masses with Wi-Fi-Based Positioning Systems" uncovers how, seemingly, WPS can be exploited to track the movement of devices in collected Wi-Fi BSSID geolocations worldwide. By simply utilizing the density of MAC addresses, the spaces, and without any prior knowledge, the researchers managed to collect over 2 billion BSSID locations globally. This method reveals not just the scale of data collection, but also the ease with which it can be executed. Case studies that are highlighting the impact of these things. Let's dive in. The researchers presented several case studies demonstrating the types of privacy invasions enabled by Apple's WPS. Tracking movements in conflict zones: devices moving in and out of war-torn areas like Ukraine and Gaza were monitored, revealing sensitive information about troop movements and refugee migrations.
Speaker 1:The next one is natural disasters. The study tracked the effects of natural disasters, such as the devastating fires in Maui, showing how many devices, and possibly their owners, vanished from the map, likely destroyed by the disaster. These examples starkly illustrate the dual use of technology in both aiding our daily lives and potentially invading our privacy. Yeah, it's a huge crazy no-no. So the next section: involuntary participation in surveillance. This is huge. A particularly alarming aspect of this technology is that the device owners might not even know they are part of this global tracking network. Devices automatically report nearby Wi-Fi access points without the owner's explicit consent. This means simply by being in the vicinity of an operational Apple device, your device's location could be tracked and stored.
Speaker 1:Some of the recommendations for enhancing this privacy. Recognizing the profound implications of their findings, Rye and Levin proposed several recommendations for WPS operators and Wi-Fi access point manufacturers to enhance the privacy of users. These include limiting the density of data collection, implementing stricter access controls and providing users with clear opt-out options. They also suggest that the devices not only indiscriminately contribute data to positioning systems, advocating for a model where user consent and transparency are prioritized. Some of the ethical considerations and responsible disclosure. The study was conducted with an awareness of the ethical implications, and findings were responsibly disclosed to companies like Apple and Google. This proactive approach aims to mitigate potential harms before they become widespread, demonstrating a commitment to ethical standards and research.
Speaker 1:What does the path forward look like? This groundbreaking research serves as a wake-up call for both technical users and providers. It underscores the need for stricter privacy protections and transparency in how location data is collected and used. As we continue to rely on digital technologies for convenience and connectivity, we must also advocate for and implement solutions that safeguard our privacy. It's up to us. In conclusion, while WPSes provide invaluable services, the potential for abuse is significant. It is imperative that all stakeholders, from technology companies to end users, engage in a dialogue about privacy and take active steps to protect against invasive surveillance practices. Only through concerted effort can we ensure that our technological advancements do not come at the cost of our privacy.
Speaker 1:Ladies and gentlemen, that is the end of the blogcast and the end of the show. Thank you so much for tuning in and thank you so much to Rye and Levin for their research. Hopefully we'll have them on the show. We shall see. But if you have any questions, comments, shoot them my way and don't forget to like, share and subscribe. We'll see you guys next week. Cameron Ivey over and out.