• Assessing the Privacy Impact of Apple's WiFi Positioning System

    From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Sun Dec 21 21:34:15 2025
    From Newsgroup: comp.sys.mac.advocacy

    Tyrone wrote:
    d. You and I differ greatly in understanding privacy tracking tools

    Yes, because you think tracking something (that rarely moves anyway AND is not
    associated with me AT ALL) is somehow tracking me. It is not.

    Here's the key thing we need to do to gain an appreciation for privacy.

    I suggest anyone else who thinks a BSSID is "just a number" begin to
    separate the object being tracked from the person being inferred.

    This is a very common but very incorrect assumption:
    "If the thing being tracked isn't me, then I'm not being tracked."

    That is factually wrong, and the academic research we have been citing
    makes that abundantly clear.

    We need to take the time to understand how modern tracking systems work. Because there are layers of complexity involved that interplay together.

    The privacy risk in Apple's WiFi Positioning System is not what most think
    it is. The core issue is not whether the scanning device is tracked.

    The core problem is that the WiFi access point itself becomes a traceable object because Apple publishes its GPS coordinates in a global database.

    I've proved it's trivial to obtain the entire WPS database for the mere
    cost of modifying the public FOSS scripts and a few GB of disk space.

    Apple's WPS stores billions of BSSIDs along with their latitude and
    longitude. Anyone can query those coordinates. If a BSSID moves, its
    movement can be tracked. If that BSSID is inside a car, an RV, a backpack,
    a travel router, a MiFi hotspot, or even a home router that gets relocated, then the person carrying it is tracked indirectly.

    This is exactly what the University of Maryland paper "Surveilling the
    Masses with Wi-Fi-Based Positioning Systems" demonstrated. The researchers tracked cars, delivery vehicles, people, and sensitive facilities simply by watching BSSIDs move in Apple's database. No user device needed to be compromised. The BSSID itself is the tracking beacon.

    It was trivial for me to reproduce their results.
    a. I created sequential (or random) valid BSSIDs
    b. I looked them up and found where they were located
    c. That gave me the next nearest 400 BSSIDs also

    From that list, I could expand outward (if I felt like it, and I do not).
    Which is exactly what the researchers said could be done (read the paper).

    Once I have a BSSID of interest, I could track its movements.
    Which I proved was trivial (where I set movement at 100km distance).

    Again, that's exactly what the researchers said could be done.
    And I did it.

    Apple's system is so different from everyone else's system that it was
    trivial for me, a nobody, to do it - using open source code out there.

    This is the primary, documented, peer-reviewed risk. It does not depend on speculation about Apple's internal behavior. It is observable, measurable,
    and repeatable. Anyone with a script can look up the GPS coordinates of any BSSID in the database and monitor its movement over time.

    Separately, it is also true that Apple receives the location of the device
    that reports nearby BSSIDs, because that is how the database is built. That
    is a different issue, and Apple does not publish that data publicly. But it shows that both the reporting device and the BSSID itself become part of Apple's location infrastructure.

    The important point is that the BSSID does not need to be "associated with
    you" for this to reveal your movements. If the BSSID moves with you, then tracking the BSSID is tracking you. That is the core finding of the
    academic research, and it is the part that cannot be dismissed.
    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 10:26:10 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian wrote:
    Apple's system is so different from everyone else's system that it was trivial for me, a nobody, to do it - using open source code out there.

    One perfectly reasonable disagreement is that Chris repeatedly disputed
    my personal ad hoc characterization that it is "trivial" to get the location
    of up to 400 APs near any given AP in Apple's highly insecure but very public WPS database.

    That's fine as adults can disagree on effort given differing skill sets.
    a. Chris repeatedly claimed it was not trivial
    b. I easily proved that it was excessively trivial

    Too trivial, in fact.
    Anyone can do it.

    To prove that this is trivial, even as Chris clearly opined that he felt it wasn't trivial (where trivial is in the eyes of the beholder, I guess),
    here is what I've modified just today to convert the raw integer values
    Apple stores in its highly insecure but very public WPS database to the typical decimal values we plug into our GPS location devices.

    None of us knew how Apple saved the location of our APs until recently.
    02:aa:a0:e3:5f:38 3245891571 -9381494140 32.45891571 -93.81494140
    00:18:f8:c1:4a:65 3245990371 -9381384277 32.45990371 -93.81384277
    44:1c:12:99:23:58 3245911026 -9381490325 32.45911026 -93.81490325
    44:1c:12:99:23:5b 3245911026 -9381489562 32.45911026 -93.81489562
    44:1c:12:99:23:5d 3245911407 -9381490325 32.45911407 -93.81490325
    44:1c:12:99:23:5e 3245912170 -9381490325 32.45912170 -93.81490325
    06:aa:a0:e3:5f:38 3245893096 -9381491088 32.45893096 -93.81491088
    72:13:01:01:99:9a 3245925521 -9381433868 32.45925521 -93.81433868
    72:13:01:01:99:9d 3245924758 -9381433868 32.45924758 -93.81433868
    etc.

    After digging deeper (see other posts), I've confirmed Apple is simply
    storing our personal data to 8 decimal places, but without the decimal
    point. So all the conversion of Apple's raw values to GPS are off a bit.

    That is, Apple's wide-open yet highly insecure WPS database stores
    latitude and longitude as integers representing the real coordinate
    multiplied by 100,000,000 (i.e., multiply by one hundred million).

    I think mainly, since we're using Windows tools to get Apple privacy data, that we simply needed to UNDERSTAND better what it is that Apple is allowing everyone on the planet, no matter who they are, to access.

    I agree with everyone who says the precision for the decimal location
    in Apple's highly insecure but all-too-public easily accessed WPS database
    is likely far higher than it needs to be for simply locating an access point.
    9a:0f:6f:18:7c:00 3246034622 -9381387329 32.460346 -93.813873
    a2:0f:6f:18:7c:00 3246035003 -9381387329 32.460350 -93.813873
    a6:0f:6f:18:7c:00 3246034622 -9381386566 32.460346 -93.813866
    2a:ad:18:fc:8b:1f 3246102142 -9381381988 32.461021 -93.813820
    where all four of those in Shreveport, LA map to the same 100-meter area.
    0.0008deg latitude ~ 89 meters
    0.0010deg longitude at that latitude ~ 92 meters

    Apple's WPS (Wi-Fi Positioning System) database appears to be
    storing our personal BSSID locations using fixed-point integer
    encoding where
    Latitude is apparently stored as an integer ~ lat * 1e8
    Longitude is stored as an integer ~ lon * 1e8

    Hence Apple's WPS database stores coordinates with 8 decimal places:
    1e-8 degrees of latitude ~ 1.1 millimeters
    But the real-world accuracy of Wi-Fi geolocation is nowhere near that.
    So the location of each individual BSSID is probably within ~10 meters.

    When you look up your own AP in Apple's database, if you get the
    raw numbers, all you need to do to convert Apple's stored value back
    into a normal GPS coordinate is divide by 100,000,000.

    Here's the modified python script that just divides by 100 million
    the raw data that Apple stores about us in its highly insecure public
    WPS database.

    #!/usr/bin/env -S uv run --script
    # -*- coding: utf-8 -*-

    # C:\app\os\python\apple_bssid_locator\apple_bssid_locator.py
    # Queries Apple WPS database for GPS:BSSID location pairs
    # Implementation based on https://github.com/hubert3/iSniff-GPS
    #
    # Usage: apple_bssid_locator.py 11:22:33:AA:BB:CC
    # Usage: apple_bssid_locator.py 11:22:33:AA:BB:CC --all
    # Usage: apple_bssid_locator.py 11:22:33:AA:BB:CC --map
    #
    # Changelog:
    # v1p0 20251205 - Initial version
    # v1p1 20251214 - Added logging to results.txt
    # v1p2 20251215 - Timestamped results.txt to avoid overwrites
    # v1p3 20251219 - Limited output to 6 decimal places
    # v1p4 20251219 - Added raw integer output alongside converted decimals
    # v1p5 20251222 - Fixed raw to decimal conversion (divide by 100 Million)

    import argparse
    import requests
    import webbrowser
    import AppleWLoc_pb2

    def parse_arguments():
        parser = argparse.ArgumentParser()
        parser.add_argument("bssid", type=str, help="display the location of the bssid")
        parser.add_argument("-m", "--map", help="shows the location on google maps", action='store_true')
        parser.add_argument("-a", "--all", help="shows all results returned, not just the requested one", action='store_true')
        args = parser.parse_args()
        return args

    def format_bssid(bssid):
        return ':'.join(e.rjust(2, '0') for e in bssid.split(':'))

    def query_bssid(bssid, output_file="results.txt"):
        apple_wloc = AppleWLoc_pb2.AppleWLoc()
        wifi_device = apple_wloc.wifi_devices.add()
        wifi_device.bssid = bssid
        apple_wloc.unknown_value1 = 0
        apple_wloc.return_single_result = 0 # request ALL results
        serialized_apple_wloc = apple_wloc.SerializeToString()
        length_serialized_apple_wloc = len(serialized_apple_wloc)

        headers = {'User-Agent':'locationd/1753.17 CFNetwork/889.9 Darwin/17.2.0'}
        data = b"\x00\x01\x00\x05"+b"en_US"+b"\x00\x13"+b"com.apple.locationd"+b"\x00\x0a"+b"8.1.12B411"+b"\x00\x00\x00\x01\x00\x00\x00" + bytes((length_serialized_apple_wloc,)) + serialized_apple_wloc
        r = requests.post('https://gs-loc.apple.com/clls/wloc', headers=headers, data=data)

        apple_wloc = AppleWLoc_pb2.AppleWLoc()
        apple_wloc.ParseFromString(r.content[10:])

        # Build dictionary of results
        results = {}
        with open(output_file, "w") as f:
            for wifi_device in apple_wloc.wifi_devices:
                if wifi_device.HasField('location'):
                    raw_lat = wifi_device.location.latitude
                    raw_lon = wifi_device.location.longitude
                    lat = raw_lat * 1e-8
                    lon = raw_lon * 1e-8
                    mac = format_bssid(wifi_device.bssid)
                    results[mac] = (lat, lon, raw_lat, raw_lon)
                    # Write both raw integers and converted decimals (8 decimal places)
                    f.write(f"{mac}\t{raw_lat}\t{raw_lon}\t{lat:.8f}\t{lon:.8f}\n")

        print(f"Saved {len(results)} entries to {output_file}")
        return results

    def main():
        args = parse_arguments()
        print("Searching for location of bssid: %s" % args.bssid)
        results = query_bssid(args.bssid)

        # Determine which BSSIDs to process
        bssids_to_process = results.keys() if args.all else [args.bssid.lower()]

        found = False
        for bssid in bssids_to_process:
            if bssid in results:
                lat, lon, raw_lat, raw_lon = results[bssid]
                if lat == -180.0 and lon == -180.0:
                    continue # Skip entries that were not found
                if found:
                    print()
                print(f"BSSID: {bssid}")
                print(f"Raw latitude integer: {raw_lat}")
                print(f"Raw longitude integer: {raw_lon}")
                print(f"Latitude (degrees): {lat:.8f}")
                print(f"Longitude (degrees): {lon:.8f}")
                if args.map:
                    url = f"http://www.google.com/maps/place/{lat:.8f},{lon:.8f}"
                    webbrowser.open(url)
                found = True
        if not found:
            print("The bssid was not found.")

    if __name__ == '__main__':
        main()

    # end of C:\app\os\python\apple_bssid_locator\apple_bssid_locator.py
    --
    We need to work together to help Apple understand that it is morally,
    ethically & legally reprehensible to not allow us to opt out of WPS.
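
Added example, not part of the original thread or of the script posted above: it decodes the fixed-point integers the post describes with exact decimal arithmetic, skips the -180/-180 "not found" sentinel the script checks for, and compares the storage resolution of one stored unit with the spread of the post's four-row Shreveport sample. The BSSIDs and the sentinel row are constructed placeholders; the function names and the spherical-Earth radius are assumptions of this example.

```python
from decimal import Decimal
from math import asin, cos, radians, sin, sqrt

SCALE_DIGITS = 8               # per the post: stored value ~ degrees * 1e8
NOT_FOUND_RAW = -180 * 10**8   # the script skips results equal to -180.0/-180.0
EARTH_RADIUS_M = 6_371_000     # assumption: mean radius, spherical Earth

# Constructed sample: bssid, raw_lat, raw_lon (the script's first three columns).
# BSSIDs are placeholders; the raw pairs are the four-row sample quoted in the
# post, followed by one constructed "not found" row.
SAMPLE = """\
02:00:00:00:00:01 3246034622 -9381387329
02:00:00:00:00:02 3246035003 -9381387329
02:00:00:00:00:03 3246034622 -9381386566
02:00:00:00:00:04 3246102142 -9381381988
02:00:00:00:00:05 -18000000000 -18000000000
"""

def decode_fixed(raw: int) -> Decimal:
    """Exact degrees from the stored integer, with no binary-float rounding."""
    return Decimal(raw).scaleb(-SCALE_DIGITS)

def parse_rows(text: str) -> dict:
    """Return {bssid: (lat, lon)} as Decimals, dropping sentinel rows."""
    out = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line
        bssid = fields[0].lower()
        raw_lat, raw_lon = int(fields[1]), int(fields[2])
        if raw_lat == NOT_FOUND_RAW and raw_lon == NOT_FOUND_RAW:
            continue  # compare raw integers, not converted floats
        out[bssid] = (decode_fixed(raw_lat), decode_fixed(raw_lon))
    return out

def haversine_m(p, q) -> float:
    """Great-circle distance in metres between two (lat, lon) pairs."""
    lat1, lon1, lat2, lon2 = (radians(float(v)) for v in (*p, *q))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_M * asin(sqrt(a))

def cluster_span_m(points) -> float:
    """Largest pairwise distance in metres among the given points."""
    pts = list(points)
    return max((haversine_m(p, q) for i, p in enumerate(pts) for q in pts[i + 1:]), default=0.0)

def lsb_size_mm(lat_deg: float):
    """Ground size of one stored unit (1e-8 degree): (north-south, east-west) in mm."""
    ns = radians(10.0 ** -SCALE_DIGITS) * EARTH_RADIUS_M * 1000
    return ns, ns * cos(radians(lat_deg))
```

On the sample, the four decoded points span about 75 m while one stored unit is about 1.1 mm north-south, so the trailing digits carry far more resolution than the position estimate itself.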
  • From Chris@ithinkiam@gmail.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 18:59:58 2025
    From Newsgroup: comp.sys.mac.advocacy

    Marian <marianjones@helpfulpeople.com> wrote:
    Marian wrote:
    Apple's system is so different from everyone else's system that it was
    trivial for me, a nobody, to do it - using open source code out there.

    One perfectly reasonable disagreement is that Chris repeatedly disputed
    my personal ad hoc characterization that it is "trivial" to get the location of up to 400 APs near any given AP in Apple's highly insecure but very public WPS database.

    That's fine as adults can disagree on effort given differing skill sets.
    a. Chris repeatedly claimed it was not trivial
    b. I easily proved that it was excessively trivial

    Too trivial, in fact.
    Anyone can do it.

    Let's remind ourselves of what your original claim was:

    Let's just say California wanted to find all the people who moved from
    California to Florida who retired to ask them to pay their 401K taxes.

    It would be trivial, using Apple's WPS system, to find everyone in any
    given county in Florida who recently moved there from California.

    It's been two weeks since I challenged you to complete this "trivial" task.

    TBF you have done more than I thought you would. However, it is nowhere
    near being able to trace any Californian who may have moved to Florida for
    the purposes of chasing them for taxes solely by their router.

    It's quite clear that:
    a) it is not trivial
    b) you've proved nothing new

    As a side note, it is quite hypocritical of Donald to claim that MAC
    addresses are private information which identifies people directly and then
    to post hundreds of real ones all over usenet. Why would he choose to
    violate people's privacy like that?


  • From Marian@marianjones@helpfulpeople.com to misc.phone.mobile.iphone,comp.sys.mac.advocacy on Mon Dec 22 13:25:25 2025
    From Newsgroup: comp.sys.mac.advocacy

    Chris wrote:
    Too trivial, in fact.
    Anyone can do it.

    Let's remind ourselves of what your original claim was:

    Your call if you wish to remain civil and discuss this at an adult level.

    What happened on my side was:
    a. I'm aware of WPS (google, mozilla, WiGLE, etc.)
    b. All of whom respect my opt-out wishes for privacy
    c. Yet, I recently read the paper by Eric Rye about Apple's WPS system
    (bolstered by summaries from the likes of Brian Krebs and others)

    Suffice to say:
    1. I was appalled at the shocking privacy implications of Apple's WPS
    2. Which is different from all the others in shockingly insecure ways
    3. So, I tested out Apple's WPS database by modifying FOSS scripts
    (and writing a few of my own, e.g., to compare location changes)

    After spending *years* opting out of WPS databases, I almost had a heart
    attack when I found I was in Apple's WPS DB, for all the world to see.

    I don't have any special coding skills, but I was able to do almost
    everything the reviewers claimed could be done, which I characterized as trivial to do.

    The fact I did it is legitimate proof that it's trivial to do, in fact.
    Which is one of the most scary parts of all, is it not?

    What's even more scary is the mere fact I'm in the database, even though I followed every Apple public directive to opt out, means Apple does not
    follow their own privacy policy.

    That's legally, ethically & morally wrong, in my humblest of opinions. Currently, I'm trying to get Apple to reverse that decision.

    If/when I'm successful, I will have protected the privacy of millions.

    Let's just say California wanted to find all the people who moved from
    California to Florida who retired to ask them to pay their 401K taxes.

    It would be trivial, using Apple's WPS system, to find everyone in any
    given county in Florida who recently moved there from California.

    It's been two weeks since I challenged you to complete this "trivial" task.

    I already proved it, Chris.
    I provided you with the code, in fact.

    So even you can prove it to yourself.
    The fact you don't understand the proof doesn't mean it's not trivial.

    And besides, it's a red herring for you to make me prove that I can do what
    is OBVIOUS anyone can do with the data, and which the papers said they
    could do.

    Your only goal is to defend Apple to the death, no matter what, using the
    first inanely absurd excuse that you can think of to defend Apple's WPS.

    What you're asking me is to track people I have no intention of tracking.
    Just because you're desperate to defend Apple to the death, no matter
    what.

    That's not what adult discourse is all about, Chris.
    a. It is trivial.
    b. Everyone who ran the code knows it's trivial.

    For you to claim otherwise, likely means you haven't run the code yet.
    Run it.

    Then tell us what you think of it.

    TBF you have done more than I thought you would. However, it is nowhere
    near being able to trace any Californian who may have moved to Florida for the purposes of chasing them for taxes solely by their router.

    Ah, but it is.
    You think I can't run my own code, Chris?

    I can start with my own BSSID, for example.
    And then radiate outward from there.

    It's trivial.
    Anyone who ran the code knows that.

    Run the code.
    Then tell us it can't do what it does.

    It's quite clear that:
    a) it is not trivial
    b) you've proved nothing new

    As a side note, it is quite hypocritical of Donald to claim that MAC addresses are private information which identifies people directly and then to post hundreds of real ones all over usenet. Why would he choose to
    violate people's privacy like that?

    Well, if you think the code, which is trivial to run, is not trivial to
    run, then you're simply proving a different point than whether or not it's trivial.

    Even Apple didn't deny my claims (in my emails to their VP & back).
    Neither did Brian Krebs (of Krebs Security) nor Mozilla Security.

    Certainly the researchers and the articles about it didn't deny this.

    Only you deny that it can be easily done.
    a. Just you.
    b. Nobody else.

    Since nobody but you claims that it can't be easily done, all you're really telling us is that no adult conversation is possible with people like you.

    Your only goal is to defend Apple to the death, no matter what, using the
    first insanely absurd excuse that you can think of to defend Apple's WPS.

    For you to claim otherwise, likely means you haven't run the code yet.
    Run it.

    Then tell us what you think of it.