
BSSID Randomization


How Does WiFi Location Positioning & Tracking Work?

All Apple smartphones and laptops, as well as Google devices, passively collect access point names (the SSID) and their hardware addresses (the BSSID), and then tag them with the GPS location. With billions of customers, tech giants have been able to build databases that contain the physical position of almost every access point in the world.

Researchers from the University of Maryland published findings that the privacy features in the public APIs were insufficient to protect the privacy of individuals. See the paper by Erik Rye and Dave Levin for the details: "Surveilling the Masses with Wi-Fi-Based Positioning Systems"

Krebs On Security has a thorough review of the issue: "Why Your Wi-Fi Router Doubles as an Apple AirTag"

What Is the Impact On Privacy?

When an access point travels, it reveals its updated location to the general public, who can query the APIs and trick them into revealing location information. It also means that this feature could be used to stalk someone: anyone who knows the SSID and BSSID of their router can find their new location after they move homes, for example. Apple and Google have since added some hardening to help mitigate the attack, but the risks still largely remain.

What does this data look like?

The BSSID and SSID data is not private. It is available in Beacons and Probe Responses, which end up in the data used by Apple and Google to collect positioning information.


What is BSSID Randomization?

BSSID Randomization is assigning a random MAC address to the Access Point.

Why Enable BSSID Randomization?

When the BSSID is randomized, the position databases can no longer link an access point between locations. The databases cannot be queried with only the SSID name, so the position of the AP will be protected.

Why _nomap Isn't Enough?

Apple and Google have added a feature where, if the SSID has "_nomap" appended to its name, they will not include it in their database. This does not prevent companies that want to collect this information from collecting it anyway. It's also unrealistic for users to change their SSID name because they have to reconfigure all of their devices, which is a non-starter for most people with busy lives.

How to Enable BSSID Randomization with SPR?

In the 3.13 release we added a UI option to randomize the MAC address on startup. This supports both APs and interfaces working as wireless clients for internet uplink. It assigns a random address with the locally administered OUI bit set. A user can also pick an OUI from commonplace routers to cloak with instead.
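
The two modes described above, sketched as an added example (this is not SPR's own code). The function names are hypothetical and the cloak OUI 00:11:22 is a constructed placeholder.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"net"
)

// RandomBSSID (hypothetical helper, not SPR's code) returns a fresh 6-byte MAC.
// nil oui:    all bytes random, then locally administered bit set, multicast bit cleared.
// 3-byte oui: "cloak" mode, the vendor prefix is kept and only the last 3 bytes are random.
func RandomBSSID(oui []byte) (net.HardwareAddr, error) {
	mac := make(net.HardwareAddr, 6)
	if _, err := rand.Read(mac); err != nil {
		return nil, err
	}
	switch len(oui) {
	case 0:
		mac[0] = (mac[0] | 0x02) &^ 0x01
	case 3:
		if oui[0]&0x01 != 0 { // a BSSID must be a unicast address
			return nil, fmt.Errorf("OUI %x has the multicast bit set", oui)
		}
		copy(mac, oui)
	default:
		return nil, fmt.Errorf("OUI must be 3 bytes, got %d", len(oui))
	}
	return mac, nil
}

// IsLocallyAdministered reports whether bit 0x02 of the first octet is set.
func IsLocallyAdministered(mac net.HardwareAddr) bool { return len(mac) == 6 && mac[0]&0x02 != 0 }

// IsUnicast reports whether the multicast bit (0x01 of the first octet) is clear.
func IsUnicast(mac net.HardwareAddr) bool { return len(mac) == 6 && mac[0]&0x01 == 0 }

func main() {
	cloakOUI := []byte{0x00, 0x11, 0x22} // constructed placeholder, not a recommended vendor prefix
	for boot := 1; boot <= 2; boot++ {   // each startup yields a BSSID unrelated to the last one
		random, _ := RandomBSSID(nil)
		cloaked, _ := RandomBSSID(cloakOUI)
		fmt.Printf("boot %d: random=%s (local=%v) cloaked=%s (local=%v)\n",
			boot, random, IsLocallyAdministered(random), cloaked, IsLocallyAdministered(cloaked))
	}
}
```

An address with the locally administered bit set can be recognized as non-vendor by anyone who sees it, while a cloaked address keeps the first three bytes of an ordinary vendor prefix.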
