Wi-Fi-based Positioning Systems (WPSes) are used by modern mobile devices to learn their position using nearby Wi-Fi access points as landmarks. In this work, we show that Apple's WPS can be abused to create a privacy threat on a global scale. We present an attack that allows an unprivileged attacker to amass a worldwide snapshot of Wi-Fi BSSID geolocations in only a matter of days. Our attack makes few assumptions, merely exploiting the fact that there are relatively few dense regions of allocated MAC address space. Applying this technique over the course of a year, we learned the precise locations of over 2 billion BSSIDs around the world. The privacy implications of such massive datasets become more stark when taken longitudinally, allowing the attacker to track devices' movements. While most Wi-Fi access points do not move for long periods of time, many devices -- like compact travel routers -- are specifically designed to be mobile. We present several case studies that demonstrate the types of attacks on privacy that Apple's WPS enables: We track devices moving in and out of war zones (specifically Ukraine and Gaza), the effects of natural disasters (specifically the fires in Maui), and the possibility of targeted individual tracking by proxy -- all by remotely geolocating wireless access points. We provide recommendations to WPS operators and Wi-Fi access point manufacturers to enhance the privacy of hundreds of millions of users worldwide. Finally, we detail our efforts at responsibly disclosing this privacy vulnerability, and outline some mitigations that Apple and Wi-Fi access point manufacturers have implemented both independently and as a result of our work.

翻译：基于Wi-Fi的定位系统（WPSes）被现代移动设备用于通过附近Wi-Fi接入点作为地标来获取自身位置。在本研究中，我们证明苹果公司的WPS可被滥用以造成全球范围内的隐私威胁。我们提出一种攻击方法，使得非特权攻击者能够在短短数天内收集全球Wi-Fi BSSID地理位置的大规模快照。该攻击仅基于少量假设，主要利用了已分配MAC地址空间中密集区域相对较少这一事实。通过长达一年的技术应用，我们获取了全球超过20亿个BSSID的精确位置。当此类海量数据集进行纵向分析时，其隐私影响更为严峻，使得攻击者能够追踪设备的移动轨迹。虽然大多数Wi-Fi接入点长期处于固定位置，但许多设备（如便携式旅行路由器）本身就是为移动设计的。我们通过多个案例研究展示了苹果WPS可能引发的隐私攻击类型：通过远程无线接入点定位，我们追踪了出入战区（特别是乌克兰和加沙）的设备移动、自然灾害（特别是毛伊岛火灾）的影响，以及通过代理进行特定个体追踪的可能性。我们为WPS运营商和Wi-Fi接入点制造商提出建议，以增强全球数亿用户的隐私保护。最后，我们详细说明了负责任地披露该隐私漏洞的工作，并概述了苹果及Wi-Fi接入点制造商已独立实施或基于我们研究结果采取的部分缓解措施。