Wi-Fi-based Positioning System, how to avoid

A lot of users requires randomized BSSIDs. We decided to implement this asap.

Here is a discussion of how the WPS leaks your location.

This issue definitely comes from Apple and Google's design flaws. Smartphones (as well as other similar devices) report location of your AP by BSSID and send to their databases. These databases don't have restrictions for API queries. So an attacker can check the location based on BSSID and know where you are. In a travel router scenario, they will know how do you travel.

While an attacker may not know to whom one BSSID belongs, this has created a threat indeed.
We believe Apple and Google will do some fix asap but from AP vendor's viewpoint, here is what you can do to enhance your privacy.

  1. In your SSID, add _optout_nomap to tell Apple, Google and Microsoft not to track the location of this wifi network.
  2. Hide your SSID. You don't want surrounding people know your SSID.
  3. Use randomized SSID manually, before we implement this in the UI. We will publish some method to do this.
  4. You can turn off your phone's location service, which may not be the choice of most of the people.

After you stop the phone tracking your location for 1 or 2 weeks, your data may be deleted from their database. We are not sure how long this will happen but hopefully this is the case.

5 Likes

Hahahahaahahahahaha.
Please tell me that this isn't the real solution provided by the big players. What the heck :rofl:

This isn't working as a security trick, btw.
Hiding your SSID won't work if someone is scanning the network. The SSID will be broadcasted by the connected device on every connection attempt. So it's more security by obscurity.

1 Like

Unfortunately this is.

They should just have an option in the wifi connection options to do this.

1 Like

Wow, GL, you are better every day. That’s why I like you :blush:

That’s called “evil corporations” :rofl:

  • Hide SSID will be more secure, but not as effective as someone can think (Alpha adapter for example)
  • SSID and BSSID should be randomised automatically each reboot. Changing it based on. time can cause connection issues.
  • Another phones will still send this information

But how will devices save a connection to a wifi network if both SSID and BSSID are randomized. It could work if some algorithm is used to generate them and some app (on the client device) is able to adjust the wifi-settings accordingly on the client devices.

Security vs. Convenience

Choose one.

Having to connect manually could be a security issue itself. That's why I am wondering about the client-side. I do believe it would be good if the router app could assist with doing just that.

Basically, it should be a toggle to choose what to be randomised. In most cases, it will be enough to randomise BSSID.

BUT! For security reasons, if it is travel router, it is highly recommended to randomise both, especially if you connect to shady networks.

You don’t need it. Randomisation will be done each reboot. It is not like every five minutes.

@alzhao Is this implemented for MT3000 too?

Yes. For all active models.

3 Likes

XE300, E750, SFT1200 active?