Your smartphone constantly checks available Wi-Fi nodes, looking to reconnect with any that you’ve used before. You can see it happening, and it’s very convenient (though vulnerable to spoofing and “evil twin” attacks).
But as PC Mag reports, what you don’t see is that your smartphone also uploads identifying details about your router to giant databases maintained by Apple, Google, and others. These databases benefit you (and everyone else) by fine-tuning your device’s GPS location skills. We’re here to explain why you might not want to participate and show you how to opt out.
What Is a Wi-Fi Positioning System?
When you ask your mapping app for a route, it uses GPS to figure out your starting point, and to show your progress along the route. But GPS alone can be slow, so your smartphone supplements it with data from a Wi-Fi Positioning System (WPS). In an informative blog post, a Kaspersky researcher explains, “WPS is what enables you to see your location almost immediately when you open a map app. Relying on ‘pure’ GPS data from satellites would take a few minutes.”
Apple maintains a WPS database built on data from iPhones, iPads, and Macs. Google has its own WPS database, relying on the profusion of Android devices. Those are the two big ones.
When your smartphone, in its constant search for available Wi-Fi, encounters a new hotspot, it sends the router’s BSSID to the appropriate database, along with signal strength and a few other data points. What’s a BSSID? Well, you’re probably familiar with the term SSID, which is the name you give your Wi-Fi network. Multiple hotspots can have the same SSID, but the BSSID is unique, based on the router’s MAC address.
The WPS system aggregates all reports for a given BSSID and derives its best guess as to the router’s location. If the router stays put long enough (several days to a week), it gets added to the database. Plotted on a map, the database would look like a host of overlapping circles. When your phone queries the system requesting location data, it sends data for all the routers in range. The WPS, in effect, finds the intersection of the corresponding circles and says, “There you are!”
What’s Wrong With WPS?
Common wisdom about choosing an SSID for your home network suggests avoiding anything too close to a nearby hotspot name and keeping personal data out of the name. Using your address might seem clever, but it’s not. Anybody passing in range of the router sees your SSID. You don’t want to also give them your exact location.
But there’s the rub. Anyone with sufficient tech skills can get free API-based access to the WPS databases. Even if your SSID is GetOffMyLawn or NoFreeWeb4U, a tech-savvy ne’er-do-well can parlay the SSID and general location into BSSID access. And with the BSSID, they can get your exact location.
According to PC Mag, while that’s not a big deal in general, picture a situation where you’re forced to move to a new location to escape a cyberstalker. If your stalker previously captured your router BSSID, all they need do is sit back and wait for that BSSID to reappear in the system. You’re exposed.
If you’re a hotshot executive traveling the world with your personal mobile hotspot, you could also be subject to unwanted tracking. It’s true that the hotspot’s BSSID typically won’t reappear in the system until it’s been immobile for a few days, but why take chances?
Satellite internet terminals like Starlink use Wi-Fi and can be located through a WPS. Such terminals are also often used in war zones and other sensitive areas. Researchers at the University of Maryland demonstrated the danger by mapping Wi-Fi BSSIDs in Ukraine and Gaza. Now that’s alarming.
How to Opt Out
If learning about the possible dangers has you worried, or if you’re just enthused about every possible enhancement to your privacy, it’s easy enough to opt out. Both Apple and Google have agreed to ignore routers with SSIDs having a certain format. Specifically, if the router name ends in “_nomap” they ignore it.
To make that change, you’ll have to dig into your router’s settings, a process that starts by determining the router’s IP address. It’s not difficult. Press Windows-R to open the Run dialog, enter CMD, and press Enter. In the resulting command prompt, enter the command IPCONFIG. The address you want is labeled Default Gateway, and chances are very good that it is 192.168.1.1 – now open a browser window and enter the found IP address into the Address Bar.
Exactly what happens next depends on what kind of router you have. You’ll need a username and password to access router settings. If you draw a blank, turn the router over. Sometimes the credentials are printed on a sticker on the back or bottom of the router. No sticker? Consult the internet to find the default credentials for your router model. If all else fails, check in with your ISP’s tech support.
Some modern routers don’t support browser-based access to settings, relying instead on a smartphone app. In such a case, trying to access settings in your browser will probably bring up a QR code that you can use to get the app.
Whether in the browser or an app, your next task is to find the entry that controls the SSID. This may be labeled SSID, Network Name, or something similar. Once you’ve found it, simply add “_nomap” to the existing name. If the name gives away your location, consider changing it completely, leaving the “_nomap” ending. While you’re changing your router settings, consider choosing a new Wi-Fi password as well. And if you logged into the settings by using default credentials, well, that’s a big security hole. Change those credentials to something unique and store them in your password manager.
Now comes the fun part. For every laptop, every smartphone, and every smart home device, you will have to tweak the settings to use the new SSID and (if you changed it) the new password. Yes, there’s some work involved, but it’s a good security exercise, and you’ll wind up knowing exactly how many devices are sucking memes and data through your Wi-Fi router.
—
Photo Credit: lucadp / Shutterstock.com