_nomap Please
Recently, I learned a bit about Wi-Fi Positioning Systems (WPS) that are used by major players like Apple and Google. These systems commonly use nearby Wi-Fi access points (APs) and their received signal strength indicator (RSSI) to locate a device. This technology is built into most flagship devices today and opting out usually means losing the ability for your device to know its own location 1.
Owners of APs are able to opt-out of being tracked by appending _nomap to the end of their network’s name (SSID). Apple, Google, Mozilla, and some independent crowd-sourced projects like beaconDB, the self-described public domain wireless geolocation database, all support this suffix for opting out. This is, however, not a universal standard and some other major players like Microsoft, who enjoys their individuality, do not support this.
To opt out of tracking, the big M asks that you visit their opt-out page and provide the MAC address of the hardware that advertises your Wi-Fi signal. While I am unsure if this is Microsoft exercising their discretion or being more transparent than other providers, they note that if “a request seems problematic, it may not be added to the block list” so there might be times where you request an opt-out and have that request denied.
Interconnected Highway Sidewalk
This would not be a true major-players/FAANG/big-tech/MAANG/acronym-of-the-month blog post if Amazon was not involved. Amazon, walking in lockstep with its big-tech brethren, introduced Amazon Sidewalk (pun-intended) to the U.S. in late 2019.
Amazon Sidewalk enables certain Amazon (and their subsidiaries) devices (Sidewalk Gateways) to act as bridges 2 that use a portion of their bandwidth 3 to send data for devices compatible with Sidewalk (Sidewalk Endpoints). These endpoints will then use the Sidewalk Network Service operated by Amazon to deliver packets of information to various application servers which may be owned by Amazon or by a third party. You can review Amazon’s whitepaper on Sidewalk for more in-depth information
Similar to Apple’s AirTag, Sidewalk is powered by Bluetooth (and 900 MHz LoRa), but it is especially impressive with a range of up to half a mile. I also thought it would be worthwhile to note that this is the same network that powers the AirTag’s rival - the Tile tracker.
Amazon has noted that their network covers more than 90% of the U.S. population, and this can be confirmed if you look at their public coverage map.
Per this help article I found, opting out of Sidewalk seems quite easy for end users - though I am unsure if opting out means your own endpoint devices would also not be able to use the Sidewalk network
Where’s the Chaos?
It has already been shown that these crowd-sourced geo-location systems can be misused by bad actors in Surveilling the Masses with Wi-Fi-Based Positioning Systems by Erik Rye and Dave Levin. In this paper, they explore how datasets like these can be misused by “merely exploiting the fact that there are relatively few dense regions of allocated MAC address space.” 4
Earlier this year, we also saw the nRootTag compromise found by George Mason University researchers that enables stealth tracking of Bluetooth devices by making them broadcast themselves as lost AirTags to nearby Apple devices.
Closing Thoughts
This post simply aggregated useful bits of information I found on this topic while looking into it, and there were far more pieces of information I wanted to tie in, but at that point this would become a case study.
I don’t think there is inherently a problem with systems like these. I find them incredibly interesting and useful for end-users, but we cannot ignore the security implications that come with widespread, interconnected systems like these. While writing this post, an article (and accompanying video) was released detailing how Flock Safety’s widespread camera system had a number of devices open to the internet and how this posed not only significant privacy and security risks, but psychological ones as well.
While these systems are not uniquely American, I’ve continuously heard this sentiment expressed: “What would our forefathers think of this?”
Apple and Google have tied this into their Location Services and Location Accuracy offerings, respectively. Apple seems a bit more restrictive as turning off Location Services means that your device loses its ability to locate itself entirely, but with Google/Android’s Location Accuracy you seem to be able to turn it off and still retain the ability for your device to locate itself…albeit more inaccurately. ↩︎
They’re officially referred to as Amazon Sidewalk Gateways or Sidewalk Bridges ↩︎
Up to 500MB per account per month and 80Kbps upload speed ↩︎
arXiv:2405.14975 [cs.CR] | Surveilling the Masses with Wi-Fi-Based Positioning Systems - Erik Rye, Dave Levin | ↩︎