Researchers from the University of Maryland have revealed significant privacy and security concerns related to the way Apple and Starlink geo-locate devices. Their study found that Apple’s Wi-Fi Positioning System (WPS) collects and publicly shares precise locations of Wi-Fi access points. This allows devices to determine their location without constantly relying on GPS. However, the researchers discovered that by querying Apple’s system, they could track movements and identify locations of military personnel in conflict zones, specifically in Ukraine and Gaza.

Global mapping: The team, led by Associate Professor David Levin and Ph.D. student Erik Rye, used Apple’s data to map over two billion Wi-Fi access points globally, with notable absences in China, central Australia, and parts of Africa and South America. By focusing on specific conflict zones, they identified Starlink terminals, revealing movements of Russian and Ukrainian troops, and tracked changes in Gaza during the Israeli-Hamas conflict.

Starlink updates: Starlink, owned by SpaceX, responded by implementing software updates to randomize the BSSID (a unique identifier for Wi-Fi access points) of their devices to enhance privacy. Despite these updates, Levin and Rye’s findings showed a significant decrease in trackable Starlink devices, indicating the changes were effective.

Apple has also addressed the issue by updating its privacy policy in March 2024, allowing users to opt-out of location data collection by adding “_nomap” to their Wi-Fi access point’s name. This change came after the researchers highlighted the lack of opt-out options.

Bottom line: The researchers caution that their findings present risks for vulnerable populations, such as those fleeing abusive relationships, and urge Apple to implement further safeguards to prevent misuse of its location data. They also noted that mobile hotspots, which randomize BSSIDs, do not pose the same privacy risks as static Wi-Fi access points.