
Apple and YOUR privacy.


Apple knows your Wifi SSID and where it's located.
You may say, no news here because I authorized it in my iPhone.

Yes, ok.. but did you authorize Apple to know MINE too?

Ok.. you're confused.. I'll explain:
Every time you use Google Maps on your iPhone, or any other application that uses the location service, you are sending Apple your GPS position along with the Wifi MAC addresses of the networks (access points) your phone sees.
So, let's say, you didn't authorize Apple to know where you are but someone else has.
Now picture that someone else passing by near your house.
As soon as that someone uses the location service, Apple will know the position of your wifi access point.
I wonder how this passed totally under the radar of "privacy aware" organizations.
It won't be long until someone exploits this and Pandora's box is opened.

A proof: the MAC address of one of my access points is in Apple's database. I don't have a 3G or 3GS iPhone and I've never authorized Apple to map my access point's location.
But if I check with my iPod Touch and Google Maps while I'm connected to that access point, Apple gives me my position, and pretty accurately.
Of course, if I switch to another access point in my network, or if I change the MAC address of the same access point, Apple doesn't know "yet" where I am.

At least until someone passing by my house uses the "location" services.
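A toy model of the collection mechanism described above, as an added example that is not part of the original post and not Apple's code. The class name, MAC addresses and coordinates are constructed, and averaging the reported fixes is an assumption made for illustration.

```python
from statistics import mean


class WifiLocationDB:
    """Maps an access point MAC -> GPS fixes reported by other people's devices."""

    def __init__(self):
        self._fixes = {}  # mac -> list of (lat, lon)

    def report(self, gps, visible_macs):
        """A device with location services enabled uploads its GPS fix
        together with every access point it can hear, joined or not."""
        for mac in visible_macs:
            self._fixes.setdefault(mac.lower(), []).append(gps)

    def locate(self, visible_macs):
        """A device without GPS sends the access points it hears and gets
        back the mean of the stored fixes, or None if none are known."""
        fixes = [f for m in visible_macs for f in self._fixes.get(m.lower(), [])]
        if not fixes:
            return None
        return (round(mean(f[0] for f in fixes), 5),
                round(mean(f[1] for f in fixes), 5))


def demo():
    db = WifiLocationDB()
    my_ap = "00:11:22:33:44:55"       # constructed; its owner never opted in
    changed_ap = "02:11:22:33:44:55"  # the same access point after a MAC change
    # Passers-by who did opt in use a map application near the house.
    db.report((45.46420, 9.19000), [my_ap, "66:77:88:99:aa:bb"])
    db.report((45.46424, 9.19004), [my_ap])
    known = db.locate([my_ap])          # position returned without any GPS
    unknown = db.locate([changed_ap])   # not in the database "yet"
    # The next passer-by re-maps the access point under its new MAC.
    db.report((45.46422, 9.19002), [changed_ap])
    remapped = db.locate([changed_ap])
    return known, unknown, remapped
```

The only input the access point owner controls is the MAC address it broadcasts, and changing it hides the location only until the next report arrives.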

This behaviour is TOTALLY against the law, at least here in Europe.

Feel free to spread the word about this "issue", and please link back to this article.

Comments

  1. It's certainly shifty, though I imagine they'll keep on doing it and just argue that your network is publicly visible and accessible, therefore has no expectation of privacy.

    Not saying that's a good thing, but I suspect it's how it will all go down.

    Note: I've no idea of the specifics of local law where you are.

  2. You may be right. But it should be the same with photography! I can just go and shoot pictures of people without their consent. Even Google Maps had to hide people's faces.
    Because that puts someone in some place at some date and time.
    It should be the same with wifi mac addresses.

  3. Also my door or my car plate are publicly visible.

    What if someone maps the location of car labels?

    What do you think will happen?
    A riot.

    Wifi MAC address and SSID are visible (sometimes); that doesn't mean anyone can know where an access point is.

    Same for cars: you can't know where a car is based on its plate.

    And you can't make a map of where a car plate is at a single date/time.

    It's exactly the same thing.

    This behaviour is illegal.
    Period.

  4. Are you sure they are not using the IP address to know your location?
    When ISPs register IP addresses they give the locations of the IP addresses.
    When using DSL, the location is the location of the nearest POP, which in dense areas is near your location.
    Are you sure they are not using this?

  5. 100% sure.

    They are using the access point mac address.

  6. Yeah, I agree with you 100%. Whether it's strictly legal or not aside, it opens doors to a whole world of problems down the road; particularly given it's mac addresses being recorded, without consent.

    Makes me cringe too. All those wifi finder apps that are constantly scanning and geotagging access points for users, just one guy going for a drive would provide Apple with physical locations and mac addies of every network along the way, without his even attempting to join them.

  7. Hi Zibri,

    I guess it is an issue of GMaps. I'll try ASAP to sniff GMaps internet traffic off my Android Magic Smartphone.

    Cheers Zibri!

  8. P.S.

    Your article just published on my FB wall

  9. Gmaps is a little different.

    This is what happens when you use gmaps on the iPhone:

    1) The iPhone contacts Apple sending your gps position and the wifi mac addresses it sees (on an https connection).

    2) Apple answers with the position (if they have it).

    3) The iPhone asks gmail for the map based on the coordinates Apple gave it and/or cell tower id.

    Note: that last method is the one used on PC and on Android too.
    I don't care if Google knows the GPS position of cell towers, I care if they know the GPS position of a wifi access point MAC address.

  10. Zibri, you're entirely incorrect. Apple does not get this information from iPhones that send them the MAC addresses of nearby routers when using CoreLocation. Apple licenses this information from a company called Skyhook that drives around in various towns and cities with trucks that index MAC addresses and log their exact GPS locations.

    When you use an iPod touch and use CoreLocation while connected to a Wi-Fi network, it will report all of the MAC addresses of base stations it sees around it and will connect to some server and grab the GPS coordinates of those locations.

    See http://en.wikipedia.org/wiki/Skyhook_Wireless

  11. Now the news has spread even outside the iPhone world...

    http://www.theregister.co.uk/2010/04/22/google_streetview_logs_wlans/

  12. Maybe you've already read it...

    http://www.repubblica.it/tecnologia/2010/05/15/news/guai_per_google_street_view_ha_registrato_dati_wi-fi_privati-4087621/

