Some companies position privacy as a key value proposition of their products and services. But that may not always be as true as advertised. A couple of days ago, Brian Krebs (Krebs on Security) shared information about some current location-based service functionality that sits largely below the surface.
The Wi-Fi positioning system (WPS) is similar to GPS, except that it uses Wi-Fi access points (APs) instead of satellites. Apple and Google devices regularly report back their locations even if they do not have location services open.
Using this data, the companies are able to build huge databases of AP locations around the world. This even affects people who do not have Apple or Google devices, seeing as they are invariably surrounded by others who do.
Although Apple's Wi-Fi Positioning System API is designed for Apple devices, anyone can query it from any device without authentication or even an API key.
University of Maryland computer researcher Erik Rye used a program written in Go on Linux to guess a large quantity of BSSID numbers until he finally got a real hit. At that point, the WPS API endpoint gave him another set of BSSIDs.
"Once you start getting hits, you can do what's called 'snowball sampling' and just feed those back in, and continuously sample over and over."
Using the BSSIDs collected from this process, Rye was able to create essentially a “Wi-Fi map of planet earth,” but actual hackers could use the information for malicious purposes, such as targeting individuals, collecting potentially valuable military information, and more.
Unlike Apple, the researcher noted, Google does not answer these requests with additional BSSIDs; it keeps the extra data unexposed. Google also requires an API key to access the information, and the paywall behind that key discourages bad actors from trying to breach it: they’d have to pay around 2 cents per query, which would add up quickly given the number of queries required to collect enough data to be useful.
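From the API owner's side, the guess-then-snowball pattern described above leaves a recognizable trace in request logs: a high miss rate while guessing, then queries for identifiers the client only knows because an earlier response disclosed them. The following is an added example, not code from the research or from FireTail; the log row layout, client names, BSSIDs and thresholds are all constructed assumptions.

```python
from collections import defaultdict

def _b(n):
    """Constructed BSSID in the locally administered range (not a real AP)."""
    return f"02:00:00:00:00:{n:02x}"

# Constructed log rows: (client, queried_bssid, hit, bssids_returned).
# The row layout is an assumption, not a real API's log format.
SAMPLE_LOG = (
    # client-a: ordinary lookups, all hits, never queries what it was handed back
    [("client-a", _b(n), True, [_b(n + 100)]) for n in range(1, 7)]
    # client-b: guessing, five of its six lookups miss
    + [("client-b", _b(n), n == 20, []) for n in range(20, 26)]
    # client-c: every query after the first is a BSSID from the previous response
    + [("client-c", _b(n), True, [_b(n + 1)]) for n in range(40, 46)]
)

def detect_enumeration(log, min_queries=6, miss_ratio=0.6, snowball_ratio=0.5):
    """Return {client: [reasons]} for clients that look like they are enumerating.

    Thresholds are illustrative assumptions; tune them against real traffic.
    """
    stats = defaultdict(lambda: {"n": 0, "miss": 0, "fed_back": 0,
                                 "asked": set(), "learned": set()})
    for client, bssid, hit, returned in log:
        s = stats[client]
        s["n"] += 1
        s["miss"] += 0 if hit else 1
        # Snowball step: the client asks about a BSSID it only knows because
        # an earlier response disclosed it.
        if bssid in s["learned"] and bssid not in s["asked"]:
            s["fed_back"] += 1
        s["asked"].add(bssid)
        s["learned"].update(b for b in returned if b not in s["asked"])

    findings = {}
    for client, s in stats.items():
        if s["n"] < min_queries:
            continue  # too little traffic to judge
        reasons = []
        if s["miss"] / s["n"] >= miss_ratio:
            reasons.append("guessing")
        if s["fed_back"] / s["n"] >= snowball_ratio:
            reasons.append("snowball")
        if reasons:
            findings[client] = reasons
    return findings

if __name__ == "__main__":
    print(detect_enumeration(SAMPLE_LOG))
```

The snowball signal only exists when responses disclose identifiers the caller did not ask about, which is why returning only the requested record removes both the signal and the problem.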
The broader issue here is around the consumer-informed collection, use and disclosure (or lack thereof) of data. One thing that stood out to us at FireTail, given our work in API security, was how much of this data was exposed via APIs in ways likely never foreseen by the legitimate users of the system.
But here’s the thing… bad actors don’t play by your rules. Just as you can’t rely on authorization checks built into your client app, because bad actors go straight to the backend API, you can’t assume that people who find data in your API will be as forthcoming in their disclosures as the researchers here.
Overall, the one thing you can do for your API security is to get full visibility into your API landscape so you can inventory all of your endpoints and keep track of any vulnerabilities. After all, if you can’t see it, you can’t secure it.