Your smartphone constantly checks available Wi-Fi nodes, looking to reconnect with any that you’ve used before. You can see it happening, and it’s very convenient (though vulnerable to spoofing and “evil twin” attacks). What you don’t see is that your smartphone also uploads identifying details about your router to giant databases maintained by Apple, Google, and others. These databases benefit you (and everyone else) by fine-tuning your device’s GPS location skills. We’re here to explain why you might not want to participate and show you how to opt out.What Is a Wi-Fi Positioning System?When you ask your mapping app for a route, it uses GPS to figure out your starting point, and to show your progress along the route. But GPS alone can be slow, so your smartphone supplements it with data from a Wi-Fi Positioning System (WPS). In an informative blog post, a Kaspersky researcher explains, “WPS is what enables you to see your location almost immediately when you open a map app. Relying on ‘pure’ GPS data from satellites would take a few minutes.”Apple maintains a WPS database built on data from iPhones, iPads, and Macs. Google has its own WPS database, relying on the profusion of Android devices. Those are the two big ones.When your smartphone, in its constant search for available Wi-Fi, encounters a new hotspot, it sends the router’s BSSID to the appropriate database, along with signal strength and a few other data points. What’s a BSSID? Well, you’re probably familiar with the term SSID, which is the name you give your Wi-Fi network. Multiple hotspots can have the same SSID, but the BSSID is unique, based on the router’s MAC address.
The Best Wi-Fi Routers We’ve Tested
The WPS system aggregates all reports for a given BSSID and derives its best guess as to the router’s location. If the router stays put long enough (several days to a week), it gets added to the database.Plotted on a map, the database would look like a host of overlapping circles. When your phone queries the system requesting location data, it sends data for all the routers in range. The WPS, in effect, finds the intersection of the corresponding circles and says, “There you are!”
(Credit: Eric Rye/Black Hat/PCMag)
What’s Wrong With WPS?Common wisdom about choosing an SSID for your home network suggests avoiding anything too close to a nearby hotspot name and keeping personal data out of the name. Using your address might seem clever, but it’s not. Anybody passing in range of the router sees your SSID. You don’t want to also give them your exact location.But there’s the rub. Anyone with sufficient tech skills can get free API-based access to the WPS databases. Even if your SSID is GetOffMyLawn or NoFreeWeb4U, a tech-savvy ne’er-do-well can parlay the SSID and general location into BSSID access. And with the BSSID, they can get your exact location.That’s not a big deal in general, but picture a situation where you’re forced to move to a new location to escape a cyberstalker. If your stalker previously captured your router BSSID, all they need do is sit back and wait for that BSSID to reappear in the system. You’re exposed.If you’re a hotshot executive traveling the world with your personal mobile hotspot, you could also be subject to unwanted tracking. It’s true that the hotspot’s BSSID typically won’t reappear in the system until it’s been immobile for a few days, but why take chances?
(Credit: Eric Rye/Black Hat/PCMag)
Satellite internet terminals like Starlink use Wi-Fi and can be located through a WPS. Such terminals are also often used in war zones and other sensitive areas. Researchers at the University of Maryland demonstrated the danger by mapping Wi-Fi BSSIDs in Ukraine and Gaza. Now that’s alarming.How to Opt OutIf learning about the possible dangers has you worried, or if you’re just enthused about every possible enhancement to your privacy, it’s easy enough to opt out. Both Apple and Google have agreed to ignore routers with SSIDs having a certain format. Specifically, if the router name ends in “_nomap” they ignore it.
Recommended by Our Editors
To make that change, you’ll have to dig into your router’s settings, a process that starts by determining the router’s IP address. It’s not difficult. Press Windows-R to open the Run dialog, enter CMD, and press Enter. In the resulting command prompt, enter the command IPCONFIG. The address you want is labeled Default Gateway, and chances are very good that it is 192.168.1.1, as shown in the screenshot below.
(Credit: Microsoft/PCMag)
Now open a browser window and enter the found IP address into the Address Bar. Exactly what happens next depends on what kind of router you have. You’ll need a username and password to access router settings. If you draw a blank, turn the router over. Sometimes the credentials are printed on a sticker on the back or bottom of the router. No sticker? Consult the internet to find the default credentials for your router model. If all else fails, check in with your ISP’s tech support.Some modern routers don’t support browser-based access to settings, relying instead on a smartphone app. In such a case, trying to access settings in your browser will probably bring up a QR code that you can use to get the app.
(Credit: Apple/PCMag)
Whether in the browser or an app, your next task is to find the entry that controls the SSID. This may be labeled SSID, Network Name, or something similar. Once you’ve found it, simply add “_nomap” to the existing name. If the name gives away your location, consider changing it completely, leaving the “_nomap” ending. While you’re changing your router settings, consider choosing a new Wi-Fi password as well. And if you logged into the settings by using default credentials, well, that’s a big security hole. Change those credentials to something unique and store them in your password manager.Now comes the fun part. For every laptop, every smartphone, and every smart home device, you will have to tweak the settings to use the new SSID and (if you changed it) the new password. Yes, there’s some work involved, but it’s a good security exercise, and you’ll wind up knowing exactly how many devices are sucking memes and data through your Wi-Fi router.
Like What You’re Reading?
Sign up for SecurityWatch newsletter for our top privacy and security stories delivered right to your inbox.
This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.
About Neil J. Rubenking
Lead Analyst for Security
When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my “User to User” and “Ask Neil” columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
Read Neil J.’s full bio
Read the latest from Neil J. Rubenking
