XPost: misc.phone.mobile.iphone
From: marianjones@helpfulpeople.com
Given no WPS database is as insecure as Apple's GPS database, I followed
exactly what the researchers suggested so that now I can easily collect the
entire Apple WPS GPS database for the mere cost of 120GB of storage space.
Yes. It's that trivial to get every single GPS location of every single
access point in Apple's highly insecure and very public WPS database.
Apple's implementation is so fundamentally flawed, that this is trivial!
If it's trivial for me to do, think about what the bad guys can do.
Yet, Chris repeatedly claimed it was NOT trivial.
Hence, to prove to Chris (and others) how trivial it is to replicate why
researchers were appalled that Apple has no restrictions on access, below
is basically a single-line change to the FOSS code used to query the db.
I modified the FOSS code so that it returns up to 400 GPS:BSSID pairs with
every query now. This slight modification enables me to easily & perfectly
reproduce the published research. Bare in mind I have no special coding
skills. That's the really scary part of how poorly this is implemented.
#!/usr/bin/env -S uv run --script
# -*- coding: utf-8 -*-
# C:\app\os\python\apple_bssid_locator\apple_bssid_locator.py
# Queries Apple WPS database for GPS:BSSID location pairs
# Implementation based on https://github.com/hubert3/iSniff-GPS
#
# Usage: apple_bssid_locator.py 11:22:33:AA:BB:CC
# Usage: apple_bssid_locator.py 11:22:33:AA:BB:CC --all
# Usage: apple_bssid_locator.py 11:22:33:AA:BB:CC --map
#
# Changelog:
# v1p0 20251205 - Initial version
# v1p1 20251214 - Added logging to results.txt
# v1p2 20251215 - Timestamped results.txt to avoid overwrites
# v1p3 20251219 - Limited output to 6 decimal places
# v1p4 20251219 - Added raw integer output alongside converted decimals
# v1p5 20251222 - Fixed raw to decimal conversion (divide by 100 Million)
import argparse
import requests
import webbrowser
import AppleWLoc_pb2
def parse_arguments():
parser = argparse.ArgumentParser()
parser.add_argument("bssid", type=str, help="display the location of the
bssid")
parser.add_argument("-m", "--map", help="shows the location on google
maps", action='store_true')
parser.add_argument("-a", "--all", help="shows all results returned, not
just the requested one", action='store_true')
args = parser.parse_args()
return args
def format_bssid(bssid):
return ':'.join(e.rjust(2, '0') for e in bssid.split(':'))
def query_bssid(bssid, output_file="results.txt"):
apple_wloc = AppleWLoc_pb2.AppleWLoc()
wifi_device = apple_wloc.wifi_devices.add()
wifi_device.bssid = bssid
apple_wloc.unknown_value1 = 0
apple_wloc.return_single_result = 0 # request ALL results
serialized_apple_wloc = apple_wloc.SerializeToString()
length_serialized_apple_wloc = len(serialized_apple_wloc)
headers = {'User-Agent':'locationd/1753.17 CFNetwork/889.9 Darwin/17.2.0'}
data = b"\x00\x01\x00\x05"+b"en_US"+b"\x00\x13"+b"com.apple
locationd"+b"\x00\x0a"+b"8.1.12B411"+b"\x00\x00\x00\x01\x00\x00\x00" +
bytes((length_serialized_apple_wloc,)) + serialized_apple_wloc
r = requests.post('https://gs-loc.apple.com/clls/wloc', headers=headers,
data=data)
apple_wloc = AppleWLoc_pb2.AppleWLoc()
apple_wloc.ParseFromString(r.content[10:])
# Build dictionary of results
results = {}
with open(output_file, "w") as f:
for wifi_device in apple_wloc.wifi_devices:
if wifi_device.HasField('location'):
raw_lat = wifi_device.location.latitude
raw_lon = wifi_device.location.longitude
lat = raw_lat * 1e-8
lon = raw_lon * 1e-8
mac = format_bssid(wifi_device.bssid)
results[mac] = (lat, lon, raw_lat, raw_lon)
# Write both raw integers and converted decimals (8 decimal
places)
f.write(f"{mac}\t{raw_lat}\t{raw_lon}\t{lat:.8f
\t{lon:.8f}\n")
print(f"Saved {len(results)} entries to {output_file}")
return results
def main():
args = parse_arguments()
print("Searching for location of bssid: %s" % args.bssid)
results = query_bssid(args.bssid)
# Determine which BSSIDs to process
bssids_to_process = results.keys() if args.all else [args.bssid.lower()]
found = False
for bssid in bssids_to_process:
if bssid in results:
lat, lon, raw_lat, raw_lon = results[bssid]
if lat == -180.0 and lon == -180.0:
continue # Skip entries that were not found
if found:
print()
print(f"BSSID: {bssid}")
print(f"Raw latitude integer: {raw_lat}")
print(f"Raw longitude integer: {raw_lon}")
print(f"Latitude (degrees): {lat:.8f}")
print(f"Longitude (degrees): {lon:.8f}")
if args.map:
url = f"http://www.google.com/maps/place/{lat:.8f},{lon:.8f}"
webbrowser.open(url)
found = True
if not found:
print("The bssid was not found.")
if __name__ == '__main__':
main()
# end of C:\app\os\python\apple_bssid_locator\apple_bssid_locator.py
--
The goal is for all of us to help Apple understand it's morally, legally
and ethically reprehensible for Apple's WPS design to remain this bad.
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
