Apple’s tracking technology, AirTag, has encountered a critical issue, revealing the locations of Starlink dishes worldwide, including in sensitive areas. Apple’s tracking system, which differs from Google’s Wi-Fi Positioning Systems (WPS), can map the locations of various devices by capturing the MAC addresses of multiple devices in close proximity. This broad approach, while effective for locating AirTags anywhere globally, has now revealed the vulnerabilities of other technology, such as Starlink’s satellite dishes.
A study undertaken by researchers at the University of Maryland has leveraged Apple’s BSSID sharing feature, uncovering the locations of some 488 million devices, which inadvertently included Starlink satellite Internet equipment. The research was able to pinpoint nearly all locations, with the notable exceptions of deserts, rainforests, and China due to the lack of devices in these areas.
To address the security concern, Starlink has initiated a software update that randomizes the router’s BSSID. The update began rolling out early in 2023 for the main router, with subsequent updates for WiFi repeaters, and is now being deployed across the entire Starlink network region by region. This effort is intended to combat the potential misuse of location data captured before these security measures were put in place.
It is particularly noteworthy that the study mapped devices within conflict areas, pointing out the presence of Starlink dishes in hot zones such as Ukraine. There has been a considerable dispute around Starlink’s satellite Internet kits due to their strategic importance in conflict scenarios. In specific instances, SpaceX has limited the functionality of these dishes, for instance, to prevent their use in drone attacks, citing concerns about possible retaliation.
Nevertheless, SpaceX’s CEO, Elon Musk, has acknowledged the resilience of Starlink’s communication system in Ukraine, which remains operational amidst Russian efforts to jam communication channels. He stated that SpaceX allocates “significant resources” to combat Russian jamming tactics, which have succeeded in disrupting other systems, leaving Starlink as the sole service still active in the region.
As a response to the findings of this security flaw, Apple has discreetly released an update that permits users with the necessary knowledge to opt out by appending a “_nomap” suffix to their WiFi SSID name. The researchers involved in this study, including UMD’s Associate Professor David Levin, have suggested that Apple should impose stricter limitations on the API access, potentially by rate-limiting queries to prevent the accumulation of such vast data sets in the future.
In conclusion, this incident highlights the need for continuous vigilance and enhancement of security features in connected devices. While technological advancements bring immense benefits, ensuring the privacy and safety of users must always be a top priority, necessitating the collaborative efforts of tech companies to protect against exploitation and unintended consequences.
