iPhone's Wi-Fi Positioning System spoofed using laptop
The Wi-Fi Positioning System (WPS) used by Apple's iPhone and iPod Touch and other mobile devices can easily be supplied with false information that makes the mobile think it's somewhere other than its true location. Researchers at the Swiss Federal Institute of Technology Zürich have found that all you need is a laptop, a Wi-Fi access point transmitter and a database of Wi-Fi access point locations.
The MAC address of an active Wi-Fi access point is continuously announced. WPS works by the client detecting the MAC addresses of nearby access points and comparing the cluster of detected addresses with a database that maps such clusters to geographical locations. The iPhone and iPod Touch apparently make use of the Skyhook Wireless Inc database of Wi-Fi access point locations, as do Nokia Symbian-based phones and PCs equipped with Skyhook's Loki plugin.
Unlike other positioning systems such as GSM, WPS does not triangulate, but instead looks for a specific location-dependent "signature". Professor Srdjan Capkun of the Zürich research team told heise online that WPS may use received signal strength as well, but this has not been confirmed officially. High positional accuracy – claimed to be in the order of 20m – is possible in dense urban locations such as major towns, where the close proximity of numerous Wi-Fi access points results in considerable overlap of their typical 100m radius of access.
But the simplistic WPS location strategy turns out to be its Achilles heel. The Zürich researchers found that they could readily jam the channels carrying real incoming Wi-Fi MAC announcements and substitute others of their own choosing on free channels – there being 13 available channels, not all of which will be in use at any one time and location. By transmitting the MAC address cluster of a distant location, they first fooled the iPhone into thinking they were across town from their real location. However, the GSM capability of the iPhone overrides its WPS location capacity, so the researchers had to jam the GSM signal using an additional jammer device before they could carry out their most dramatic demonstration – an iPhone in Zürich that thought it was near the entrance to the Holland Tunnel in New York City.
The researchers found that the Apple mobiles were not the only susceptible devices. They repeated the experiment successfully using the Loki plugin on a PC. They also point out that, by transmitting a cluster of MAC addresses belonging to access points that are not in the same geographical area, the localisation algorithm in a mobile device can be confused completely, effectively denying service to the user.
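The lookup described above also suggests a client-side plausibility check. The following Python sketch is an added example, not code from the researchers, Apple or Skyhook: it assumes a simple centroid position estimate, a constructed MAC-to-location database, and an assumed 5 km tolerance against an independent coarse fix (for example a cell-based one).

```python
import math
from itertools import combinations

AP_RANGE_M = 100.0  # typical access-point radius quoted in the article

# Constructed sample database: MAC -> (lat, lon). Not real survey data.
AP_DB = {
    "00:11:22:33:44:01": (47.3763, 8.5476),    # Zurich cluster (constructed)
    "00:11:22:33:44:02": (47.3766, 8.5481),
    "00:11:22:33:44:03": (47.3760, 8.5470),
    "66:77:88:99:aa:01": (40.7262, -74.0113),  # New York cluster (constructed)
    "66:77:88:99:aa:02": (40.7265, -74.0108),
}

def distance_m(a, b):
    """Great-circle distance in metres (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371000.0 * math.asin(math.sqrt(h))

def locate(scan, coarse_fix=None, coarse_error_m=5000.0):
    """Return (position, verdict) for a list of observed MAC addresses."""
    known = [AP_DB[m] for m in scan if m in AP_DB]
    if not known:
        return None, "no-known-aps"
    # Two APs heard from one spot cannot be further apart than 2 * range.
    if any(distance_m(a, b) > 2 * AP_RANGE_M for a, b in combinations(known, 2)):
        return None, "inconsistent-cluster"
    # Assumed estimator: centroid of the known access points.
    pos = (sum(p[0] for p in known) / len(known),
           sum(p[1] for p in known) / len(known))
    # A self-consistent but transplanted cluster needs a second source to catch.
    if coarse_fix is not None and distance_m(pos, coarse_fix) > coarse_error_m:
        return pos, "disagrees-with-coarse-fix"
    return pos, "ok"
```

The pairwise test catches the mixed-cluster case; a transplanted but self-consistent cluster passes it and is flagged only when a second position source is available.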
- iPhone and iPod Location Spoofing Attacks, research report by the Swiss Federal Institute of Technology