1

While browsing the internet on my laptop, I allowed an internet site to access my location data. What I had expected was that it would show the name of my city based on my IP. I was quite shocked when I saw the precise address of my location, with the street name and house number! You can try it yourself at: https://browserleaks.com/geo

What I've read is that all browsers nowadays are using the Geolocation API. The data source of the geo position might be:

Common sources of location information include Global Positioning System (GPS) and location inferred from network signals such as IP address, RFID, WiFi and Bluetooth MAC addresses, and GSM/CDMA cell IDs, as well as user input.

As my laptop has no GPS and nothing to do with mobile phones - it's pretty obvious that my precise location was achieved by mapping WiFis. How exactly was it done?

Based on this article, which is 10 years old:

  1. Basically my browser asked my system* for a list of WiFi access points.
  2. Then my browser parsed it into a JSON string.
  3. Then my browser sent it to a Location-Based Service like Google Maps, which has mapped the infrastructure of all WiFi access points.
  4. Then the Location-Based Service calculated my position (I guess some kind of triangulation technique based on the location of known access points) and returned my very precise latitude and longitude (and additionally the actual address associated with those data, if requested).

  * As I am on Windows, it was probably by a WinAPI call, using the Native Wifi API.

So the questions are:

  1. If my Windows system grants my browser access to the WiFi access points list, without any questions - does it mean that ANY random program with internet access on my system could possibly get my very precise real location based on the WiFi mapping?
  2. And would it be ignored by any AV and almost undetectable (the only trace I can imagine could be a firewall log of a connection to a Geolocation Services Provider)?
  3. Is there any way on Windows to block programs from accessing that WiFi data?

It blows my mind from the standpoint of privacy how easy it seems to be for a malicious developer to track my real home/work location without my knowledge and permission.

2 Answers

2

Short answer: mostly yes, and that has been true for many years, unless you disable WiFi (and cellular if you have it, and probably Bluetooth) or operate somewhere without any networks in range.

These days, browsers (and other apps) generally ask the OS for location data, rather than fetching the nearby WiFi AP list and performing a lookup on it themselves. This API can be turned off entirely, or can be turned off for non-sandboxed ("desktop") apps, and allowed on a case-by-case basis for "Windows Store" (appcontainer) sandboxes. Assuming you're on at least Windows 10:

  • Open Windows Settings
  • Go to "Privacy & Security", possibly in the left sidebar
  • Scroll to "Location" and click it (you can also get there from anywhere by searching "Location" in the search box)
  • Turn off "Location services" to disable the API in general, including for built-in Windows functions like Find My Device.
  • Turn off location access for any individual sandboxed apps you don't want having access, or turn off "Let apps access your location" if you want to block them all
  • Turn off "Let desktop apps access your location" if you want to prevent non-sandboxed apps from using the API directly (though note that there are ways that they can work around this).

Desktop apps will indeed also be able to pull the list of nearby WiFi networks and their signal strengths whether or not Location Services are on (or available to desktop apps), and can use that to get your location with quite good accuracy. You might be able to prevent this by disabling WiFi and/or disconnecting from the Internet, but that's probably kind of inconvenient. Sandboxed apps generally can't access such WiFi network info, though; it requires permissions ("capabilities") that almost no sandbox is allowed to have. (Accessing the Location API from a sandbox also requires a capability, but that one is quite common.)

10
  • (Not a Windows regular user.) Just checked on Windows + Firefox with location disabled on the device, and it seems like they indeed then pull it from Wifi data. Only once I go into airplane mode the API fails.
    – Arminius
    Commented Aug 21, 2022 at 6:18
  • I'm afraid that management of permissions in Location Settings gives only an illusion of privacy, as it doesn't really stop programs from directly reaching WiFi data. It seems that Windows PCs are in this case much less secure than Android phones.
    – Gbr
    Commented Aug 21, 2022 at 11:47
  • 1
    @Gbr Not at all, you just don't understand the security model. If you run sandboxed apps - on Windows, Android, iOS, MacOS, etc. - they are limited to what permissions you give them. If you run full trust apps (on any platform, though it generally requires rooting on mobile), they can do anything the user can do including turn on location services or bypass the standard API. That is, and always has been, a simple fact of general-purpose operating systems. The only way around it is to run all sandboxed apps (as smartphones do) or sandbox yourself (run with very low privileges).
    – CBHacking
    Commented Aug 21, 2022 at 23:05
  • 1
    Respectfully, @Gbr, you don't know what you're talking about. In the context of Windows, "full trust" and "admin rights" are not the same thing (the former actually has two meanings, one .NET-specific, but neither are "admin rights"). Windows has - ever since Win8 (and WP7) - had a first-party sandboxing mechanism ("AppContainers") that is very similar to Android's permissions; the difference is that while on (un-rooted) Android all user-installed apps run in sandboxes subject to those permissions, Windows users can install either sandboxed or full-trust ("runs with full user privileges") apps
    – CBHacking
    Commented Aug 22, 2022 at 23:43
  • 1
    On iOS, the user can choose how precise the location information is per site. So different sites can get my exact location, or my village, or that I'm somewhere in the UK.
    – gnasher729
    Commented Mar 21, 2023 at 18:08
1

The other answer does a good job of answering the operating system portion. Here's how the WiFi portion works...

The WiFi subsystem can generate a list of surrounding access points and their signal strength (without connecting to them). If you have a survey of the location of those access points, it's fairly easy to correlate relative signal strengths to get a location. Depending on the density of the access points, the results can be accurate within 5-10 feet. (This isn't exactly triangulation, but it's similar; closer to the method of least circles.)

Worst case, if you can only see one access point, you know the location within about 200 feet, which would get you down to about the resolution of a house.

Similar things can be done with Bluetooth.

A number of years ago, Google did a drive-through survey and collected WiFi location data along with their Google Street View data. (I'm sure they repeat this periodically.) When they first did it, a lot of noise was made about privacy violations, but it's been largely ignored since.

So any application that can access WiFi or Bluetooth signal strength information can probably pinpoint your location pretty well. It doesn't help to disconnect the WiFi; it has to be turned off entirely so that you can't get a list of access points.
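
How a survey of access point positions plus relative signal strengths yields a position, as the answer above describes. This is an added example, not part of the original answer: the survey grid, BSSIDs, reference RSSI and path-loss exponent are constructed assumptions, and a weighted centroid stands in for whatever method a real location service uses.

```python
import math

# Constructed survey: BSSID -> (x, y) in metres on a local grid (all values made up).
SURVEY = {
    "02:00:00:00:00:01": (0.0, 0.0),
    "02:00:00:00:00:02": (40.0, 0.0),
    "02:00:00:00:00:03": (0.0, 30.0),
    "02:00:00:00:00:04": (40.0, 30.0),
}
REF_DBM = -40.0   # assumed RSSI at 1 m from an access point
PATH_LOSS = 3.0   # assumed indoor path-loss exponent

def rssi_to_distance(rssi_dbm):
    """Invert the log-distance path-loss model: RSSI (dBm) -> metres."""
    return 10 ** ((REF_DBM - rssi_dbm) / (10 * PATH_LOSS))

def simulate_scan(pos, survey=SURVEY):
    """Build the scan list a device at `pos` would see (integer dBm, no noise)."""
    scan = {}
    for bssid, ap in survey.items():
        d = max(math.dist(pos, ap), 1.0)
        scan[bssid] = round(REF_DBM - 10 * PATH_LOSS * math.log10(d))
    return scan

def estimate_position(scan, survey=SURVEY):
    """Weighted centroid of the surveyed APs heard in `scan`.

    Returns (x, y, nearest_ap_m), or None when no heard AP is in the survey
    (for example, the radio is off and the scan list is empty)."""
    heard = [(survey[b], rssi_to_distance(r)) for b, r in scan.items() if b in survey]
    if not heard:
        return None
    weights = [1.0 / d ** 2 for _, d in heard]   # closer APs count for more
    total = sum(weights)
    x = sum(w * ap[0] for w, (ap, _) in zip(weights, heard)) / total
    y = sum(w * ap[1] for w, (ap, _) in zip(weights, heard)) / total
    return x, y, min(d for _, d in heard)

if __name__ == "__main__":
    true_pos = (10.0, 10.0)
    full = simulate_scan(true_pos)
    x, y, _ = estimate_position(full)
    print("four APs:", round(math.dist((x, y), true_pos), 1), "m off")
    one = {"02:00:00:00:00:01": full["02:00:00:00:00:01"]}
    print("one AP:  within about", round(estimate_position(one)[2], 1), "m of that AP")
    print("radio off:", estimate_position({}))
```

With a single surveyed access point the estimate collapses to that access point's own position, and with an empty scan list there is nothing to look up.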

6
  • Disconnecting from the Internet entirely probably helps, as no device will have the full lookup table of MAC address locations stored locally. But in general, yes, to prevent fetching the data you either need to have WiFi disabled at the driver (or hardware) level, or the OS has to prevent the application from querying the driver. And it's not just WiFi, you can do the same with Bluetooth in many cases (though the max range is shorter and there are fewer devices with a fixed location to work from).
    – CBHacking
    Commented Mar 21, 2023 at 9:23
  • Disconnecting might not help, because the app can still record what devices it hears, and next time you connect, upload the log.
    – user10489
    Commented Mar 21, 2023 at 11:19
  • I think GPS applications tend to download data for complete areas so someone observing it has no idea where the requester is.
    – gnasher729
    Commented Mar 21, 2023 at 18:10
  • Yes, those are both true. I should have been clearer in the comment that it might help prevent location lookup at the time of the request but not necessarily in the future. The point about caching regional WiFi location data is also a good one, though I'm not sure how that works; it's better for the user's privacy if they can download data for a region and use it locally, but it's better for the data provider if they don't offer that data to user devices. Plausibly it depends on the provider, and there are some that offer the access point location data set for download.
    – CBHacking
    Commented Mar 22, 2023 at 1:00
  • @user10489 I haven't been looking here for a while... I think there is a theoretical way to prevent it. You need to hook into the Windows API which returns the list of SSIDs, just like some antiviruses hook into internal Windows APIs to control whether a program e.g. accesses some registry keys. Then give programs access permissions, just like some AVs do. Btw. it would be interesting to see which programs are actually calling WinAPI functions to get SSID lists, as generally they are not supposed to do that; I see no other use of that than geolocation.
    – Gbr
    Commented Jan 5 at 1:53
