Why Your Wi-Fi Router Doubles as an Apple AirTag

Tracking via Wi‑Fi, Bluetooth, and Other Signals

  • Access points (APs) broadcast static identifiers (BSSIDs/MACs) that enable long‑term location tracking, similar in effect to AirTags.
  • Bluetooth devices (phones, TVs, cars) are also seen as strong tracking beacons; moving a TV or in‑vehicle AP can effectively reveal a household move.
  • Some argue more authoritative records (voter registration, mail forwarding, payroll, banks, retailers, USPS) already map residential moves, so Wi‑Fi is just one of many signals.

Privacy Strategies and Threat Models

  • Some participants take extreme measures: changing AP hardware/BSSIDs on moves, avoiding personal info in SSIDs, using multiple residences, or ensuring their primary sleeping address is never in common databases.
  • Others consider this overkill because many official or commercial records will still leak addresses.
  • Cash‑only landlords, PO boxes, and “vanlife” are mentioned as ways to keep real sleeping locations off public records.

Opt‑Out SSID Suffixes (_nomap, _optout) and Criticism

  • Apple, Google, Microsoft, and WiGLE honor SSID markers like _nomap or _optout to exclude APs from their Wi‑Fi positioning systems.
  • Many criticize this as backwards: privacy requires attention‑drawing SSID changes, may not be honored consistently, and different vendors use incompatible tags, leading to ugly “ssid_optout_nomap”‑style names.
  • Several posters distrust that these flags are actually respected, calling it a pure “trust” mechanism.

Apple vs Google WPS Design and Exposure

  • Google’s system computes user location server‑side and returns just the location.
  • Apple’s API returns locations of hundreds of nearby BSSIDs so devices can compute location locally; this verbosity enabled large‑scale mapping by researchers.
  • Some see Apple’s on‑device design as better for user privacy; others note that exposing a world‑scale BSSID location database is itself a major privacy and security risk.

Client Device Behavior and Technical Nuances

  • Hidden SSIDs don’t truly hide networks; they remove the SSID from beacons but cause clients to probe with network names, worsening privacy.
  • Android and other devices attempt to reconnect to known networks, which combined with saved SSID lists can uniquely identify and locate users.
  • MAC randomization exists but is typically per‑SSID or per‑day; only a few systems reportedly randomize per connection attempt.
  • Some want APs that periodically randomize their BSSIDs; OpenWrt plus reboot scripts is suggested as a workaround.
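
One way to script the OpenWrt BSSID rotation mentioned in the last point, as an added example that is not taken from the discussion. It assumes the first `wifi-iface` section is the AP; the `--apply` argument and the function names are this example's own.

```shell
#!/bin/sh
# Added example: rotate an OpenWrt AP's BSSID to a fresh random value.
# Assumption: wireless.@wifi-iface[0] is the AP interface to change.

# Six random bytes as 12 lowercase hex digits (od if present, else hexdump).
rand_hex12() {
    if command -v od >/dev/null 2>&1; then
        head -c 6 /dev/urandom | od -An -tx1 | tr -d ' \n'
    else
        head -c 6 /dev/urandom | hexdump -v -e '/1 "%02x"'
    fi
}

# Force the first octet to unicast (bit 0 clear) and locally administered
# (bit 1 set): OpenWrt ignores a multicast override, and the local bit
# keeps the value out of vendor-assigned OUI space.
random_bssid() {
    hex=$(rand_hex12)
    b=$(printf '%s' "$hex" | cut -c1-2)
    first=$(( (0x$b & 0xfc) | 0x02 ))
    rest=$(printf '%s' "$hex" | cut -c3-12 | sed 's/../:&/g')
    printf '%02x%s\n' "$first" "$rest"
}

# Succeeds only for a well-formed, unicast, locally administered MAC.
is_private_unicast_mac() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{2}(:[0-9a-f]{2}){5}$' || return 1
    o=$(( 0x$(printf '%s' "$1" | cut -c1-2) ))
    [ $(( o & 0x03 )) -eq 2 ]
}

# Write the override and restart Wi-Fi so the new BSSID is beaconed.
apply_bssid() {
    uci set "wireless.@wifi-iface[0].macaddr=$1" &&
    uci commit wireless &&
    wifi reload
}

# Only touch the radio when asked to (--apply) and when uci is available.
if [ "${1:-}" = "--apply" ] && command -v uci >/dev/null 2>&1; then
    mac=$(random_bssid)
    is_private_unicast_mac "$mac" && apply_bssid "$mac"
fi
```

Each rotation drops associated clients briefly while the interface restarts.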

Data Use, Ethics, and “Public Airwaves” Argument

  • One camp argues that anything broadcast over radio is inherently public; collecting BSSIDs/MACs fails any “expectation of privacy” test.
  • Others counter that ordinary users don’t realize this and just want simple home Wi‑Fi, so large‑scale commercial harvesting of these signals still feels like a privacy violation.
  • Data brokers are suspected of replicating these datasets without the minimal privacy controls used in the research.

Open Questions and Ambiguities

  • Unclear exactly how iPhones populate Apple’s database: whether solely via handset reports or other collection methods.
  • Unclear how GDPR treats MAC addresses, though some note IPs are considered personal data.