Other people’s smartphones are spying on your router. How to stop it

The exact location of your router is publicly available through global Wi-Fi geolocation databases. Let’s explore why this is necessary, and the risks it entails and how to mitigate them.

How to exclude your router from surveillance via Wi-Fi positioning system

Every time someone with a smartphone with GPS enabled passes by near your Wi-Fi access point, the approximate geographic coordinates of your router are uploaded to the databases of Apple, Google and other tech giants. This is an integral part of the Wi-Fi Positioning System (WPS). For your router to end up in this database, you don’t even need to have a smartphone yourself — it’s enough for a neighbor or passer-by to have one.

WPS is what enables you to see your location almost immediately when you open a map app. Relying on “pure” GPS data from satellites would take a few minutes. Your smartphone checks which Wi-Fi access points are nearby, sends the list to Google or Apple, and receives either its calculated coordinates (from Google) or a list of router coordinates (from Apple) to calculate its own position.

Even devices without GPS, such as laptops, can also use this type of geolocation. As discovered by researchers at UMD, Apple places minimal restrictions on requests for access point coordinates, making it possible to create your own worldwide router map and use it to find interesting phenomena and patterns, or even track individuals.

What are the risks inherent in router surveillance?

While the approximate physical location of a router might not seem like particularly confidential data, especially for those living in your area, there are several cases when it’s best to keep this information hidden. Here are a just a few examples:

  • When using satellite internet terminals, such as Starlink. These provide internet access via Wi-Fi, and tracking the terminal equals tracking the user’s location. This is particularly sensitive when terminals are used in military conflict or emergency zones.
  • When using mobile hotspots for business and travel. If you find it convenient to share internet from a mobile router to your laptop and other devices, your pocket hotspot likely accompanies you on business trips. This creates opportunities to monitor your travel schedule, frequency and directions. The same applies to hotspots installed in RVs and yachts.
  • When people have moved. Often, a router moves with its owner, revealing their new address to anyone who’s previously connected to their Wi-Fi — even just once before. While this is usually harmless, it can be problematic for those relocating to escape harassment, domestic violence or other serious issues.

The limitations of WPS tracking

These are all valid concerns, but there’s good news: WPS tracking is less accurate and slower than other surveillance methods.

First of all, for a router to be added to the WPS database, it must be consistently detected in the same area over some time. UMD researchers found that a new router took between two and seven days to appear in the WPS database. If you go somewhere with a mobile router for a short period, this movement is unlikely to be recorded in the database.

Secondly, a router must be scanned by several smartphones with activated geolocation services to be included in the WPS database. Therefore, a router installed in an isolated or unpopulated area may never appear on the map.

Thirdly, the identification and further tracking of routers relies on a BSSID — an identifier broadcast by the access point. Wi-Fi standards allow for BSSID randomization, and if this feature is enabled, the identifier automatically changes at certain time intervals. This doesn’t interfere with the normal operation of devices connected to the access point, but it does make it more difficult to re-identify the router. Just like the private MAC address setting in Android, iOS and Windows reduces the risk of tracking client devices, BSSID randomization makes it much more difficult to track access points.

How to protect your router from WPS tracking

Both Apple and Google have a little-known tool that allows you to exclude an access point from WPS databases. To do this, add the suffix _nomap to the end of the access point name. For example, the access point MyHomeWifi should be renamed MyHomeWifi_nomap.

For home and office routers, an additional security measure is to rent a device from the provider rather than buying your own. Then, whenever you move, you can simply return it and rent a new router at the new location.

A more technologically advanced solution, though more complicated to implement, would be to use a router that supports BSSID randomization — such as those from Supernetworks with open-source firmware. The popular alternative firmware for routers, DD-WRT, also allows for BSSID randomization if supported by the hardware.

For those using a smartphone as an access point, we recommend reviewing the device settings. On Apple devices, enabling BSSID randomization for your hotspot is not very straightforward — there’s no such switch directly in the Personal Hotspot settings. However, if the Private Wi-Fi Address feature is enabled for at least some Wi-Fi networks (Settings → Wi-Fi → tap the name of the connected Wi-Fi network → enable Private Wi-Fi Address), then your hotspot will start randomizing the BSSID of the access point. This feature can also occasionally be found on Android smartphones, although the activation process varies by manufacturer.

According to Starlink, their terminals have also gradually been receiving a software update since early 2023 that automatically activates BSSID randomization.