Any phone can recognize your router

Your smartphone is constantly checking for available Wi-Fi hotspots and looking to reconnect to ones you've already used. You can see this, and it's very convenient (although it's vulnerable to spoofing and "lookalike" attacks).

What you don't see, however, is that your smartphone is also uploading identifying information about your (and everyone else's) router to massive databases maintained by Apple, Google, and others. These databases benefit you (and everyone else) by providing you with a more accurate GPS location.

What is Wi-Fi positioning?
When you ask a maps app for directions, it uses GPS to determine your starting point and show your progress along the way. However, GPS itself can be slow, so your smartphone supplements it with data from the WiFi Positioning System (WPS). In an informative blog post, a Kaspersky researcher explains: “WPS allows you to see your location almost immediately when you open a maps app. Relying on ‘pure’ GPS data from satellites would take several minutes.”

Apple maintains a WPS database based on data from iPhones, iPads, and Macs. Google has its own WPS database based on a large number of Android devices. These two are also the largest.

How is it all going?
When your smartphone encounters a new access point in its constant search for available Wi-Fi networks, it sends the router's BSSID to the appropriate database along with the signal strength and some other information. What is a BSSID? Well, you're probably familiar with the term SSID, which is the name you give to your Wi-Fi network. Multiple access points can have the same SSID, but the BSSID is unique and is based on the router's MAC address and is unique.

The WPS system combines all reports for a given BSSID and calculates the best possible estimate of the router's location. If the router remains in place long enough (from a few days to a week), it is added to the database.

On a map, such a database would look like a set of overlapping circles. When your phone requests location information from the system, it sends the information for all routers in range. WPS actually finds the intersection of the corresponding circles, and thus locates you faster than GPS would.

What's wrong with WPS?
The general advice when choosing an SSID for your home network is to avoid anything too close to the name of a nearby access point, and to avoid including personal information in the name. Using your address may seem smart, but it's not. Anyone who comes within range of your router can see your SSID.

However, there is another problem. Anyone with enough technical knowledge can get free access to WPS databases via the API. Even if your SSID is Nekaj123 or TuakjNiWiFija, a tech-savvy person can use the SSID and general location to convert it into access to the BSSID. And with the BSSID, they can get your exact location.

This is generally not a big deal, but imagine a situation where you are forced to move to a new location to escape an online stalker. If your stalker has previously captured your router's BSSID, all they have to do is sit back and wait for that BSSID to reappear in the system.

Even if you're a multimillionaire CEO traveling the world with your personal mobile hotspot, you could still be the subject of unwanted tracking. It's true that the hotspot's BSSID won't usually reappear in the system until it's been inactive for a few days, but why take the risk?

Satellite internet terminals like Starlink also use Wi-Fi and can be found via WPS. Such terminals are also often used in war zones and other sensitive areas. Researchers at the University of Maryland have demonstrated the danger by mapping Wi-Fi BSSIDs in Ukraine and Gaza.

How to avoid this?
If you're concerned about your privacy, you can simply opt out. Both Apple and Google have agreed to ignore routers with SSIDs in a certain format. Specifically, if the router name ends with "_nomap," they ignore it.

To change this, you'll need to dig into your router's settings, a process that starts with determining your router's IP address.

It's not hard. Press Windows-R to open the Run dialog box, type CMD, and press Enter. In the command prompt that appears, type the command IPCONFIG. The address you want is labeled as the default gateway, and it's most likely 192.168.1.1.

Now open a browser window and type the IP address you found in the address bar. What happens next depends on the type of router you have. You will need a username and password to access your router settings. If you can't find anything, turn the router over. Sometimes the credentials are printed on a sticker on the back or bottom of the router. No sticker? Search the Internet for the default credentials for your router model. If all else fails, contact your ISP's technical support.

Some modern routers don't support accessing settings through a browser, instead relying on a smartphone app. In such a case, when you try to access settings in a browser, you'll likely see a QR code that you can use to download the app.

Whether you’re in a browser or an app, your next task is to find the entry that controls the SSID. This may be labeled as SSID, Network Name, or something similar. Once you find it, simply append “_nomap” to the existing name. If the name alone gives away your location, consider changing the name entirely and leaving the “_nomap” suffix. While you’re changing your router settings, also consider choosing a new Wi-Fi password. And if you’ve logged into your settings with the default credentials, that’s a big security hole. Change those credentials to something unique and store them in a password manager.

Now comes the fun part. You'll need to adjust the settings on each laptop, smartphone, and smart home device to use the new SSID and (if you changed it) the new password. Yes, it takes some work, but it's a good security practice, and in the end, you'll know exactly how many devices are connected to your router.