SSID/BSSID manipulation, or how to teleport a laptop without touching it

May 18, 2026 · Jakub Kowalewski

I had been poking at this for a while before it clicked. You know how your laptop usually knows where it is, even without GPS? I had vaguely assumed there was some kind of cell-tower-ish black magic involved. There is not. It is just WiFi, and the whole thing rests on an assumption that is, frankly, embarrassing.

Here is the setup. Your device scans the access points around it, ships their MAC addresses off to Google or Apple, and gets coordinates back. That is the WiFi Positioning System. The databases behind it were built by Street View cars driving around for years, plus a constant stream of crowdsourced updates from every phone that has ever turned on. Skyhook did this. Mozilla used to do it. It is a quietly enormous piece of infrastructure that nobody talks about.

The assumption it rests on is that the BSSID a client sees actually belongs to the access point it claims to belong to. That assumption is not enforced anywhere. And once you sit with that for a minute, the whole thing starts to feel a bit like a magic trick where you can see the strings.

Beacons, and why you should not trust them

Your WiFi card scans the air constantly. It does this even when it is not connected to anything. There are two modes. Passively it listens for beacon frames – every AP throws these out roughly ten times a second, broadcasting its name, its MAC, what kind of encryption it supports, that sort of thing. Actively it pings out probe requests asking "anyone here called home_wifi?" and waits to see who replies.

Out of that, the card builds a list of BSSID + RSSI pairs – which APs it saw and how loudly. The OS hands the list to Google or Apple, and the answer comes back as a coordinate.

The thing is, 802.11 has no authentication on beacons. None at all. Any radio that can transmit on the right channel can throw out a beacon claiming any BSSID it likes, and the receiving card has no way of telling that beacon apart from one sent by a real AP. Whatever showed up at the antenna is real, as far as the driver is concerned. (Protected Management Frames and the newer beacon-protection feature do not help here: they only let a client verify frames from a network it has already joined and holds keys for, and a scan is by definition looking at networks it has not joined.) That is the whole crack.

So you do not attack the laptop. You attack the laptop's idea of what is around it.

The trick

Picture two laptops in the same room. Laptop X is the target, just sitting there minding its own business. Laptop Y, a couple of metres away, is running a tool that spits out beacon frames with BSSIDs taken from a residential street in Shibuya. X scans the band a few seconds later and sees a hundred and fifty access points that were not there before. It asks Google "where am I, given all this?", and Google says Tokyo. From that moment on, every app on X that touches the platform location API – maps, the weather widget, the browser geolocation prompt – believes it is in Japan.

You never touched X. You do not have its password. You have no account on it, no shell, no malware, nothing. You influenced it entirely through the air.

The only real constraint is range. At 2.4 GHz you get a few dozen metres through walls, less at 5 GHz, and a directional antenna stretches that out. Otherwise the radio just does what radios do.
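The scan X performs in the scenario above carries its own tell, and a client-side check can look for it. This is an added example, not the post's code: the scan entries, baseline BSSIDs and thresholds are all constructed, and the heuristic flags a burst of never-seen BSSIDs only when they also look like they came from one transmitter.

```python
"""Client-side check for a scan that looks like a beacon flood.

Added illustration, not the post's own code. Scan entries are constructed
tuples (bssid, ssid, rssi_dbm, channel). The heuristic: a burst of BSSIDs
this client has never seen before, all arriving at once with near-identical
signal strength and on one channel, is what a single transmitter emitting
many identities looks like, not what a street full of routers looks like.
"""
from collections import Counter
from statistics import pstdev

# Constructed baseline: the BSSIDs this laptop has seen in earlier scans.
BASELINE = {"aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "aa:bb:cc:00:00:03"}


def scan_anomaly(scan, baseline=BASELINE, new_ratio=0.5, min_new=20, rssi_sd_db=4.0):
    """Return (suspicious, reasons) for one scan result list."""
    new = [e for e in scan if e[0] not in baseline]
    if not scan or len(new) < min_new or len(new) / len(scan) < new_ratio:
        return False, []          # few unknowns, or mostly familiar: nothing to say
    reasons = [f"{len(new)}/{len(scan)} BSSIDs never seen before"]
    sd = pstdev([e[2] for e in new])
    if sd <= rssi_sd_db:          # many "APs" all heard at about the same level
        reasons.append(f"unknown APs within {sd:.1f} dB of each other")
    chan, count = Counter(e[3] for e in new).most_common(1)[0]
    if count / len(new) >= 0.9:   # and nearly all of them on one channel
        reasons.append(f"unknown APs almost all on channel {chan}")
    # A burst of unknowns alone is also what a real move to a new city looks
    # like, so demand at least one single-transmitter trait on top of it.
    return len(reasons) >= 2, reasons


def constructed_scan(flood=0):
    """Constructed sample: the household's APs plus `flood` fake beacons."""
    real = [("aa:bb:cc:00:00:01", "home_wifi", -40, 1),
            ("aa:bb:cc:00:00:02", "home_wifi_5g", -45, 36),
            ("aa:bb:cc:00:00:03", "printer", -60, 11),
            ("11:22:33:44:55:66", "neighbour", -75, 1)]
    fake = [(f"de:ad:be:ef:{i >> 8:02x}:{i & 0xff:02x}", f"net_{i}",
             -50 + (i % 5) - 2, 6) for i in range(flood)]
    return real + fake


if __name__ == "__main__":
    for n in (0, 150):
        print(n, scan_anomaly(constructed_scan(n)))
```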

The tools

There are four bits of tooling that come up over and over in this corner of the world, and people mix them up a lot because they show up in the same blog posts. They each do something pretty different.

hostapd turns your card into an actual access point. It transmits beacons, answers probes, accepts associations, and with a DHCP server and routing set up beside it behaves like a proper gateway. You point it at a config file with SSID, BSSID, channel, crypto, and it just runs. From the outside it looks like a router someone forgot to label. This is what you reach for when you want one well-behaved fake AP that plays by the rules.

mdk4 b does almost the opposite. It does not run an AP at all. It just floods the air with raw beacon frames – hundreds a second, each one a different BSSID and SSID from whatever list you fed it. None of those networks actually exist; if you tried to connect to one of them, nothing would happen. But that does not matter, because the geolocation API only looks at the scan list. It never tries to connect. For pure location spoofing, beacon flooding is usually the better tool.

eaphammer, karma and mdk4 p are a different beast. They listen for probe requests ("is home_wifi around?") and answer "yes" to every single one. This is mostly a man-in-the-middle technique for picking up clients with saved networks, and it is largely orthogonal to geolocation. Worth knowing they exist though.

kismet is the inverse of all the above. Card in monitor mode, no transmissions at all, just listening. It catalogues every AP, every client, every signal it can hear. You use kismet before you build the fake environment – it tells you what the real radio picture looks like, so that what you broadcast actually fits in.

And if you need a stash of real BSSIDs to emulate a real place, Wigle.net is the resource. It is a public, crowdsourced database of access point sightings with coordinates. You can draw a polygon on a map and pull every BSSID that has ever been logged inside it. Feed those into mdk4 and you have a passable Tokyo radio environment running in your kitchen.

Where it actually gets hard

The naive version of this works in a clean room. But the geolocation servers are not stupid. They average across observations, weight by signal strength, and they look for internal consistency. If your kitchen contains your real router and a hundred and fifty spoofed Tokyo beacons, Google might decide the one strong, locally-consistent BSSID it actually knows about outweighs the noise. It might not. It depends on what it knows about each individual ID in its database, which is opaque.

To make spoofing reliable when there are real APs in the room, you have to dominate the scan. More power. A directional antenna pointed at the target. Physical attenuation of the real APs, if you are committed enough to wrap things in foil. Chipset matters too – Atheros (ath9k_htc) and MediaTek (mt76) cards handle high-rate beacon flooding much better than Realtek, which tends to silently drop frames once you push it.
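One shape the "internal consistency" check in the paragraph above can take, written here as an added example rather than anything Google or Apple actually runs: the BSSID database, the kitchen and Tokyo coordinates, the scans and the thresholds are all constructed.

```python
"""Resolver-side internal-consistency check over a scan. Added illustration
of the idea above, not any provider's real algorithm. AP_DB is a constructed
BSSID -> (lat, lon) table: three entries in one Warsaw kitchen, 150 on one
street in Shibuya."""
from math import asin, cos, radians, sin, sqrt

AP_DB = {"aa:bb:cc:00:00:01": (52.2297, 21.0122),
         "aa:bb:cc:00:00:02": (52.2298, 21.0124),
         "aa:bb:cc:00:00:03": (52.2296, 21.0120)}
for i in range(150):
    AP_DB[f"de:ad:be:ef:00:{i:02x}"] = (35.6595 + i * 1e-5, 139.7004 + i * 1e-5)

# Constructed scans (bssid, rssi_dbm); FLOOD is heard weaker than the kitchen's router.
KITCHEN = [("aa:bb:cc:00:00:01", -40), ("aa:bb:cc:00:00:02", -45),
           ("aa:bb:cc:00:00:03", -60)]
FLOOD = [(bssid, -60) for bssid in AP_DB if bssid.startswith("de:ad")]

def km(a, b):
    """Great-circle distance in km between two (lat, lon) points."""
    la1, lo1, la2, lo2 = map(radians, a + b)
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def resolve(scan, db=AP_DB, radius_km=1.0, min_minor_share=0.2):
    """Return ("ok", position), ("inconsistent", None) or ("unknown", None).

    Known BSSIDs are grouped into clusters no wider than radius_km; each
    observation weighs as its received power in mW, so one AP at -40 dBm
    counts like a hundred at -60 dBm. If the runner-up cluster still holds
    min_minor_share of the total weight, the scan contradicts itself and
    the resolver refuses rather than guessing which half is real.
    """
    clusters = []                      # each entry: [anchor position, weight]
    for bssid, rssi in scan:
        if bssid not in db:
            continue                   # IDs the database has never seen add nothing
        pos, w = db[bssid], 10 ** (rssi / 10)
        for c in clusters:
            if km(c[0], pos) <= radius_km:
                c[1] += w
                break
        else:
            clusters.append([pos, w])
    if not clusters:
        return "unknown", None
    clusters.sort(key=lambda c: -c[1])
    total = sum(c[1] for c in clusters)
    if len(clusters) > 1 and clusters[1][1] / total >= min_minor_share:
        return "inconsistent", None
    return "ok", clusters[0][0]
```

A scan made only of the Tokyo list still resolves to Tokyo, so the check does not punish a laptop that genuinely travelled; it only refuses when two distant clusters are both loud enough to matter.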

Why this is interesting

The interesting question is not "can I convince my laptop it is in Tokyo." That is a party trick. The interesting question is what depends on platform geolocation downstream, and what breaks when it lies. Conditional access policies that geofence by country. Fraud signals in banking apps. Region locks on services. Trip-tracking apps. Some of those checks are robust and cross-reference cellular triangulation, IP geolocation, accelerometer data. A lot of them are not.

The fundamental fact about 802.11 – that beacons are unauthenticated, that any radio can claim any identity – has been true since 1997. It just did not matter much for the first decade or so, because nobody important was reading the BSSIDs. Now they are. That is the entire shift.