How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots
N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux. PETS 2013, 07/2013
GPS-Level Geo-location at Public Hotspots: A Crowd-Sourcing Approach Based on Shared Public IPs
[Figure: location information (e.g., LBS); location information; co-location information (e.g., same IP)]
Location Information
• The places one visits convey a large amount of (sensitive) information
• Location information is valuable
  • Offers context-aware services
  • Creates new revenue opportunities
  • Potential to provide targeted advertisements (US$ 31.74 Billion ad revenue in the US in 2011)
• Web services are interested in obtaining users' locations
  • Users reveal their locations to Location-Based Services (LBS) in exchange for context-aware services
  • Non-LBS service providers rely on IP – location
    • i.e., determining a location from an IP address
IP-Location Services
• Provides IP address to geo-location translation
  • Active techniques (e.g., delay measurements)
  • Passive techniques
    • Databases with records of IP – location mappings
      • Commercial (e.g., Quova Inc., MaxMind, IP2Location)
      • Free (e.g., HostIP, IPInfoDB)
• Results are not very accurate (country-, state-, city-? level)
• Incentives for service providers (e.g., Google) to implement fine-grained IP geo-location techniques
Adversary & Threat
• Goal: Learn (and exploit) users' (current) locations
  • e.g., monetize through location-targeted ads
• Adversary: Service providers that
  • Offer either LBS or geo-location service
  • Might offer other online services (e.g., webmail, search, etc.)
• Threat: Location privacy compromised by others
  • Location + co-location information
[Figure: location information (e.g., LBS); location information; co-location information (e.g., same IP)]
The Threat
[Figure: hotspot scenario]
• Access Point (AP) at a location; public IP a.b.c.d (obtained by DHCP); private IP 192.168.1.1; uses Network Address Translation (NAT)
• Mobile Phone (GPS), private IP 192.168.1.3, sends an LBS Request (IP: a.b.c.d) carrying its position to the Location-Based Service
• Mobile Phone, private IP 192.168.1.5, sends a Request (IP: a.b.c.d) to the Web Server
• Location-Based Service: Build mapping (a.b.c.d) ↔ Loc
• Web Server: Use mapping (a.b.c.d) ↔ Loc
• Location-Based Service and Web Server: Controlled by the adversary
DHCP Lease & IP Change Inference
[Figure: timeline]
• Access Point (AP): public IP obtained by DHCP; uses Network Address Translation (NAT)
• Laptop sends HTTP Request, Cookie john@dom.com (IP: a1.b1.c1.d1) to the Web Server
• AP over time: Renew IP (a1.b1.c1.d1), DHCP lease, Renew IP, Renew IP, Renew IP (a2.b2.c2.d2)
• Laptop sends HTTP Request, Cookie john@dom.com (IP: a2.b2.c2.d2) to the Web Server
• Web Server: Infer IP change (a1.b1.c1.d1) → (a2.b2.c2.d2)
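As an added illustration of slides 6 and 7 (not code or analysis from the paper or its authors), a small Python model of what the adversary-controlled servers can derive from their own request logs: the first GPS-tagged LBS query from a public IP fixes the IP ↔ location mapping, later standard requests from the same public IP inherit it, and a login cookie reappearing from a new public IP reveals the DHCP renewal. The log, IPs, cookie and position are constructed, the function names are mine, and carrying the mapping over to the new IP is an assumed adversary step the slide does not spell out.

```python
# Constructed request log as seen by the adversary-controlled servers (the
# LBS and the web server). Fields: minute, public source IP, request kind,
# login cookie (None if anonymous), GPS position (LBS requests only).
# All values are made up; the IPs come from the documentation ranges.
LOG = [
    (0,  "198.51.100.7", "std", None,           None),
    (3,  "198.51.100.7", "lbs", None,           (46.52, 6.57)),
    (5,  "198.51.100.7", "std", "john@dom.com", None),
    (9,  "198.51.100.7", "std", None,           None),
    (60, "203.0.113.9",  "std", "john@dom.com", None),  # AP renewed its lease
    (62, "203.0.113.9",  "std", None,           None),
]

def by_time(log):
    return sorted(log, key=lambda r: r[0])

def build_mapping(log):
    """IP -> (position, TComp): the first LBS query seen from each public IP."""
    mapping = {}
    for t, ip, kind, _cookie, pos in by_time(log):
        if kind == "lbs" and ip not in mapping:
            mapping[ip] = (pos, t)
    return mapping

def infer_ip_changes(log):
    """The same cookie arriving from a new IP reveals the hotspot's IP change."""
    last_ip, changes = {}, []
    for t, ip, _kind, cookie, _pos in by_time(log):
        if cookie is None:
            continue
        if cookie in last_ip and last_ip[cookie] != ip:
            changes.append((t, last_ip[cookie], ip))
        last_ip[cookie] = ip
    return changes

def carry_over(mapping, changes):
    """Assumed adversary step: the new IP inherits the old IP's location."""
    mapping = dict(mapping)
    for t, old, new in changes:
        if old in mapping and new not in mapping:
            mapping[new] = (mapping[old][0], t)
    return mapping

def geolocate_std_requests(log, mapping):
    """Standard requests located without GPS data of their own: the victims."""
    return [(t, ip, cookie, mapping[ip][0])
            for t, ip, kind, cookie, _pos in by_time(log)
            if kind == "std" and ip in mapping and t >= mapping[ip][1]]
```

Only the request at minute 0 escapes, because it precedes TComp; every later standard request, including those after the renewal, is located from a single LBS query by one other user.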
Quantifying the Threat
[Figure: timeline of one lease period from kT to (k+1)T, with Renew IP at both ends]
• Events on the timeline: A5, D1, A6, A7, D4; LBS5; Std7, Std4, Std6; Auth5, Auth7; Vulnerability Window W; compromise time TComp
• Legend: T – IP periodicity; Ai / Di – arrival / departure of user i; LBSi – LBS req. from user i; Stdi – Standard req. from user i; Authi – Authenticated req. from user i
• Compromise time TComp: First LBS query in T
• Probability of the adversary successfully obtaining the mapping
• Victims: |{U4, U6, U7}| = 3 (ads), |{U5, U7}| = 2 (tracking)
• Proportion of Victims: Victims / (NCon + λArr T)
System Model
• Users U
  • Connecting to AP: Poisson (λArr)
  • Connection duration: exponential distribution (λDur)
  • Stationary system
    • Number of connected users NCon = λArr / λDur
  • LBS, standard, authenticated requests: Poisson* (λLBS), (λStd), (λAuth)
• Access point AP
  • At location (x,y)
  • Single dynamic public IP with lease T, renewed with prob. pNew
• Adversary
  • Goal: obtain MAP = (IP ↔ Loc) mapping
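Added example (not the authors' analysis or code): a Monte Carlo run of the system model above for one lease period, returning the compromise time TComp and the victim counts and proportions as defined on slide 8. Rates are per hour and T is in hours; the parameter values are constructed, and the users already connected at the start of the period are given exponential remaining durations (memoryless), an assumption the slides do not spell out.

```python
import random

def poisson_times(rate, start, end, rng):
    """Event times of a Poisson process with the given rate inside [start, end)."""
    times = []
    if rate <= 0:
        return times
    t = start + rng.expovariate(rate)
    while t < end:
        times.append(t)
        t += rng.expovariate(rate)
    return times

def simulate_lease(lam_arr, lam_dur, lam_lbs, lam_std, lam_auth, T, seed=None):
    """Simulate one lease period [0, T) of a single public IP.

    Returns TComp (first LBS query, None if there is none), the ads victims
    (users with a standard request at or after TComp), the tracking victims
    (users with an authenticated request at or after TComp) and the two
    proportions Victims / (NCon + lam_arr * T) as on slide 8.
    """
    rng = random.Random(seed)
    n_con = lam_arr / lam_dur                     # stationary connected users
    # Users already connected at time 0: assumed exponential remaining
    # durations (the exponential distribution is memoryless).
    sessions = [(0.0, rng.expovariate(lam_dur)) for _ in range(round(n_con))]
    for arrival in poisson_times(lam_arr, 0.0, T, rng):
        sessions.append((arrival, rng.expovariate(lam_dur)))
    users = []
    for start, dur in sessions:
        end = min(start + dur, T)                  # departure or end of lease
        users.append({kind: poisson_times(rate, start, end, rng)
                      for kind, rate in (("lbs", lam_lbs), ("std", lam_std),
                                         ("auth", lam_auth))})
    expected_users = n_con + lam_arr * T
    lbs_times = [t for u in users for t in u["lbs"]]
    if not lbs_times:
        return {"t_comp": None, "ads": 0, "tracking": 0,
                "p_ads": 0.0, "p_tracking": 0.0}
    t_comp = min(lbs_times)
    ads = sum(any(t >= t_comp for t in u["std"]) for u in users)
    tracking = sum(any(t >= t_comp for t in u["auth"]) for u in users)
    return {"t_comp": t_comp, "ads": ads, "tracking": tracking,
            "p_ads": ads / expected_users, "p_tracking": tracking / expected_users}
```

Averaging the returned dictionaries over many seeds gives the expected TComp and proportion of victims; re-running with a shorter T shows the effect of the DHCP-lease countermeasure.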
Success of the Adversary
EPFL Data Set
• Traces collected from 2 EPFL campus Wi-Fi APs over 23 days in June 2012
  • User session, traffic and DNS traces
• 4302 users in total (136 users on average around 6PM)
• Considered traffic to Google services
  • 17% of the traffic; 81.3% of the users access at least one Google service
  • 9.5% of the users generate LBS requests
• Measured the compromise time and the proportion of victims
• Measured the probability of inferring IP changes
Results – Victims (ads)
• Users start arriving around 7AM
• Theoretical TComp = 7:42 AM
• Experimental TComp = 8:25 AM
• Compromised location privacy of 90% of Google users
Probability of Inferring the IP Change
Countermeasures (Oh boy what can I do?!)
• Hiding users' actual IPs from the destination
  • Relay-based communication (e.g., Tor, mix networks, proxies)
  • Virtual Private Networks (VPNs)
  • ISPs implementing country-wide NAT or IP Mixing
• Decreasing the knowledge of the adversary
  • Reducing accuracy of the reported location (e.g., spatial cloaking, adding noise)
  • Increasing the adversary's uncertainty (e.g., inject dummy requests)
• Adjust the system parameters
  • Reduce the DHCP lease, always allocate a new IP, IP change when the traffic is low
• Do-not-geolocalize initiative
  • Opt-out of being localized
Conclusions
• Location privacy at hotspots can be compromised by other users
  • Consequence of network operational mode
    • i.e., APs with NATs
• Scale of the threat is immense
  • New business opportunities for service providers
• Users' lack of incentives to coordinate and their lack of know-how impede the wide deployment of the countermeasures