How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux. PETS 2013, 07/2013

Upload: tamber

Post on 25-Feb-2016


TRANSCRIPT

Page 1: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux
PETS 2013, 07/2013

Page 2: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

GPS-Level Geo-location at Public Hotspots: A Crowd-Sourcing Approach Based on Shared Public IPs

[Figure labels: location information (e.g., LBS); location information; co-location information (e.g., same IP)]

Page 3: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Location Information

• The places one visits convey a large amount of (sensitive) information
• Location information is valuable
  • Offers context-aware services
  • Creates new revenue opportunities
  • Potential to provide targeted advertisements (US$ 31.74 Billion ad revenue in the US in 2011)
• Web services are interested in obtaining users’ locations
  • Users reveal their locations to Location-Based Services (LBS) in exchange for context-aware services
  • Non-LBS service providers rely on IP – location
    • i.e., determining a location from an IP address

Page 4: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

IP-Location Services

• Provides IP address to geo-location translation
• Active techniques (e.g., delay measurements)
• Passive techniques
  • Databases with records of IP – location mappings
    • Commercial (e.g., Quova Inc., MaxMind, IP2Location)
    • Free (e.g., HostIP, IPInfoDB)
• Results are not very accurate (country-, state-, city-? level)
• Incentives for service providers (e.g., Google) to implement fine-grained IP geo-location techniques

Page 5: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Adversary & Threat

• Goal: Learn (and exploit) users’ (current) locations
  • e.g., monetize through location-targeted ads
• Adversary: Service providers that
  • Offer either LBS or geo-location service
  • Might offer other online services (e.g., webmail, search, etc.)
• Threat: Location privacy compromised by others
  • Location + co-location information

[Figure labels: location information (e.g., LBS); location information; co-location information (e.g., same IP)]

Page 6: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

The Threat

[Diagram labels:]

• Access Point (AP): location; public IP: a.b.c.d (obtained by DHCP); Private IP: 192.168.1.1; Uses Network Address Translation (NAT)
• Mobile Phone: private IP: 192.168.1.5
• Mobile Phone (GPS): private IP: 192.168.1.3; position:
• Location-Based Service
• Web Server: Use mapping: (a.b.c.d) ↔ ; Build mapping: (a.b.c.d) ↔
• Request (IP: a.b.c.d)
• LBS Request (IP: a.b.c.d)
• Controlled by the adversary

Page 7: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

DHCP Lease & IP Change Inference

[Diagram labels:]

• Access Point (AP): Public IP obtained by DHCP; Uses Network Address Translation (NAT)
• Laptop
• Web Server
• Infer IP change: (a1.b1.c1.d1) (a2.b2.c2.d2)

[Timeline labels, along the "time" axis with the "DHCP lease" marked:]

• HTTP Request, Cookie john@dom.com (IP: a1.b1.c1.d1)
• Renew IP a1.b1.c1.d1
• Renew IP
• Renew IP
• HTTP Request, Cookie john@dom.com (IP: a2.b2.c2.d2)
• Renew IP a2.b2.c2.d2

Page 8: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Quantifying the Threat

[Timeline figure labels: time axis t from kT to (k+1)T; Renew IP, Renew IP; A5, D1, A6, A7, D4; LBS5; Std7, Std4, Std6; Auth5, Auth7; TComp; Vulnerability Window W]

Legend:

• T – IP periodicity
• Ai / Di – arrival/departure
• LBSi – LBS req. from user i
• Stdi – Standard req. from user i
• Authi – Authenticated req. from user i

Compromise time TComp: First LBS query in T

Probability of the adversary successfully obtaining the mapping

Victims: |{U4, U6, U7}| = 3 (ads), |{U5, U7}| = 2 (tracking)

Proportion of Victims: Victims/(NCon + λArr T)

Page 9: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

System Model

• Users U
  • Connecting to AP: Poisson (λArr)
  • Connection duration: exponential distribution λDur
  • Stationary system
    • Number of connected users NCon = λArr / λDur
  • LBS, standard, authenticated requests: Poisson* (λLBS), (λStd), (λAuth)
• Access point AP
  • At location (x,y)
  • Single dynamic public IP with lease T, renewed with prob. pNew
• Adversary
  • Goal: obtain MAP = (IP ↔ Loc) mapping
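The model above can be run numerically to see how the lease length T changes exposure; the following Monte Carlo simulation is an added example, not code from the slides or the paper. Assumptions: time is in hours, all rates are constructed sample values, the public IP changes at every lease so the mapping must be re-learned each time, and an ads victim is any user who sends a standard request between TComp and the end of the lease.

```python
import random

def simulate_lease(lam_arr, lam_dur, lam_lbs, lam_std, T, rng):
    """Simulate one DHCP lease [0, T]; return (t_comp or None, ads victims)."""
    users = []
    t = -10.0 / lam_dur                      # warm-up so the AP is stationary at t = 0
    while True:
        t += rng.expovariate(lam_arr)        # Poisson arrivals, rate lam_arr
        if t >= T:
            break
        depart = t + rng.expovariate(lam_dur)    # exponential connection duration
        if depart > 0:                       # user is connected during the lease
            users.append((max(t, 0.0), min(depart, T)))
    # TComp: first LBS request seen from the shared public IP within this lease.
    first_lbs = [s + rng.expovariate(lam_lbs) for s, _ in users]
    seen = [q for q, (_, e) in zip(first_lbs, users) if q < e]
    if not seen:
        return None, 0                       # no LBS user: mapping never learned
    t_comp = min(seen)
    victims = 0
    for s, e in users:
        start = max(s, t_comp)               # vulnerability window for this user
        if start < e and start + rng.expovariate(lam_std) < e:
            victims += 1                     # standard request sent while IP is mapped
    return t_comp, victims

def victim_proportion(T, runs=300, seed=1, lam_arr=10.0, lam_dur=1.0,
                      lam_lbs=0.1, lam_std=2.0):
    """Average Victims / (NCon + lam_arr * T) over independent leases."""
    rng = random.Random(seed)
    n_con = lam_arr / lam_dur                # stationary number of connected users
    total = sum(simulate_lease(lam_arr, lam_dur, lam_lbs, lam_std, T, rng)[1]
                for _ in range(runs))
    return (total / runs) / (n_con + lam_arr * T)

if __name__ == "__main__":
    for lease in (0.25, 1.0, 6.0, 24.0):     # constructed lease lengths, in hours
        print(f"T = {lease:5.2f} h  proportion of victims = {victim_proportion(lease):.2f}")
```

Comparing the printed proportions for short and long leases shows the effect of the "Reduce the DHCP lease" countermeasure listed in the Countermeasures slide.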

Page 10: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Success of the Adversary


Page 11: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

EPFL Data Set

• Traces collected from 2 EPFL campus Wi-Fi APs over 23 days in June 2012
  • User session, traffic and DNS traces
  • 4302 users in total (136 users on average around 6PM)
• Considered traffic to Google services
  • 17% of the traffic; 81.3% of the users access at least one Google service
  • 9.5% of the users generate LBS requests

Measured the compromise time and the proportion of victims

Measured the probability of inferring IP changes

Page 12: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Results – Victims (ads)

Users start arriving around 7AM

Theoretical TComp = 7:42 AM
Experimental TComp = 8:25 AM

Compromised location privacy of 90% of Google users

Page 13: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Probability of Inferring the IP Change


Page 14: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Countermeasures (Oh boy what can I do?!)

• Hiding users’ actual IPs from the destination
  • Relay-based communication (e.g., Tor, mix networks, proxies)
  • Virtual Private Networks (VPNs)
  • ISPs implementing country-wide NAT or IP Mixing
• Decreasing the knowledge of the adversary
  • Reducing accuracy of the reported location (e.g., spatial cloaking, adding noise)
  • Increase adversary’s uncertainty (e.g., inject dummy requests)
• Adjust the system parameters
  • Reduce the DHCP lease, always allocate a new IP, IP change when the traffic is low
• Do-not-geolocalize initiative
  • Opt-out of being localized

Page 15: How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

Conclusions

• Location privacy at hotspots can be compromised by other users
• Consequence of network operational mode
  • i.e., APs with NATs
• Scale of the threat is immense
• New business opportunities for service providers
• Users’ lack of incentives to coordinate and their lack of know-how impede the wide deployment of the countermeasures