How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux PETS 2013, 07/2013 1
How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots GPS-Level Geo-location at Public Hotspots: A Crowd-Sourcing Approach Based on Shared Public IPs location Information (e.g., LBS) location information co-location information (e.g., same IP) 2
Location Information The place one visits convey a large amount of (sensitive) information Location information is valuable Offers context-aware services Creates new revenue opportunities Potential to provide targeted advertisements (US$ Billion ad revenue in the US in 2011) Web services are interested in obtaining users’ locations Users reveal their locations to Location-Based Services (LBS) in exchange for context-aware services Non-LBS service providers rely on IP – location i.e., determining a location from an IP address 3
IP-Location Services Provides IP address to geo-location translation Active techniques (e.g., delay measurements) Passive techniques Databases with records of IP – location mappings Commercial (e.g., Quova Inc., MaxMind, IP2Location) Free (e.g., HostIP, IPInfoDB) Results are not very accurate (country-, state-, city-? level) Incentives for service providers (e.g., Google) to implement fine- grained IP geo-location techniques 4
Adversary & Threat Goal: Learn (and exploit) users’ (current) locations e.g., monetize through location-targeted ads Adversary: Service providers that Offer either LBS or geo-location service Might offer other online services (e.g., webmail, search, etc.) Threat: Location privacy compromised by others Location + co-location information 5 location Information (e.g., LBS) location information co-location information (e.g., same IP)
The Threat Access Point (AP) Mobile Phone private IP: Location-Based Service Mobile Phone (GPS) Web Server Request (IP: a.b.c.d) Controlled by the adversary 6
DHCP Lease & IP Change Inference 7 Access Point (AP) Public IP obtained by DHCP Uses Network Address Translation (NAT) Laptop HTTP Request Cookie (IP: a 1.b 1.c 1.d 1 ) Renew IP a 1.b 1.c 1.d 1 DHCP lease Renew IP HTTP Request Cookie (IP:a 2.b 2.c 2.d 2 ) Renew IP a 2.b 2.c 2.d 2 Web Server
Quantifying the Threat 8 A5A5 D1D1 A6A6 A7A7 D4D4 Vulnerability Window W t T – IP periodicity A i /D i – arrival/departure LBS i – LBS req. from user i Std i – Standard req. from user i Auth i – Authenticated req. from user i Victims : |{U4, U6, U7}|= 3 (ads), |{U5, U7}|= 2 (tracking) Proportion of Victims: Victims/(N Con + λ Arr T) Std 7 Std 4 Std 6 LBS 5 T Comp kT (k+1)T Compromise time T Comp : First LBS query in T Probability of the adversary successfully obtaining the mapping Renew IP Auth 5 Auth 7
System Model Users U Connecting to AP: Poisson (λ Arr ) Connection duration: exponential distribution λ Dur Stationary system Number of connected users N Con = λ Arr / λ Dur LBS, standard, authenticated requests: Poisson* (λ LBS ), (λ Std ), (λ Auth ) Access point AP At location (x,y) Single dynamic public IP with lease T, renewed with prob. p New Adversary Goal: obtain M AP =(IP ↔Loc) mapping 9
Success of the Adversary 10
EPFL Data Set Traces collected from 2 EPFL campus Wi-Fi APs over 23 days in June 2012 User session, traffic and DNS traces 4302 users in total (136 users on average around 6PM) Considered traffic to Google services 17% of the traffic; 81.3% of the users access at least one Google service 9.5% of the users generate LBS requests 11 Measured the compromise time and the proportion of victims Measured the probability of inferring IP changes
Results – Victims (ads) 12 Users start arriving around 7AM Theoretical T Comp = 7:42 AM Experimental T Comp = 8:25 AM Compromised location privacy of 90% of Google users
Probability of Inferring the IP Change 13
Countermeasures (Oh boy what can I do?!) Hiding users’ actual IPs from the destination Relay-based communication (e.g., Tor, mix networks, proxies) Virtual Private Networks (VPNs) ISPs implementing country-wide NAT or IP Mixing Decreasing the knowledge of the adversary Reducing accuracy of the reported location (e.g., spatial cloaking, adding noise) Increase adversary’s uncertainty (e.g., inject dummy requests) Adjust the system parameters Reduce the DHCP lease, always allocate a new IP, IP change when the traffic is low Do-not-geolocalize initiative Opt-out of being localized 14
Conclusions Location privacy at hotspots can be compromised by other users Consequence of network operational mode i.e., APs with NATs Scale of the threat is immense New business opportunities for service providers Users’ lack of incentives to coordinate and their lack of know-how impede the wide deployment of the countermeasures 15