How Others Compromise Your Location Privacy:
The Case of Shared Public IPs at Hotspots
N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux
PETS 2013, 07/2013
1
GPS-Level Geo-location at Public Hotspots:
A Crowd-Sourcing Approach Based on Shared Public IPs
How Others Compromise Your Location Privacy:
The Case of Shared Public IPs at Hotspots
[Figure: location information (e.g., from LBS requests) combined with co-location information (e.g., same public IP)]
2
Location Information
• The places one visits convey a large amount of (sensitive) information
• Location information is valuable
  • Offers context-aware services
  • Creates new revenue opportunities
  • Potential to provide targeted advertisements (US$ 31.74 billion ad revenue in the US in 2011)
• Web services are interested in obtaining users’ locations
  • Users reveal their locations to Location-Based Services (LBS) in exchange for context-aware services
  • Non-LBS service providers rely on IP-location, i.e., determining a location from an IP address
3
IP-Location Services
• Provide IP address to geo-location translation
  • Active techniques (e.g., delay measurements)
  • Passive techniques
    • Databases with records of IP – location mappings
    • Commercial (e.g., Quova Inc., MaxMind, IP2Location)
    • Free (e.g., HostIP, IPInfoDB)
• Results are not very accurate (country-, state-, city-? level)
• Incentives for service providers (e.g., Google) to implement fine-grained IP geo-location techniques
4
Adversary & Threat
• Goal: Learn (and exploit) users’ (current) locations
  • e.g., monetize through location-targeted ads
• Adversary: Service providers that
  • Offer either LBS or geo-location service
  • Might offer other online services (e.g., webmail, search, etc.)
• Threat: Location privacy compromised by others
  • Location + co-location information
[Figure: location information (e.g., from LBS requests) combined with co-location information (e.g., same public IP)]
5
The Threat
[Figure: A mobile phone with GPS (private IP 192.168.1.3, position (x0, y0)) sends an LBS request carrying (x0, y0) through an access point (AP) at location (x1, y1); the AP uses Network Address Translation (NAT), has private IP 192.168.1.1 and a public IP a.b.c.d obtained by DHCP, so the request arrives with source IP a.b.c.d. The Location-Based Service, controlled by the adversary, builds the mapping (a.b.c.d) ↔ (x0, y0). A second mobile phone (private IP 192.168.1.5) behind the same AP sends an ordinary request (IP: a.b.c.d) to a Web Server that is also controlled by the adversary, which uses the mapping (a.b.c.d) ↔ (x0, y0) to locate it.]
6
DHCP Lease & IP Change Inference
[Figure: A laptop connected to an access point (AP) that uses NAT and obtains its public IP by DHCP. At each DHCP lease (length t) the AP renews its IP, e.g., from a1.b1.c1.d1 to a2.b2.c2.d2. From the laptop’s requests, the Web Server infers the IP change (a1.b1.c1.d1) → (a2.b2.c2.d2).]
7
Quantifying the Threat
[Figure: timeline t of one IP period between IP renewals at kT and (k+1)T, showing arrivals A5, A6, A7, departures D1, D4 and requests Auth5, LBS5, Auth7, Std7, Std4, Std6; the compromise time TComp and the vulnerability window W are marked.]
Notation:
  T – IP periodicity
  Ai / Di – arrival / departure of user i
  LBSi – LBS request from user i
  Stdi – standard request from user i
  Authi – authenticated request from user i
Vulnerability window W
Compromise time TComp: first LBS query in T
Probability of the adversary successfully obtaining the mapping
Victims: |{U4, U6, U7}| = 3 (ads), |{U5, U7}| = 2 (tracking)
Proportion of victims: Victims / (NCon + λArr T)
8
System Model
• Users U
  • Connecting to AP: Poisson (λArr)
  • Connection duration: exponential distribution (λDur)
  • Stationary system
  • Number of connected users NCon = λArr / λDur
  • LBS, standard, authenticated requests: Poisson* (λLBS), (λStd), (λAuth)
• Access point AP
  • At location (x, y)
  • Single dynamic public IP with lease T, renewed with prob. pNew
• Adversary
  • Goal: obtain MAP = (IP ↔ Loc) mapping
9
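A Monte Carlo simulation of the system model on this slide, added here as an example (it is not code from the paper). It draws arrivals, connection durations, LBS and standard requests from the Poisson/exponential processes above, takes TComp as the first LBS query in a lease period, counts ad victims as users who send a standard request after TComp, and reports Victims / (NCon + λArr T). All λ values and lease lengths are constructed, and the IP is assumed renewed at every lease (pNew = 1).

```python
import random
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Params:
    lam_arr: float  # user arrivals at the AP per hour (Poisson)
    lam_dur: float  # 1 / mean connection duration, per hour (exponential)
    lam_lbs: float  # LBS requests per user-hour (Poisson)
    lam_std: float  # standard requests to the adversary's web server per user-hour
    T: float        # DHCP lease length in hours (assumption: IP renewed at every lease)

def poisson_times(rate: float, start: float, end: float, rng: random.Random) -> List[float]:
    """Event times of a homogeneous Poisson process of the given rate on [start, end)."""
    times, t = [], start
    while rate > 0:
        t += rng.expovariate(rate)
        if t >= end:
            break
        times.append(t)
    return times

def simulate_period(p: Params, rng: random.Random) -> Tuple[Optional[float], float]:
    """One lease period [0, T] with a fresh IP. Returns (TComp, proportion of ad victims)."""
    n_con = p.lam_arr / p.lam_dur                       # stationary NCon = λArr / λDur
    # Users already connected at t=0: remaining duration is still exponential (memoryless).
    sessions = [(0.0, min(p.T, rng.expovariate(p.lam_dur))) for _ in range(round(n_con))]
    for a in poisson_times(p.lam_arr, 0.0, p.T, rng):   # arrivals during the lease
        sessions.append((a, min(p.T, a + rng.expovariate(p.lam_dur))))
    lbs_times = [t for s, e in sessions for t in poisson_times(p.lam_lbs, s, e, rng)]
    if not lbs_times:                                   # nobody queried an LBS: no mapping
        return None, 0.0
    t_comp = min(lbs_times)                             # first LBS query builds IP <-> (x0, y0)
    victims = sum(1 for s, e in sessions               # standard request after TComp => ad victim
                  if any(t >= t_comp for t in poisson_times(p.lam_std, s, e, rng)))
    return t_comp, victims / (n_con + p.lam_arr * p.T)  # Victims / (NCon + λArr T)

def average(p: Params, periods: int = 200, seed: int = 1) -> Tuple[Optional[float], float]:
    """Average TComp (over periods where a mapping is obtained) and victim proportion."""
    rng = random.Random(seed)
    comps, props = [], []
    for _ in range(periods):
        tc, prop = simulate_period(p, rng)
        props.append(prop)
        if tc is not None:
            comps.append(tc)
    return (sum(comps) / len(comps) if comps else None), sum(props) / len(props)

if __name__ == "__main__":
    for lease in (8.0, 1.0, 0.25):   # constructed values: effect of a shorter DHCP lease
        tc, prop = average(Params(lam_arr=20, lam_dur=1.0, lam_lbs=0.1, lam_std=2.0, T=lease))
        print(f"lease {lease:5.2f} h: TComp ~ {tc if tc is None else round(tc, 2)} h, victims ~ {prop:.0%}")
```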
Success of the Adversary
10
EPFL Data Set
• Traces collected from 2 EPFL campus Wi-Fi APs over 23 days in June 2012
• User session, traffic and DNS traces
• 4302 users in total (136 users on average around 6PM)
• Considered traffic to Google services
  • 17% of the traffic; 81.3% of the users access at least one Google service
  • 9.5% of the users generate LBS requests
• Measured the compromise time and the proportion of victims
• Measured the probability of inferring IP changes
11
Results – Victims (ads)
Theoretical TComp = 7:42 AM
Experimental TComp = 8:25 AM
Users start arriving around 7 AM
Compromised location privacy of 90% of Google users
12
Probability of Inferring the IP Change
13
Countermeasures
(Oh boy what can I do?!)
• Hiding users’ actual IPs from the destination
  • Relay-based communication (e.g., Tor, mix networks, proxies)
  • Virtual Private Networks (VPNs)
  • ISPs implementing country-wide NAT or IP mixing
• Decreasing the knowledge of the adversary
  • Reducing the accuracy of the reported location (e.g., spatial cloaking, adding noise)
  • Increasing the adversary’s uncertainty (e.g., injecting dummy requests)
• Adjusting the system parameters
  • Reducing the DHCP lease, always allocating a new IP, changing the IP when traffic is low
• Do-not-geolocalize initiative
  • Opt-out of being localized
14
Conclusions
• Location privacy at hotspots can be compromised by other users
  • Consequence of the network operational mode, i.e., APs with NATs
• Scale of the threat is immense
• New business opportunities for service providers
• Users’ lack of incentives to coordinate and their lack of know-how impede the wide deployment of the countermeasures
15