How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots
N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux
PETS 2013, 07/2013

GPS-Level Geo-location at Public Hotspots: A Crowd-Sourcing Approach Based on Shared Public IPs

[Figure: how others compromise your location privacy. Co-location information (e.g., same IP) is combined with location information (e.g., from an LBS) to yield a location.]

Location Information
• The places one visits convey a large amount of (sensitive) information
• Location information is valuable
  • Offers context-aware services
  • Creates new revenue opportunities
  • Potential to provide targeted advertisements (US$ 31.74 billion ad revenue in the US in 2011)
• Web services are interested in obtaining users’ locations
  • Users reveal their locations to Location-Based Services (LBS) in exchange for context-aware services
  • Non-LBS service providers rely on IP-location, i.e., determining a location from an IP address

IP-Location Services
• Provide IP address to geo-location translation
• Active techniques (e.g., delay measurements)
• Passive techniques
  • Databases with records of IP-location mappings
  • Commercial (e.g., Quova Inc., MaxMind, IP2Location)
  • Free (e.g., HostIP, IPInfoDB)
• Results are not very accurate (country-, state-, city-level?)
• Incentives for service providers (e.g., Google) to implement fine-grained IP geo-location techniques

Adversary & Threat
• Goal: learn (and exploit) users’ (current) locations, e.g., monetize them through location-targeted ads
• Adversary: service providers that
  • Offer either an LBS or a geo-location service
  • Might offer other online services (e.g., webmail, search, etc.)
• Threat: location privacy compromised by others
  • Location + co-location information (co-location, e.g., same IP; location, e.g., from an LBS)

The Threat
[Figure: an Access Point (AP) at location (x1, y1) has a public IP a.b.c.d (obtained by DHCP) and private IP 192.168.1.1, and uses Network Address Translation (NAT). A mobile phone with GPS (private IP 192.168.1.3, position (x0, y0)) sends an LBS request carrying (x0, y0); the LBS sees source IP a.b.c.d and builds the mapping (a.b.c.d) ↔ (x0, y0). A second mobile phone (private IP 192.168.1.5) sends an ordinary request to a web server, again from IP a.b.c.d; the web server uses the mapping (a.b.c.d) ↔ (x0, y0). Both the LBS and the web server are controlled by the adversary.]

DHCP Lease & IP Change Inference
[Figure: the AP obtains its public IP by DHCP with lease time t and uses NAT. Each renewal (“Renew IP”) may change the public IP from a1.b1.c1.d1 to a2.b2.c2.d2. A laptop behind the AP keeps contacting the web server across renewals, so the web server infers the IP change (a1.b1.c1.d1) → (a2.b2.c2.d2).]

Quantifying the Threat
Notation: T – IP periodicity; Ai / Di – arrival / departure of user i; LBSi – LBS request from user i; Stdi – standard request from user i; Authi – authenticated request from user i.
[Figure: timeline of one lease period from the IP renewal at kT to the next at (k+1)T, showing A5, A6, A7, D1, D4 and the requests Auth5, LBS5, Auth7, Std7, Std4, Std6 in that order along t.]
• Compromise time TComp: first LBS query in T
• Vulnerability window W: from TComp to the next IP renewal at (k+1)T
• Probability of the adversary successfully obtaining the mapping
• Victims: |{U4, U6, U7}| = 3 (ads), |{U5, U7}| = 2 (tracking)
• Proportion of victims: Victims / (NCon + λArr T)

System Model
• Users U
  • Connecting to the AP: Poisson (λArr)
  • Connection duration: exponential distribution (λDur)
  • Stationary system: number of connected users NCon = λArr / λDur
  • LBS, standard, authenticated requests: Poisson* (λLBS), (λStd), (λAuth)
• Access point AP
  • At location (x, y)
  • Single dynamic public IP with lease T, renewed with probability pNew
• Adversary
  • Goal: obtain the mapping MAP = (IP ↔ Loc)

Success of the Adversary
[Figure only; no text extracted.]

EPFL Data Set
• Traces collected from 2 EPFL campus Wi-Fi APs over 23 days in June 2012
• User session, traffic and DNS traces
• 4302 users in total (136 users on average around 6 PM)
• Considered traffic to Google services
  • 17% of the traffic; 81.3% of the users access at least one Google service
  • 9.5% of the users generate LBS requests
• Measured the compromise time and the proportion of victims
• Measured the probability of inferring IP changes

Results – Victims (ads)
• Theoretical TComp = 7:42 AM
• Experimental TComp = 8:25 AM
• Users start arriving around 7 AM
• Compromised location privacy of 90% of Google users

Probability of Inferring the IP Change
[Figure only; no text extracted.]

Countermeasures (Oh boy what can I do?!)
• Hiding users’ actual IPs from the destination
  • Relay-based communication (e.g., Tor, mix networks, proxies)
  • Virtual Private Networks (VPNs)
  • ISPs implementing country-wide NAT or IP mixing
• Decreasing the knowledge of the adversary
  • Reducing the accuracy of the reported location (e.g., spatial cloaking, adding noise)
  • Increasing the adversary’s uncertainty (e.g., injecting dummy requests)
• Adjusting the system parameters
  • Reduce the DHCP lease, always allocate a new IP, change the IP when traffic is low
• Do-not-geolocalize initiative
  • Opt out of being localized

Conclusions
• Location privacy at hotspots can be compromised by other users
• Consequence of the network’s operational mode, i.e., APs with NATs
• The scale of the threat is immense
• New business opportunities for service providers
• Users’ lack of incentives to coordinate and their lack of know-how impede the wide deployment of the countermeasures
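The following is an added worked example, not code from the slides or from the authors; it turns the “Quantifying the Threat” timeline and the “System Model” into a small simulation and also shows the effect of the “always allocate a new IP” countermeasure (pNew). Assumptions beyond the slides: ads victims are taken to be users whose standard requests fall after TComp (the ad is targeted in real time), tracking victims are users with an authenticated request anywhere in the lease period (logged requests can be joined with the mapping later), which is the reading of the figure’s sets {U4, U6, U7} and {U5, U7}; “Poisson*” is taken to mean independent Poisson request streams per connected user; and when the IP is not renewed, the adversary’s mapping from the previous period carries over. All rates and the seed are constructed, not the EPFL measurements.

```python
"""Added example (not from the slides): a toy model of the shared-public-IP threat.
Times are hours measured from the start of the current DHCP lease period [kT, (k+1)T)."""
import math
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    time: float  # hours since the start of the current lease period
    user: int
    kind: str    # "LBS" (carries a GPS fix), "Std" (plain) or "Auth" (logged in)


def compromise_time(requests):
    """T_Comp for one period: time of the first LBS request, or None."""
    lbs = [r.time for r in requests if r.kind == "LBS"]
    return min(lbs) if lbs else None


def victims(requests, mapping_known=False):
    """(ads_victims, tracking_victims) for one period, under the assumed reading:
    ads = Std request after T_Comp; tracking = any Auth request in the period.
    If the IP was not renewed, the mapping is already known at t = 0."""
    tcomp = 0.0 if mapping_known else compromise_time(requests)
    if tcomp is None:
        return set(), set()
    ads = {r.user for r in requests if r.kind == "Std" and r.time > tcomp}
    tracking = {r.user for r in requests if r.kind == "Auth"}
    return ads, tracking


def poisson(mean, rng):
    """Knuth's Poisson sampler; the random module has no built-in one."""
    limit, k, p = math.exp(-mean), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_period(T, lam_arr, lam_dur, lam_lbs, lam_std, lam_auth, rng):
    """One lease period of the slides' system model: Poisson(N_con) users already
    connected at t=0 (N_con = lam_arr/lam_dur, memoryless residual stay),
    Poisson(lam_arr) arrivals, exponential(lam_dur) stays, and independent
    Poisson LBS/Std/Auth request streams for every connected user."""
    users = [(0.0, rng.expovariate(lam_dur))
             for _ in range(poisson(lam_arr / lam_dur, rng))]
    t = rng.expovariate(lam_arr)
    while t < T:
        users.append((t, t + rng.expovariate(lam_dur)))
        t += rng.expovariate(lam_arr)
    requests = []
    for uid, (arrival, departure) in enumerate(users):
        end = min(departure, T)
        for kind, rate in (("LBS", lam_lbs), ("Std", lam_std), ("Auth", lam_auth)):
            if rate <= 0:
                continue
            t = arrival + rng.expovariate(rate)
            while t < end:
                requests.append(Request(t, uid, kind))
                t += rng.expovariate(rate)
    return requests


def generate_periods(n, seed, **params):
    """n consecutive lease periods drawn with a fixed seed (params as above)."""
    rng = random.Random(seed)
    return [simulate_period(rng=rng, **params) for _ in range(n)]


def proportion_of_victims(periods, T, lam_arr, lam_dur, p_new, seed=0):
    """The slides' metric Victims/(N_con + lam_arr*T), averaged over periods.
    p_new = probability that DHCP hands out a fresh IP at renewal; otherwise the
    mapping from the previous period carries over (why p_new = 1 is a countermeasure)."""
    rng = random.Random(seed)
    expected_users = lam_arr / lam_dur + lam_arr * T
    known = False
    ads_total = tracking_total = 0
    for requests in periods:
        ads, tracking = victims(requests, mapping_known=known)
        ads_total += len(ads)
        tracking_total += len(tracking)
        compromised = known or compromise_time(requests) is not None
        known = compromised and not (rng.random() < p_new)
    n = len(periods) * expected_users
    return ads_total / n, tracking_total / n


if __name__ == "__main__":
    # Constructed parameters, not the EPFL measurements: rates per hour, 1-hour lease.
    params = dict(T=1.0, lam_arr=40.0, lam_dur=1.0, lam_lbs=0.2, lam_std=3.0, lam_auth=1.0)
    periods = generate_periods(200, 42, **params)
    for p_new in (1.0, 0.5, 0.0):
        ads, tracking = proportion_of_victims(periods, 1.0, 40.0, 1.0, p_new)
        print(f"p_new={p_new}: ads victims {ads:.2f}, tracking victims {tracking:.2f}")
```

Feeding the figure’s timeline (Auth5, LBS5, Auth7, Std7, Std4, Std6) into `victims` reproduces the slide’s counts, 3 ads victims and 2 tracking victims, with TComp at LBS5. Running the main block with the same drawn periods and decreasing `p_new` shows the mapping surviving renewals, which is the mechanism the “always allocate a new IP” and “reduce the DHCP lease” countermeasures attack.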