
How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots

N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux. PETS 2013, 07/2013.


Presentation Transcript


  1. How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots
     N. Vratonjic, K. Huguenin, V. Bindschaedler, and J.-P. Hubaux
     PETS 2013, 07/2013

  2. How Others Compromise Your Location Privacy: The Case of Shared Public IPs at Hotspots
     GPS-Level Geo-location at Public Hotspots: A Crowd-Sourcing Approach Based on Shared Public IPs
     [Figure labels: co-location information (e.g., same IP); location information (e.g., LBS); location information]

  3. Location Information
     • The places one visits convey a large amount of (sensitive) information
     • Location information is valuable
       • Offers context-aware services
       • Creates new revenue opportunities
       • Potential to provide targeted advertisements (US$ 31.74 Billion ad revenue in the US in 2011)
     • Web services are interested in obtaining users’ locations
       • Users reveal their locations to Location-Based Services (LBS) in exchange for context-aware services
       • Non-LBS service providers rely on IP – location
         • i.e., determining a location from an IP address

  4. IP-Location Services
     • Provides IP address to geo-location translation
       • Active techniques (e.g., delay measurements)
       • Passive techniques
         • Databases with records of IP – location mappings
         • Commercial (e.g., Quova Inc., MaxMind, IP2Location)
         • Free (e.g., HostIP, IPInfoDB)
     • Results are not very accurate (country-, state-, city-? level)
     • Incentives for service providers (e.g., Google) to implement fine-grained IP geo-location techniques

  5. Adversary & Threat
     • Goal: Learn (and exploit) users’ (current) locations
       • e.g., monetize through location-targeted ads
     • Adversary: Service providers that
       • Offer either LBS or geo-location service
       • Might offer other online services (e.g., webmail, search, etc.)
     • Threat: Location privacy compromised by others
       • Location + co-location information
     [Figure labels: co-location information (e.g., same IP); location information (e.g., LBS); location information]

  6. The Threat
     [Figure labels:
      • Mobile Phone; Mobile Phone (GPS); private IP: 192.168.1.5; private IP: 192.168.1.3; position:
      • Access Point (AP): location; public IP: a.b.c.d (obtained by DHCP); private IP: 192.168.1.1; uses Network Address Translation (NAT)
      • Controlled by the adversary: Location-Based Service; Web Server
      • LBS Request (IP: a.b.c.d); Build mapping: (a.b.c.d) ↔
      • Request (IP: a.b.c.d); Use mapping: (a.b.c.d) ↔]

  7. DHCP Lease & IP Change Inference
     [Figure labels:
      • Laptop
      • Access Point (AP): public IP obtained by DHCP; uses Network Address Translation (NAT)
      • Renew IP a1.b1.c1.d1; Renew IP a2.b2.c2.d2; Renew IP; Renew IP; DHCP lease time
      • Web Server
      • HTTP Request, Cookie john@dom.com (IP: a1.b1.c1.d1)
      • HTTP Request, Cookie john@dom.com (IP: a2.b2.c2.d2)
      • Infer IP change: (a1.b1.c1.d1) (a2.b2.c2.d2)]

  8. Quantifying the Threat
     • T – IP periodicity
     • Ai/Di – arrival/departure
     • LBSi – LBS req. from user i
     • Stdi – Standard req. from user i
     • Authi – Authenticated req. from user i
     [Timeline figure labels: A5, A6, A7; D1, D4; Renew IP, Renew IP; LBS5; Auth5, Auth7; Std4, Std6, Std7; axis labels kT, TComp, (k+1)T, t; Vulnerability Window W]
     • Compromise time TComp: First LBS query in T
     • Probability of the adversary successfully obtaining the mapping
     • Victims: |{U4, U6, U7}| = 3 (ads), |{U5, U7}| = 2 (tracking)
     • Proportion of Victims: Victims/(NCon + λArr T)

  9. System Model
     • Users U
       • Connecting to AP: Poisson (λArr)
       • Connection duration: exponential distribution λDur
       • Stationary system
       • Number of connected users NCon = λArr/λDur
       • LBS, standard, authenticated requests: Poisson* (λLBS), (λStd), (λAuth)
     • Access point AP
       • At location (x,y)
       • Single dynamic public IP with lease T, renewed with prob. pNew
     • Adversary
       • Goal: obtain MAP = (IP↔Loc) mapping
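
     An added simulation of the system model and the "Proportion of Victims" metric from the two slides above (example code, not from the presentation or its authors), showing how the lease length T, which the countermeasures slide proposes reducing, changes exposure. All rates are constructed; it assumes every lease period gets a new IP (pNew = 1) and counts any user sending a standard request after TComp as an ad victim.

```python
import math
import random

def poisson(rng, mean):
    """Poisson sample: count unit-rate exponential gaps that fit in `mean`."""
    n, t = 0, rng.expovariate(1.0)
    while t < mean:
        n, t = n + 1, t + rng.expovariate(1.0)
    return n

def simulate_lease(rng, lam_arr, lam_dur, lam_lbs, lam_std, T):
    """Simulate one lease period [0, T); return (T_comp or None, ad victims)."""
    # Stationary start: Poisson(N_con) users are connected at t = 0, and by
    # memorylessness their remaining connection time is again exponential.
    arrivals = [0.0] * poisson(rng, lam_arr / lam_dur)
    t = rng.expovariate(lam_arr)
    while t < T:
        arrivals.append(t)
        t += rng.expovariate(lam_arr)
    sessions = [(a, min(a + rng.expovariate(lam_dur), T)) for a in arrivals]
    # Compromise time: first LBS request sent by any connected user.
    t_comp = math.inf
    if lam_lbs > 0:
        for a, d in sessions:
            first = a + rng.expovariate(lam_lbs)
            if first < d:
                t_comp = min(t_comp, first)
    if t_comp == math.inf:
        return None, 0
    # Ad victims: users with at least one standard request after T_comp
    # (Poisson requests, so P = 1 - exp(-lam_std * exposed time)).
    victims = 0
    for a, d in sessions:
        exposed = d - max(a, t_comp)
        if exposed > 0 and rng.random() < 1 - math.exp(-lam_std * exposed):
            victims += 1
    return t_comp, victims

def mean_victim_proportion(lam_arr, lam_dur, lam_lbs, lam_std, T, runs=200, seed=1):
    """Average Victims / (N_con + lam_arr * T) over independent lease periods."""
    rng = random.Random(seed)
    expected_users = lam_arr / lam_dur + lam_arr * T
    total = sum(simulate_lease(rng, lam_arr, lam_dur, lam_lbs, lam_std, T)[1]
                for _ in range(runs))
    return total / (runs * expected_users)

if __name__ == "__main__":
    # Constructed rates (per hour): 20 arrivals, mean stay 2 h, sparse LBS use.
    for lease in (0.25, 1.0, 6.0, 24.0):
        p = mean_victim_proportion(20.0, 0.5, 0.05, 2.0, lease)
        print(f"lease T = {lease:5.2f} h  ->  proportion of victims ~ {p:.2f}")
```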

  10. Success of the Adversary

  11. EPFL Data Set
     • Traces collected from 2 EPFL campus Wi-Fi APs over 23 days in June 2012
       • User session, traffic and DNS traces
       • 4302 users in total (136 users on average around 6PM)
     • Considered traffic to Google services
       • 17% of the traffic; 81.3% of the users access at least one Google service
       • 9.5% of the users generate LBS requests
     • Measured the compromise time and the proportion of victims
     • Measured the probability of inferring IP changes

  12. Results – Victims (ads)
     • Theoretical TComp = 7:42 AM
     • Experimental TComp = 8:25 AM
     • Compromised location privacy of 90% of Google users
     • Users start arriving around 7AM

  13. Probability of Inferring the IP Change

  14. Countermeasures (Oh boy what can I do?!)
     • Hiding users’ actual IPs from the destination
       • Relay-based communication (e.g., Tor, mix networks, proxies)
       • Virtual Private Networks (VPNs)
       • ISPs implementing country-wide NAT or IP Mixing
     • Decreasing the knowledge of the adversary
       • Reducing accuracy of the reported location (e.g., spatial cloaking, adding noise)
       • Increase adversary’s uncertainty (e.g., inject dummy requests)
     • Adjust the system parameters
       • Reduce the DHCP lease, always allocate a new IP, IP change when the traffic is low
     • Do-not-geolocalize initiative
       • Opt-out of being localized

  15. Conclusions
     • Location privacy at hotspots can be compromised by other users
       • Consequence of network operational mode
       • i.e., APs with NATs
     • Scale of the threat is immense
     • New business opportunities for service providers
     • Users’ lack of incentives to coordinate and their lack of know-how impede the wide deployment of the countermeasures
