A Location-Privacy Threat Stemming from the Use of Shared Public IP Addresses

This paper presents a concrete and widespread example of a situation where a user's location privacy is unintentionally compromised by others: the location-privacy threat that exists at access points (public hotspots, FON, home routers, etc.) that have a single public IP address and use network address translation (NAT). Because users connected to the same hotspot share one public IP address, a single location-based request from any one user is enough for a service provider to map the hotspot's IP address to its geographic coordinates, thus compromising the location privacy of all the other connected users. When successful, the service provider can locate users within a few hundred meters, improving over existing IP-location databases. Even when IPs change periodically (e.g., through DHCP), the service provider can still update a previous (IP, Location) mapping by inferring IP changes from authenticated communications (e.g., cookies). The contribution of this paper is three-fold: (i) We identify a novel location-privacy threat caused by shared public IPs in combination with NAT. (ii) We formalize and analyze the threat theoretically. In particular, we derive and provide expressions for the probability that the service provider will learn the mapping and for the expected proportion of victims. (iii) We experimentally assess the state in practice by using real traces (collected from deployed hotspots over a period of 23 days) of users who accessed Google services. We also discuss how existing countermeasures can thwart the threat.
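
To make the exposure concrete, the sketch below audits a small constructed request trace for which users end up located; it is an added example, not code or data from the paper. The trace, the cookie names, the `link_window` parameter and the rule "same cookie on a new IP shortly afterwards means the hotspot's IP changed" are simplifying assumptions.

```python
# Constructed trace as seen by the service provider:
# (time, source IP, cookie, reported location or None).
# IPs come from documentation ranges; cookies and coordinates are made up.
TRACE = [
    (1, "203.0.113.7", "alice", None),
    (2, "203.0.113.7", "bob", (46.52, 6.57)),  # the single location-based request
    (3, "203.0.113.7", "carol", None),
    (4, "198.51.100.9", "dave", None),          # other hotspot, nobody shares location
    (5, "203.0.113.42", "alice", None),         # hotspot got a new public IP (DHCP)
    (6, "203.0.113.42", "erin", None),
]


def exposed_users(trace, link_window=5):
    """Return {cookie: location} for every user the provider can place.

    Assumptions (not from the paper): an (IP, location) mapping holds for the
    whole trace, and a cookie seen on a mapped IP and then on an unmapped IP
    within `link_window` time units signals an IP change of the same hotspot.
    """
    # Step 1: one location-based request maps the shared public IP.
    ip_loc = {ip: loc for _, ip, _, loc in trace if loc is not None}

    # Step 2: carry the mapping across IP changes using authenticated traffic.
    last_seen = {}  # cookie -> (time, ip)
    for t, ip, cookie, _ in sorted(trace, key=lambda r: r[0]):
        prev = last_seen.get(cookie)
        if prev and prev[1] != ip and t - prev[0] <= link_window:
            if prev[1] in ip_loc and ip not in ip_loc:
                ip_loc[ip] = ip_loc[prev[1]]
        last_seen[cookie] = (t, ip)

    # Step 3: everyone behind a mapped IP is located, whatever they requested.
    return {cookie: ip_loc[ip] for _, ip, cookie, _ in trace if ip in ip_loc}


def victims(trace, link_window=5):
    """Users who are located although they never sent a location themselves."""
    sharers = {cookie for _, _, cookie, loc in trace if loc is not None}
    return set(exposed_users(trace, link_window)) - sharers


if __name__ == "__main__":
    print(exposed_users(TRACE))
    print(sorted(victims(TRACE)))
```

Setting `link_window=0` disables the cookie-based linking step and shows how much of the exposure depends on the provider being able to follow users across the IP change.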
