This post is the first in a three-part series summarizing recent efforts towards protecting Internet geolocation services from manipulation.
Internet geolocation is the process of learning the geographic location of an Internet-connected device. Geolocating a client (such as a browser accessing a website) can be useful for location-aware authentication, access control, online voting, social networking and fraud reduction. Geolocating a remote server can provide higher assurance of the server’s identity – important when justifying critical transactions, such as those that require data sovereignty.
Geolocation is often targeted for manipulation, either to impersonate someone (if location is used to reinforce authentication) or to gain other location-dependent benefits, such as access to copyright-protected media and localized news.
We will look at Client Presence Verification and Server Location Verification as techniques for verifying geographic locations of clients and servers in real time over the Internet. Each technique addresses a wide range of tactics for manipulating geolocation, including IP-hiding technologies such as VPNs and anonymizers.
The methods by which location is discovered vary by browser. Most major browsers rely on the following methods: GPS, WiFi Positioning System (WPS), IP-address-based location lookup, and cell-tower triangulation. Which method is preferred also differs by browser, and if the preferred method fails, the next is tried.
The geographic location of an IP address can be learned from publicly available routing information, or public registries such as whois. Many location service providers maintain lookup tables to instantly map IP addresses to locations. Although it can often take a long time for changes to be updated, this kind of static tabulation is often reliable enough for benign server geolocation. Flagfox is an example of a browser extension that uses IP address-based geolocation to display a flag of the economy corresponding to the server’s location.
None of the above techniques are resilient to manipulation, however. Generally, the server trusts the coordinates communicated to it by the browser, which in most cases can easily be forged. Firefox extensions such as Fake Location and Location Guard both make this kind of forgery possible, letting a user specify the location they wish to appear to be in. If the server relies on tabulation methods instead of asking the browser, proxies and anonymizers come into play, because the lookup then sees the intermediary's IP address rather than the client's.
Many other techniques can be used to help a server infer a client’s geographic location, such as using hints obtained from HTTP headers, like preferred language or time zone. A device’s location can also be interpolated from its proximity to nearby devices with known locations, such as WiFi access points.
Network measurement-based techniques aim to locate devices (clients or servers) by estimating their distance from landmarks in a network with known locations. The network delay to or from a network landmark is measured, then mapped to a geographic distance. This form of mapping is not nearly as accurate as GPS satellite-based measurement but is considered more accurate than the IP address-based tabulation approach.
Network measurement-based methods are also vulnerable to evasion. Delay-increasing attacks can distort the perceived location of a client or server, and delay-decreasing attacks can be performed by issuing fake ICMP echo replies. Combining both attacks, an adversary can forge the calculated location to an accuracy of a few tens of kilometres relative to the desired target location.
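As an added illustration (not code from the original article), the Python sketch below maps each landmark's round-trip time to a maximum possible distance and checks a claimed location against those bounds; it also shows that the same check stops rejecting a false claim once every measured delay is inflated. The landmark coordinates, RTT values and the 200 km/ms fibre propagation speed are constructed assumptions, and the simple physical bound stands in for whatever calibrated delay-to-distance mapping a real system would use.

```python
import math

EARTH_RADIUS_KM = 6371.0
# Assumption: signals in fibre cover roughly 200 km per millisecond, one way.
FIBRE_KM_PER_MS = 200.0

def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) points given in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))

def max_distance_km(rtt_ms):
    """Upper bound on distance: half the RTT at fibre propagation speed."""
    return rtt_ms / 2.0 * FIBRE_KM_PER_MS

def violated_landmarks(claim, measurements):
    """Landmarks whose RTT is too short for the device to be at `claim`."""
    return [name for name, loc, rtt_ms in measurements
            if haversine_km(claim, loc) > max_distance_km(rtt_ms)]

# Constructed sample data: three landmarks and RTTs for a device near Zurich.
LANDMARKS = {"zurich": (47.38, 8.54),
             "frankfurt": (50.11, 8.68),
             "london": (51.51, -0.13)}
HONEST_RTT_MS = {"zurich": 2.0, "frankfurt": 8.0, "london": 18.0}
NEW_YORK = (40.71, -74.01)

def measurements(rtts, extra_delay_ms=0.0):
    """Build (name, location, rtt) tuples, optionally with inflated delay."""
    return [(n, LANDMARKS[n], rtts[n] + extra_delay_ms) for n in LANDMARKS]

if __name__ == "__main__":
    # A true claim satisfies every landmark's bound.
    print(violated_landmarks(LANDMARKS["zurich"], measurements(HONEST_RTT_MS)))
    # A false claim is contradicted by all three landmarks.
    print(violated_landmarks(NEW_YORK, measurements(HONEST_RTT_MS)))
    # With 70 ms added to every RTT the bounds widen and nothing is flagged,
    # so an upper-bound check alone cannot detect delay inflation.
    print(violated_landmarks(NEW_YORK, measurements(HONEST_RTT_MS, 70.0)))
```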
This post was adapted from an article that featured in ;login: titled “Secure client and server geolocation over the Internet”.
AbdelRahman Abdou is a Postdoctoral Researcher in the Department of Computer Science at ETH Zurich, Switzerland. His research interests include location-aware security, SDN security, and using Internet measurements to solve problems related to Internet security.