id="info"

Networking

Researchers devise method to detect location spoofing by calculating network delays

Location-sensitive service providers and users in unserved geographic areas are in a game of cat-and-mouse with VPN location spoofing. Now, VPN use can be detected by calculating network delay.

Image: iStockphoto/cybrain

Researchers at Carleton University have devised a method that analyzes the location of a given internet user by observing delays in packet delivery. This method, called Client Presence Verification (CPV) [PDF] is a more advanced method of reliably determining geolocation than present methods, as it is not susceptible to being tricked by one-way delays from a client attempting to cloak their geographical location.

How does geolocation work?

Traditional geolocation strategies rely on one (or a combination of) technologies that clients are capable of cloaking. GPS and Wi-Fi positioning system data is sent by the client, and is trivial to manipulate. Address tables such as Neustar and Maxmind, which associate IP address blocks with ISPs in a given locality (and other attributes), can be tricked using basic proxy servers. Standard delay-based computations of round-trip time for packet delivery are susceptible to the client manipulating the inherent variability of network speeds and artificially increasing delay to cloak their true location.

Why is CPV more effective at confirming location?

CPV relies on the strong correlation between geographic distance and network delays. With the widespread use of cloud computing, a given user would likely be connected to a geographically nearby server (particularly in bandwidth-intensive cases such as streaming video). Users cloaking their geographic location with a VPN typically experience slower performance than users in the "correct" location, connecting directly to the service provider.

CPV uses a new, custom protocol to verify the forward and reverse one-way delays between two hosts on the internet. To ensure reliability, heuristics are used to improve the accuracy of delay-to-distance mapping., and reduce the impact of variable network performance on this calculation.

SEE: Port Fail VPN security flaw exposes your true IP address (ZDNet)

Strictly speaking, CPV is not itself a geolocation utility—it does not independently determine where a user is. It uses delay-to-distance mapping to verify (in a confidence interval) if a user is in the location claimed. Because of this, CPV is more likely to be successful in determining how much farther away a user's real location is from their claimed location. According to the researchers, "CPV correctly rejected 97% (1,749 of 1,803) of fraudulent location assertions that were >200km [~125 miles] away from the adversaries' true locations".

Why cloak location?

The use of VPNs to access content not otherwise available in a given market has long been a tactic used by people wanting to use officially licensed platforms to consume media. Often, the targets of such activity are streaming video platforms such as Netflix—with the end user paying both for content and a VPN through which to access it. With Netflix going global in January, the need to go to such technical lengths has lessened somewhat, though the US catalog continues to have more content. In 2013, an Australian consumer lobby encouraged the use of VPNs due to the disparity, which Sony executives pressured Netflix to curtail.

Similarly, another frequent target of location cloaking is BBC's iPlayer service. Unlike Netflix—a private company funded by a subscription model—programming produced by the BBC is funded with the proceeds of a compulsory television license (in effect, a tax). Consequently, the iPlayer service is unavailable outside the United Kingdom. This arrangement has peculiar implications. First, potential foreign customers have no mechanism by which they can pay the license fee to view iPlayer programs. Second, and most troubling, is that UK residents who hold a television license, and who are overseas on holiday or a protracted work assignment, won't have access either. At minimum, in the latter case, users have a reasonable expectation of service which is presently not provided—a legitimate case for location cloaking currently being curtailed by geolocation methods. This access issue was recently highlighted by UK culture secretary John Whittingdale.

What do you think?

Do you implement geolocation in your projects? Have you had to resort to using a VPN in order to overcome region restrictions? Share your experiences in the comments.

Also see

About

James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware.

Editor's Picks