VPN Location Leaking
Clients often tell us they use a Virtual Private Network (VPN) as their primary method to mask or change their location. In some ways a VPN will achieve this; however, it is a mistake to believe this is a complete process.
Masking location through a VPN by changing your IP address.
An IP address is classed as a logical address. A logical address is how data finds its way through a network to a physical device. As a logical address, an IP address is very easy to change; the simplest way is to physically change your location and connect to a different WiFi router (i.e. leave your home, walk to a café and connect to their WiFi router). A different network means a different IP address to find you on that network. In simple terms, the IP address is how your internet traffic can find you and your device when you request a web service.
You can’t avoid having an IP address assigned if you are using web services. It’s a fundamental function of how the internet works. However, by using a VPN you can add an additional link into this process. This allows all your traffic to flow through a new node (VPN service) which becomes your external facing gateway to the rest of the internet.
The outcome is that you can appear to web services to be in any geographical location of your choosing, because the IP address they see is the one belonging to the VPN service, not your own.
Webservices & Apps
The issue with relying on a VPN to mask your location is that all this is happening at the transmission layer of your internet activity. It’s the equivalent of having a forwarding address or PO Box in the real world. People only know your forwarding address, you collect your mail from there and your location remains hidden. However, if your home address is in the telephone directory, it totally bypasses your forwarding address and is a different way to discover your real address. The same applies to a webservice.
Webservices and Apps can request to know your location. They can’t just do this; they must request your permission with pop-ups like this in your browser. However, once you have given permission, this website will be able to access your location when you navigate to it without having to ask again.
If you then head into your browser settings you will see the webservice now has the rights to access your location. It’s worth noting different browsers deal with this differently.
Apps on smartphones request this level of permission when you install them. Most of us don’t read all the terms and conditions. You provide this data because you want access to the service the App provides. If the App requests location data on install, it allows the App to poll your location whenever it wants unless you disable this feature.
Why is this so important?
The location method used by applications is a completely separate process from IP geolocation. It doesn’t matter if you are running a VPN: the application-level method bypasses it completely and acquires your location. Your IP will remain masked by the VPN but your location will be discoverable to the applications you have given access to.
The situation is further compounded by the level of accuracy of the location. IP geolocation and application-level geolocation are wildly different. As we already stated, IP addresses are logical and easy to change. Therefore the location data for IP addresses isn’t usually very accurate and can’t be relied on (usually city or country level geolocation). At the application layer, when you give location access to Apps and webservices, it’s very different. This doesn’t use your IP address but instead the location your device has stored. Two separate processes doing two very different things.
How does my device know where it is then?
The primary method is through Assisted / Augmented Global Positioning Service (AGPS). AGPS is a system which uses services to map the position of every Cell Tower and WiFi Access Point (AP / router). Your device (mobile, tablet etc) doesn’t have to connect to a WiFi AP for this to happen. Mobile phones, tablets etc do this by constantly listening to the WiFi signals around them and sending their location, and the WiFi APs they can see around them, back to AGPS services.
As we walk around with our phones, they are listening to WiFi beacons and mapping them. From the signal strength they receive from a WiFi AP they can work out how far you are from that AP. AGPS services use this data to build maps of every WiFi AP in the world. Then, when your device wants to know where it is, it sends the WiFi APs it can see around it to an AGPS service, which works out exactly where you are, often with a degree of accuracy of less than 5m². Think about that for a moment… it isn’t a case of whether you are in Glasgow, Santiago, Nairobi or Tokyo, but which room of your house you are in.
To demonstrate the detail of this data, Wigle.net is an example of a free service to which people who are willing to map WiFi APs can contribute. This map shows the coverage they have in Western Europe, created just from the data of willing volunteers.
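The sketch below is an added example, not code from any AGPS provider. It shows the idea described above with a simplified weighted-centroid estimate, then compares the result with the city-level location a VPN exit IP would suggest. The AP map, BSSIDs, coordinates and path-loss constants are all constructed assumptions.

```javascript
// Constructed AP map, standing in for the database an AGPS service builds.
// BSSIDs and coordinates are made up (a street in Glasgow).
const AP_MAP = {
  "aa:bb:cc:00:00:01": { lat: 55.8610, lon: -4.2500 },
  "aa:bb:cc:00:00:02": { lat: 55.8611, lon: -4.2502 },
  "aa:bb:cc:00:00:03": { lat: 55.8609, lon: -4.2503 },
};

// Log-distance path-loss model: RSSI (dBm) -> approximate distance in metres.
// txPower (RSSI at 1 m) and exponent n are assumed indoor values.
function rssiToMetres(rssi, txPower = -40, n = 3) {
  return Math.pow(10, (txPower - rssi) / (10 * n));
}

// Weighted centroid of the known APs in a scan; closer APs weigh more.
// Inputs are BSSIDs and signal strengths only. No IP address is involved.
function estimatePosition(scan, apMap = AP_MAP) {
  let lat = 0, lon = 0, wSum = 0, apsUsed = 0;
  for (const { bssid, rssi } of scan) {
    const ap = apMap[bssid.toLowerCase()];
    if (!ap) continue; // AP not in the map: skip it
    const w = 1 / rssiToMetres(rssi);
    lat += ap.lat * w; lon += ap.lon * w; wSum += w; apsUsed++;
  }
  return apsUsed ? { lat: lat / wSum, lon: lon / wSum, apsUsed } : null;
}

// Great-circle (haversine) distance in metres between two {lat, lon} points.
function haversineMetres(a, b) {
  const rad = (d) => (d * Math.PI) / 180, R = 6371000;
  const dLat = rad(b.lat - a.lat), dLon = rad(b.lon - a.lon);
  const h = Math.sin(dLat / 2) ** 2 +
    Math.cos(rad(a.lat)) * Math.cos(rad(b.lat)) * Math.sin(dLon / 2) ** 2;
  return 2 * R * Math.asin(Math.sqrt(h));
}

// Constructed scenario: VPN exit geolocates to Tokyo, device hears WiFi in Glasgow.
const vpnExitGeo = { lat: 35.68, lon: 139.77 }; // city-level IP geolocation
const wifiScan = [
  { bssid: "aa:bb:cc:00:00:01", rssi: -50 },
  { bssid: "aa:bb:cc:00:00:02", rssi: -60 },
  { bssid: "aa:bb:cc:00:00:03", rssi: -70 },
  { bssid: "de:ad:be:ef:00:99", rssi: -45 }, // unmapped AP, ignored
];
const deviceGeo = estimatePosition(wifiScan);
const gapKm = haversineMetres(vpnExitGeo, deviceGeo) / 1000;
console.log(deviceGeo, `IP and device locations differ by ${gapKm.toFixed(0)} km`);
```

The estimate lands within a few metres of the strongest mapped AP while the IP-derived location is on another continent, which is the mismatch a service sees when it holds both values.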
Who does this?
We all do. That’s correct, your mobile phone is constantly scanning for WiFi APs and sending their location back to services which map the location of WiFi APs. Most services will do this by default. On an Android device you can check in your settings to see if you are scanning and sending this data back to Google. That’s every single Android device defaulting to perform this task. That’s a lot of devices from just one service provider.
This data is then sold to companies or added to a service provider’s own dataset to allow AGPS services to ascertain your exact location. This is great, as a lot of applications need to know your location to provide a service to you. I am not saying this is a negative thing; without it Google Maps wouldn’t be able to navigate, FourSquare wouldn’t be as simple to use, Uber wouldn’t be able to find you a ride as easily and, of course, Tinder wouldn’t be able to find people near you.
Why should I care?
That depends on what you are trying to achieve through using a VPN. If your primary concern is changing location, you have to understand the flaws in the process so you can protect yourself. If your goal is to truly mask your location, you need to rethink just using a VPN. The reality is, a VPN doesn’t make your location anonymous; it just masks your IP, which is one way of determining your location. Whether you are conducting sensitive OSINT or simply concerned about your online footprint, you need to understand the limitations of VPNs against your requirements.
At Ecliptic Dynamics we deliver solutions to mitigate these risks and protect you. If you want to know more about the services we provide get in touch.