Researchers at the National University of Singapore have discovered a serious new threat to personal privacy in the Internet era: “geo-location inference,” which allows almost anyone with a website to determine the precise location of that site's visitors (from country and city right down to street address), and “geo-inference attacks,” which make this information available to hackers who can make hyper-precise measurements of the timing of browsers' cache queries.
The full research study, downloadable as a .pdf here, is titled I Know Where You've Been: Geo-Inference Attacks via the Browser Cache. The problem is particularly widespread in the U.S., U.K., Australia, Japan and Singapore, and among users of Chrome, Firefox, Internet Explorer, Opera and Safari browsers.
Head researcher Yaoqi Jia told the Daily Dot that geo-inference attacking is a “new attack” with a “big impact,” and that “It’s the first to utilize timing channels in browsers to infer a user’s geo-location. No existing defenses are efficient to defeat such attacks.” Even the anonymizing network Tor cannot provide perfect protection against it.
What is it?
But what exactly is this problem? Many popular websites are “location-oriented,” which means that different visitors from different locations see different things.
Craigslist lets users narrow their searches by geographical area. Google uses different pages in different countries: Google.com in the United States becomes Google.ca in Canada. And of course, anyone using Google Maps types in all sorts of specific addresses and locations, and Google Maps remembers them all. So does your browser, unless and until you clear your browser history.
You've surely noticed on your own computer or mobile device that, all else being equal, the websites you visit on a regular basis tend to load much faster than some new-to-you website you're visiting for the first time. That's because when you visit your regular sites, your browser saves time by relying partly on its memory cache: the files you see every time you visit a particular website get saved onto your computer or device, so you don't have to re-download them on every subsequent visit.
But this process is not secure, and it does take time. Exactly how much time varies based on many different factors, including your actual physical distance from the website's server.
Suppose that you, and your friend who lives 10 miles away, are both frequent visitors of a website based on the opposite side of the country. (For the sake of this hypothetical, let's also pretend that your computer or mobile device, and your friend's, are alike in every possible way: same connection speeds, same browsing history and memory space, same everything except your geographic locations, which are 10 miles apart.)
As far as your merely human senses can tell, it takes the same amount of time to visit that website from your home computer as it does from your friend's. But with a computer's super-human senses, you can see there's actually a time lag – a very noticeable one, if you're measuring in something like fractions of nanoseconds.
That, in a nutshell, is geo-location inference. And when hackers break in and steal this information, that's a “geo-inference attack.” And who exactly is vulnerable to such attacks? According to the researchers, all mainstream-browser users and most popular-website visitors:
all five mainstream browsers (Chrome, Firefox, Safari, Opera and IE) on both desktop and mobile platforms as well as TorBrowser are vulnerable to geo-inference attacks. Meanwhile, 62% of Alexa Top 100 websites are susceptible to geo-inference attacks
So what can you do to protect yourself? Delete your browser cache on a regular basis — and Yaoqi also recommends you “Never give additional permissions to unfamiliar sites or open it for a long time” and “clear [your] cache after visiting a site with your credentials, e.g. online banking sites.” This still leaves users vulnerable while they're actually visiting a website, though: even if you clear your cache immediately after finishing an online session, the cache remains full during the session.
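The caching behavior described above, and the limit of clearing the cache noted in the last paragraph, shown as a simulation. This is an added example, not code from the article or the research paper; the timings, the threshold and the site.example URLs are constructed assumptions, and it uses no browser or network APIs.

```javascript
// Constructed model of the cache-timing signal; no browser or network APIs are used.
const HIT_MS = 3, MISS_MS = 90, THRESHOLD_MS = 30; // assumed timings and cut-off
// Constructed location-specific files, standing in for per-country pages.
const REGION_FILES = {
  Singapore: "https://site.example/sg/logo.png",
  Canada: "https://site.example/ca/logo.png",
  Japan: "https://site.example/jp/logo.png",
};

// Small deterministic generator so the simulated jitter (0 to 10 ms) is repeatable.
function makeJitter(seed) {
  let s = seed >>> 0;
  return () => { s = (s * 1664525 + 1013904223) >>> 0; return (s / 2 ** 32) * 10; };
}

class SimulatedBrowser {
  constructor(seed = 1) { this.cache = new Set(); this.jitter = makeJitter(seed); }
  visit(url) { this.cache.add(url); }   // ordinary browsing fills the cache
  clearCache() { this.cache.clear(); }  // the mitigation the article recommends
  // Time one load would take; the model ignores that loading also caches the file.
  timeToLoad(url) { return (this.cache.has(url) ? HIT_MS : MISS_MS) + this.jitter(); }
}

function median(xs) {
  const s = [...xs].sort((a, b) => a - b);
  return s[Math.floor(s.length / 2)];
}

// Regions whose file loads at cached speed, i.e. what the timing gives away.
function exposedRegions(browser, samples = 5) {
  return Object.entries(REGION_FILES)
    .filter(([, url]) => {
      const times = Array.from({ length: samples }, () => browser.timeToLoad(url));
      return median(times) < THRESHOLD_MS;
    })
    .map(([region]) => region);
}

function runScenario() {
  const b = new SimulatedBrowser();
  b.visit(REGION_FILES.Canada);          // user browses the Canadian pages
  const afterBrowsing = exposedRegions(b);
  b.clearCache();
  const afterClearing = exposedRegions(b);
  b.visit(REGION_FILES.Canada);          // next session, before the next clear
  const duringNextSession = exposedRegions(b);
  return { afterBrowsing, afterClearing, duringNextSession };
}
```

In this model, clearing the cache empties the exposed set, and the first visit of the next session fills it again.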