Location verification on the Internet: Towards enforcing location-aware access policies over Internet clients

Over the Internet, location-sensitive content/service providers are those that employ location-aware authentication or location-aware access policies in order to prevent fraud, comply with media streaming licencing, regulate online gambling/voting, etc. An adversary can configure its device to fake geolocation information, such as GPS coordinates, and send this information to the location-sensitive provider. IP-address based geolocation is circumvented when the adversary's device employs a nonlocal IP address, which is easily achievable through third party proxy and Virtual Private Network providers. To address the issue that existing Internet geolocation techniques were not designed with adversaries in mind, we propose Client Presence Verification (CPV), a delay-based verification technique designed to verify an assertion about a device's presence inside a prescribed triangular geographic region. CPV does not identify devices by their IP addresses, thus hiding the IP does not evade it. Rather, the device's location is corroborated in a novel way by leveraging geometric properties of triangles, which prevents an adversary from manipulating the delay-sampling process to forge the location. To achieve high accuracy, CPV mitigates path asymmetry by introducing a new method to deduce one-way application-layer delays to/from the adversary's participating device, and mines these delays for evidence supporting/denying the asserted location. We implemented CPV, and conducted real world extensive experimental evaluation on PlanetLab. Our results to date show false reject and false accept rates of 2% and 1.1% respectively.