Marco Polo: Using Wireless Signals to Locate an IP Address
We have developed an approach that can quickly geolocate Internet users that are connected through a WiFi network. To do so, we send specially-crafted signals to the user's IP address. When these signals are broadcast by the user's wireless router to the user's wireless device, they have a discernible signature. We then use other geolocation efforts to scope the Internet user's location (e.g., to the appropriate city or section of a city). We then drive through the search area listening on wireless channels for the discernible wireless signature. Once we find it, we use directional antennas and triangulation to exactly locate the user.
Law enforcement often needs to be able to quickly geolocate an online suspect (e.g., to catch individuals distributing child pornography). The current approach of subpoenaing Internet Service Providers (ISPs) is too slow: by the time the ISP responds, the suspect stops engaging in the illegal act and deletes evidence. It is further difficult to determine the criminal from just an ISP customer address, since the home may be occupied by multiple individuals.
Law enforcement would like to have the geolocation results to a fine granularity in as close to real time as possible. After meeting with officials from the Cybercrime Division of the Massachusetts Attorney General's office, the investigators have confirmed our work in the area would be useful.
Since the majority of US households use wireless networks, we use a geolocation technique that uses wireless signals to find a suspect's location.
We establish a connection with the suspect (e.g., double click a file the suspect offers via peer-to-peer software) and then send specially-crafted network traffic to the suspect. At the same time, we use traditional geolocation techniques to find the suspect's city. We then drive around the target's city looking for the special signals.
The approach allows fine-grain geolocation. In a summer experiment, a graduate student was able to geolocate one of the investigator's home to within three houses. Further refinements are likely to be able to exactly identify the appropriate house (though apartments may be harder). It is also quick: this effort took less than 45 minutes.
The technique works even if the suspect is using wireless encryption or using a mobile device using a WiFi network (e.g., a smartphone).
The approach does not require subpoenas or ISP cooperation. The approach does not violate wiretap laws (it does not examine the network data, only the sizes of packets transmitted).
- Subpoena to Internet Service Providers: The traditional ISP subpoena process can be very slow, requiring days to learn the registered customer address of a suspect's IP address. During this time, evidence may be destroyed. Further, it is challenging to prove the individual responsible when multiple people share the residence or when guests visit.
- Traditional Geolocation Approaches: The most precise current geolocation technique can narrow an IP address down to a 690m radius circle in its best case. Unfortunately, this is not precise enough. In the New York City area, the population density is so high that roughly 33,000 may live inside this search area.
Our prior efforts have allowed us to geolocate a single target to within three houses [ PDF ]. However, we would like to be able to generalize the approach to multiple targets and perform more fine-grained geolocation.