4

Can my VPN provider track the wireless network name, besides the IP? If I'm connecting from home to the VPN via my WiFi called "Whatever" - do they see that my WiFi is called that?

Anders
  • 64,406
  • 24
  • 178
  • 215
Jenna.Deen
  • 43
  • 3

1 Answers1

1

Yes but this is not an issue with the VPN protocol per se its more an issue with data leakage of traffic exiting through that connection.

Specifically there are many ways in which geolocation can be done against the client via a number of protocols. In your case the most relevant one would be using client-side javascript to capture the wireless SSID and comparing it to a geolocation database of wireless SSID's. If ANY web server requests this data while you are using a VPN provider that information will also be sent via this connection. A more malicious VPN provider could also MITM a cleartext http session and easily add a request like that in (note: I'm not saying VPN providers do this and most likely they don't because they don't really need too in order to determine your location as most clients will leak that information via normal usage).

Note: This also means some web servers will know your SSID too.

See the Wi-Fi based positioning section and javascript geolocation demo on the following web page:

https://mobiforge.com/design-development/html5-mobile-web-a-guide-geolocation-api

Trey Blalock
  • 14,099
  • 6
  • 43
  • 49
  • 1
    Out of curiosity, could you point me in the direction of a proof of concept for gathering SSID via javascript? I'm just not understanding how JS would be capable of obtaining system info like current SSID. – hopkins-matt May 25 '16 at 20:12
  • http://security.stackexchange.com/questions/108885/how-can-i-detect-real-location-of-the-user-through-their-ip-address/108893#108893 – Trey Blalock May 25 '16 at 20:37
  • 1
    Are you saying the SSID can be obtained directly through the JavaScript geolocation API? If so, how so? – Alexander O'Mara May 26 '16 at 00:53
  • In the case of mobile devices yes, in the case of regular browsers without plugins no, but some browser plugins are able to grab additional data like this. Likewise other applications on a given host which "call home" frequently send data like this out which can be collected at the VPN egress point. Likewise cookies for a given user of a regular browser can be correlated with their mobile device to determine the users "primary" home and "work" (or other) most frequented SSID's. In some cases this SSID can be discovered directly others via correlation. – Trey Blalock May 26 '16 at 05:41
  • 1
    client-side javascript (mobile or desktop) cannot see SSIDs. period. webservers cannot see your SSID either. while a db could theoretically turn an IP into an SSID of a known hotspot, it can't go the other way or get the SSID directly, and if the hotspot is not known, there's no way to get the SSID at all. Also most routers will use DCHP, so the IP on file can be outdated at any time. – dandavis May 29 '16 at 04:41