Carnegie Mellon University

vpn servers

December 12, 2018

As Advertised? Exposing Lies About VPN Server Locations

By Daniel Tkacik

Daniel Tkacik
  • College of Engineering
  • 412-268-1187

One afternoon, Zack Weinberg was conducting a study about web censorship when he noticed something a little odd.

Using Virtual Private Networks (VPNs) to route web requests from his computer in Pittsburgh through servers located in various countries of interest, Weinberg was investigating what internet users in those countries were able to see online.

“If you’re in Saudi Arabia and you try to visit a gambling website, you’re supposed to get a screen that says gambling is prohibited in Saudi Arabia,” said Weinberg, a graduate researcher in Carnegie Mellon University’s CyLab Security & Privacy Institute. “But that didn’t happen for me, even though the VPN I was using claimed to be in Saudi Arabia.”

It turns out the VPN was lying; its servers were actually located in a datacenter in Germany.

This led Weinberg to pursue a whole new study, “How to Catch when Proxies Lie: Verifying the Physical Locations of Network Proxies with Active Geolocation.” Weinberg, who is a Ph.D. student in the Department of Electrical and Computer Engineering, presented his findings at a recent ACM Internet Measurement Conference in Boston.

Beyond research purposes, many people use VPNs to circumvent eavesdropping on their internet activity that may occur in their country or to bypass restrictions on content in their country, such as a sporting event that may be “blacked out” in their location. If VPNs lie about their location, users may not get what they want.

Weinberg and his co-authors figured out a way to approximate actual locations of VPNs based on the amount of time it took for a server in the unknown location to send a packet of data to a server in a known location — generally referred to as “ping time.”

“It’s a similar principle to GPS,” Weinberg said. “You ping a server from Pittsburgh, and you learn that it took 20 milliseconds. You do this from a whole bunch of servers with known locations all over the world, draw some circles on a map, and you can see where they all intersect.”

Weinberg and his co-authors estimated the location of 2,269 proxy servers and found that one-third of the servers were “definitely not located in the advertised countries, and another third might not be.”

One VPN service in particular claimed to have servers in almost every country in the entire world, including North Korea, and “a bunch of Pacific islands that probably don’t even have cables,” Weinberg said.

But, why would a VPN service lie about where its servers are? Weinberg said it probably has to do with costs.

“It’s definitely cheaper to have many servers in one location than one server in many locations,” Weinberg said. “A secondary benefit may be that these VPN providers don’t have to do business with a country that is difficult to do business with.”

Weinberg said people using VPNs should be wary about the countries they claim to have servers in.

“If people expect their data is actually going to go through this country and it’s not going to go through this other country — if they’re genuinely trying to control which jurisdictions their traffic is subject to, which is something that comes up a lot in surveillance — then this is a big concern,” he said.

Other authors on the study included Ph.D. student Shinyoung Cho from Stony Brook University, Associate Professor Phillipa Gill from the University of Massachusetts, and CyLab faculty Nicolas Christin and Vyas Sekar.