TY - GEN
T1 - Constructing secure localization systems with adjustable granularity using commodity hardware
AU - Traynor, Patrick
AU - Schiffman, Joshua
AU - La Porta, Thomas
AU - McDaniel, Patrick
AU - Ghosh, Abhrajit
PY - 2010
Y1 - 2010
N2 - Proof of a user's identity is not always a sufficient means for making an authorization decision. In an increasing set of circumstances, knowledge of physical location provides additional and necessary context for making decisions about resource access. For example, sensitive information stored on a laptop (e.g., customer records, social security numbers, etc.) may require additional protections if a user operates outside of an approved area. However, current localization techniques based on signal strength reporting or specialized hardware fail to achieve this goal. In this paper, we design, develop, deploy and measure a system which securely determines the location of a user to within one meter using only off-the-shelf 802.11 and Bluetooth equipment. We apply this equipment in a two-phased challenge-response protocol: first determining the general area of the client in the Regionalization phase and then pinpointing it in the Localization phase. Using nearly 32,000 data points collected over 75 days, we argue that the stability of wireless networks over time creates easily distinguishable location profiles by which a client can be positioned. Additionally, we demonstrate the inherent ability of a two-phased protocol to discern a client's location information at a level of granularity no finer than is necessitated by policy. After discussing a number of applications, we build a location-based access control framework that automatically protects a white-listed set of resources through encryption when the user leaves specified areas. Our analyses show that this system provides a realistic and efficient means of incorporating unforgeable location information at the appropriate level of granularity into many authorization decisions.
UR - http://www.scopus.com/inward/record.url?scp=79551628064&partnerID=8YFLogxK
UR - http://www.scopus.com/inward/citedby.url?scp=79551628064&partnerID=8YFLogxK
U2 - 10.1109/GLOCOM.2010.5684072
DO - 10.1109/GLOCOM.2010.5684072
M3 - Conference contribution
AN - SCOPUS:79551628064
SN - 9781424456383
T3 - GLOBECOM - IEEE Global Telecommunications Conference
BT - 2010 IEEE Global Telecommunications Conference, GLOBECOM 2010
PB - Institute of Electrical and Electronics Engineers Inc.
T2 - 53rd IEEE Global Communications Conference, GLOBECOM 2010
Y2 - 6 December 2010 through 10 December 2010
ER -