FWIW, this isn’t to do with me personally at all, I’m not looking to do anything dodgy here, but this came up as a theoretical question about remote work and geographical security, and I realised I didn’t know enough about this (as an infosec noob)
Presuming:
- an employer provides the employee with their laptop
- with security software installed that enables snooping and wiping etc and,
- said employer does not want their employee to work remotely from within some undesirable geographical locations
How hard would it be for the employee to fool their employer and work from an undesirable location?
I personally figured that it’s rather plausible. Use a personal VPN configured on a personal router and then manually switch off wifi, bluetooth and automatic time zone detection. I’d presume latency analysis could be used to some extent?? But also figure two VPNs, where the second one is that provided by/for the employer, would disrupt that enough depending on the geographies involved?
What else could be done on the laptop itself? Surreptitiously turn on wiki and scan? Can there be secret GPSs? Genuinely curious!
There are ways, but the VPN/Personal Router route will thwart 99.99999% of businesses out there (For a non-cellular enabled laptop and you refuse a work phone)
The remaining .000001% that go the extra mile are going to be dealing high security, confidential secret stuff like TS gov defense contracts or something
Your cybersecurity team is going to be annoyed with you using a non-corporate VPN if you have one. Any monitoring they have will probably have something that will ping on using common VPNs, but at most companies, consequences there likely won’t make it to HR. May make it to your manager though if they think it’s a sign of compromise.
Ez-Pz, cheap VPS + VPN server
Or I think there are also VPNs that advertise using “residential IPs”, I know that’s a thing with SOCKS proxy services.
Yeah, common VPSes are monitored too, it’s a very easy add. Alert on IP ranges from a publicly maintained and easy to find list is not a hard ask. If you ran it through AWS, it would probably pass a lot of basic checks. Using residential IPs will probably get you a bit of time, but I can’t imagine there being a good way to do that without it being very hard for the VPN provider to keep up and very easy for a security company to just make a new list of IPs and assume the whole range is bad.
Your best defense here though is that your cybersecurity team probably doesn’t care that you’re doing this once it’s determined that you aren’t a malicious actor as long as you aren’t creating too many alerts.
When I use a VPN I am disconnected from anything relating to my companies network. Includes email. They use microsoft services.
When you use the VPN are you using/opening the VPN on the device itself instead of a dedicated wireless router configured with the VPN instead?
If so, that’s your problem, otherwise it’s like the other commenter said, they’re probably detecting a common VPN IP if you’re using a common service. Grab a cheap VPS in your desired location and setup a VPN server and connect to that instead
Yep, on the device itself. Thanks!
Or spin up an ec2 instance yourself and route everything from there.
Amazon can get you fixed ip for cheap.
I made devices to track wildlife via gps and an embedded simcard and GSM radio to report tracking data. It would be trivial to install a device to basically turn the laptop into one of those tracking devices. But this is beyond what a typical business would consider doing.
Depending on how accurate you want it, the simcard is plenty. If your goal is “don’t be in France”, you really don’t need more…
yea, that’s what I’d figure. However easy a GPS setup would be, most businesses are, I’d guess, relying entirely on network snooping/logs. Which, if true, seemed pretty fallible once I started thinking about it.
Most places will use IP based location services so if you use a router based VPN to appear in another place it will hide you well enough for the initial glance.
Conditional access policies may out you though. Several places will deny known VPN endpoints from logging in. But if you get a VPS hosting server and run your own endpoint you will be less likely to get nabbed by that one.GPS in laptops is almost unheard of. Sure there are specific models built for specific use cases that have them but a regular corporate laptop is not.
AGPS probably does work though for location. Many work laptops have sim cards for 5g, and that means connectivity permanence and assisted gps from cell tower triangulation.
However I know from testing things like m365 login just accepts the ip location of vpn endpoint.
My advice is it depends: and it mostly depends on the effort of the sysadmin and the level of logs they look into. The timing of the log from your vpn connection and your location. If they own the networks you did connect to, those networks will know where you are.
Use your personal device for personal things. End of story.
Oh one different situation: because I’ve been on the side of supplying logs to cyber forensic analysts as part of cyber insurance post breach, the level of scrutiny will matter. If they find you’re doing something they don’t want on work equipment near or around a cyber incident you’ll be part of the post breach recommendations. As in, what to remediate.
Skimmed most of the thread and there are a lot of guesses, the actual answer is presumably impossible given the parameters. Asset management tracking software is pretty much permanent tracking these days, screen idle time, keystrokes per minute, application focus tracking. A lot of higher end devices have gps chips in them by default, your works VPN reports it’s trace route so it will have general geographic location. Microsoft and Google cooperate accounts even offer remote hard drive wipes to protect company secrets, regardless of the location. My work gets reports of where people connect from as part of the RTO policy. We had someone working from their parents house for a few weeks and got emailed by HR asking why they were logging in from an unapproved area. Most places can pull this data, but not all of them act on it.
If you have a VPN server set up at home, and like a portable router that allows you to establish a VPN connection to your home connection… And then you connect your work machine to your portable router that’s connected to your home… Fairly certain you would always look like you’re working from home.
I was looking into this for a family member who wants to look like they’re in a location a couple hundred miles away occasionally. I think the only pitfall might be if they are made to use an authenticator that can query their GPS location in order to enact conditional policies that restrict their location.
https://learn.microsoft.com/en-us/entra/identity/conditional-access/location-condition
Yeah if you have to use the authenticator app and it has GPS you might be hosed.