How well can an employer be certain of a remote employee's geographical location?
from to on 03 May 04:11

FWIW, this isn’t to do with me personally at all, I’m not looking to do anything dodgy here, but this came up as a theoretical question about remote work and geographical security, and I realised I didn’t know enough about this (as an infosec noob)


How hard would it be for the employee to fool their employer and work from an undesirable location?

I personally figured that it’s rather plausible. Use a personal VPN configured on a personal router and then manually switch off wifi, bluetooth and automatic time zone detection. I’d presume latency analysis could be used to some extent?? But also figure two VPNs, where the second one is that provided by/for the employer, would disrupt that enough depending on the geographies involved?

What else could be done on the laptop itself? Surreptitiously turn on wiki and scan? Can there be secret GPSs? Genuinely curious!


threaded - newest on 03 May 04:20 next collapse

I made devices to track wildlife via gps and an embedded simcard and GSM radio to report tracking data. It would be trivial to install a device to basically turn the laptop into one of those tracking devices. But this is beyond what a typical business would consider doing. on 03 May 04:29 next collapse

yea, that’s what I’d figure. However easy a GPS setup would be, most businesses are, I’d guess, relying entirely on network snooping/logs. Which, if true, seemed pretty fallible once I started thinking about it. on 03 May 05:01 collapse

Depending on how accurate you want it, the simcard is plenty. If your goal is “don’t be in France”, you really don’t need more… on 03 May 06:31 next collapse

I ran a VPN on my router, and forgot to turn it off a couple of times before logging in to work. Our work VPN recommended their VPN nodes that were close to the router VPN location. So they were just doing iplookups. I think most companies aren’t going to do much more than that. That said, if they’re determined to get your location then they can get it. You usually don’t have much control over your work computer and there are a bajillion different ways to get your real location. on 03 May 06:33 next collapse

There are ways, but the VPN/Personal Router route will thwart 99.99999% of businesses out there (For a non-cellular enabled laptop and you refuse a work phone)

The remaining .000001% that go the extra mile are going to be dealing high security, confidential secret stuff like TS gov defense contracts or something on 03 May 12:34 next collapse

Your cybersecurity team is going to be annoyed with you using a non-corporate VPN if you have one. Any monitoring they have will probably have something that will ping on using common VPNs, but at most companies, consequences there likely won't make it to HR. May make it to your manager though if they think it's a sign of compromise. on 03 May 16:20 collapse

Ez-Pz, cheap VPS + VPN server

Or I think there are also VPNs that advertise using “residential IPs”, I know that’s a thing with SOCKS proxy services. on 03 May 19:07 collapse

Yeah, common VPSes are monitored too, it's a very easy add. Alert on IP ranges from a publicly maintained and easy to find list is not a hard ask. If you ran it through AWS, it would probably pass a lot of basic checks. Using residential IPs will probably get you a bit of time, but I can't imagine there being a good way to do that without it being very hard for the VPN provider to keep up and very easy for a security company to just make a new list of IPs and assume the whole range is bad.

Your best defense here though is that your cybersecurity team probably doesn't care that you're doing this once it's determined that you aren't a malicious actor as long as you aren't creating too many alerts. on 03 May 13:46 collapse

When I use a VPN I am disconnected from anything relating to my companies network. Includes email. They use microsoft services. on 03 May 16:22 collapse

When you use the VPN are you using/opening the VPN on the device itself instead of a dedicated wireless router configured with the VPN instead?

If so, that’s your problem, otherwise it’s like the other commenter said, they’re probably detecting a common VPN IP if you’re using a common service. Grab a cheap VPS in your desired location and setup a VPN server and connect to that instead on 03 May 17:38 next collapse

Yep, on the device itself. Thanks! on 04 May 05:05 collapse

Or spin up an ec2 instance yourself and route everything from there.

Amazon can get you fixed ip for cheap. on 03 May 06:40 next collapse

Most places will use IP based location services so if you use a router based VPN to appear in another place it will hide you well enough for the initial glance.
Conditional access policies may out you though. Several places will deny known VPN endpoints from logging in. But if you get a VPS hosting server and run your own endpoint you will be less likely to get nabbed by that one.

GPS in laptops is almost unheard of. Sure there are specific models built for specific use cases that have them but a regular corporate laptop is not. on 03 May 07:07 collapse

AGPS probably does work though for location. Many work laptops have sim cards for 5g, and that means connectivity permanence and assisted gps from cell tower triangulation.

However I know from testing things like m365 login just accepts the ip location of vpn endpoint.

My advice is it depends: and it mostly depends on the effort of the sysadmin and the level of logs they look into. The timing of the log from your vpn connection and your location. If they own the networks you did connect to, those networks will know where you are.

Use your personal device for personal things. End of story. on 03 May 07:09 collapse

Oh one different situation: because I’ve been on the side of supplying logs to cyber forensic analysts as part of cyber insurance post breach, the level of scrutiny will matter. If they find you’re doing something they don’t want on work equipment near or around a cyber incident you’ll be part of the post breach recommendations. As in, what to remediate. on 04 May 05:52 next collapse

If you have a VPN server set up at home, and like a portable router that allows you to establish a VPN connection to your home connection… And then you connect your work machine to your portable router that’s connected to your home… Fairly certain you would always look like you’re working from home. on 04 May 14:42 collapse

I was looking into this for a family member who wants to look like they’re in a location a couple hundred miles away occasionally. I think the only pitfall might be if they are made to use an authenticator that can query their GPS location in order to enact conditional policies that restrict their location.…/location-condition on 04 May 19:57 collapse

Yeah if you have to use the authenticator app and it has GPS you might be hosed. on 04 May 15:00 next collapse

Skimmed most of the thread and there are a lot of guesses, the actual answer is presumably impossible given the parameters. Asset management tracking software is pretty much permanent tracking these days, screen idle time, keystrokes per minute, application focus tracking. A lot of higher end devices have gps chips in them by default, your works VPN reports it’s trace route so it will have general geographic location. Microsoft and Google cooperate accounts even offer remote hard drive wipes to protect company secrets, regardless of the location. My work gets reports of where people connect from as part of the RTO policy. We had someone working from their parents house for a few weeks and got emailed by HR asking why they were logging in from an unapproved area. Most places can pull this data, but not all of them act on it. on 04 May 20:16 collapse