WebGeoInfer: Structure-Free Multi-Stage Framework for Geolocation Inference from Exposed Device Web Interfaces

While the web interfaces of remotely managed devices offer convenience, their unstructured content can inadvertently leak geographic locations, posing a significant security risk. We aim to assess the feasibility of automatically exploiting this leakage, serving as a clear warning to cybersecurity regulators. To this end, we propose WebGeoInfer, a framework that does not rely on page structure. It extracts clues through page clustering and differential analysis to overcome the challenge of information heterogeneity. It also leverages search engines and large language models to augment sparse clues and infer precise coordinates, addressing the challenge of information sparsity. In large-scale experiments, WebGeoInfer successfully located 5,435 devices across 94 countries and 2,056 cities, achieving accuracy rates as high as 96.96% at the country level, 88.05% at the city level, and 79.70% at the street level. These findings provide the first conclusive evidence of the reality and scale of this threat. Furthermore, our analysis offers new insights and mitigation strategies for affected devices, establishing a key benchmark for future security research.