A Single Legacy IPv6 Address On Your Network Can Spoil Your Security
One Bad Apple Spoils The Bunch
There is a new research paper out from a collaboration of academics with good taste in titles explains how a single device on your network using a legacy EUI-64 IPv6 address can ruin the security of every other device on your network; not just itself. As you should expect by now this will apply to just about every single IoT device ever sold, from doorbells through toasters to TVs. The vulnerability defeats the obfuscation of your devices hardware addresses, which means someone cant only track your devices over the web no matter how many IP refreshes you perform.
EUI-64 was used as a way to generate the host portion of an IPv6 address for a device using it’s MAC address, which was deprecated after it was realized that revealing hardware identification over the network layer is a bad idea. It was replaced with DHCPv6 and stateless address auto-configuration (SLAAC), which allowed a device to generate it’s own host portion to append to the prefix provided by your router, or your ISP. The problem is that IoT makers never bothered to update to either of those protocols, even on new devices.
The Register has posted an example of how this can be used to breach your network security. The first time your personal network reaches out to the internet and connects to a CDN, IPv6 address are generated, with the same end-user prefix for both a TV and laptop. The laptop uses SLAAC to generate a random host address but uses the same prefix as the TV. The next day, the laptop generates a new IPv6 address but the TV does not because the address is generated from the MAC address. This means that no matter how many times your laptops address changes, because it is on the same network as the TV it can be associated back to the original IP address and your usage can now be tracked.
A single device within an IPv6 home network can reduce the privacy of every computer, handheld, and other gadget on that network, enabling all devices to be tracked around the internet, even those with IPv6 privacy protections.
More Tech News From Around The Web
- This is a BlackCat you don’t want crossing your path @ The Register
- Kioxia CD8 PCIe Gen5 NVMe SSDs Prepare for Next-Gen Servers @ ServeTheHome
- Wireshark HTTPS Decryption @ Hackaday
- Roku OS 11 Will Let You Set Your Own Photos as a Screensaver @ Slashdot
- The New-Phone Blues: A Reminder That Hackers Shouldn’t Settle @ Hackaday
- NVIDIA Launches ‘Hopper’ AI-focused GPU Architecture @ Techgage
- Two-Dimensional Polymer Is A New Ultra-Strong Material @ Hackaday
- Calgarians Detail Life With an Electricity Load Limiter @ Slashdot
- Ursa Major says its Hadley engine supports vertical launch and hypersonic uses @ Ars Technica
- Microsoft Says Digital Extortion Gang Lapsus$ Targets Cryptocurrency, Too @ Slashdot