Lack of IPv6 Awareness Could Leave Users Vulnerable to Phishing, Researchers Say
Lagging adoption and awareness of IPv6 could leave some users open to redirect attacks, researchers at Neophasis Security Systems told us. Networks that aren’t expecting IPv6 activity may not have IPv6 defenses, creating potential vulnerabilities, they said. But John Brzozowski, chief IPv6 architect for Comcast, said in most cases IPv6 vulnerabilities parallel those in IPv4. He said the minimal security risks don’t outweigh the benefits of moving toward IPv6 as quickly as possible.
Not all security tools and devices support IPv6, said a 2012 SANS Institute report on the topic (http://bit.ly/1a5o0cP). “Some firewalls, and intrusion detection and prevention systems can detect malicious IPv4 data traffic, but the attacker may potentially bypass the control and detection mechanisms by sending malicious IPv6 data traffic.” IPv6 enlarges the address space and changes fields in the header, both of which affect security. In some ways, IPv6 is more secure: Attacks that were easy on IPv4 can be time-consuming to set up across IPv6’s much larger address space, the report said. But network administrators must also reconfigure firewalls and intrusion detection systems to support the new protocol, it said. Scanning for open ports or vulnerabilities, for example, must be done with a scanner that supports IPv6.
Some attacks parallel those in IPv4, but some are specific to the new protocol, said Brent Bandelgar and Scott Behrens, security consultants for Neophasis. Their research automated a Stateless Address Autoconfiguration (SLAAC) attack, in which an attacker first gains physical access to a network that runs IPv4 (http://bit.ly/14exzOA). The subsequent attack takes advantage of several operating systems, including Windows Vista, Windows 7 and Windows 8, that automatically search for and prefer IPv6 networks. “An attacker performing the SLAAC attack would set up a device to advertise an IPv6 connection to the users’ devices, which will then make all of their Internet connections through the attacker,” Bandelgar told us. “If the attacker is successful, the users will not know that their connections are being intercepted.” The attacker could then inject malware and spyware or set up fake websites to steal password and credit card information, he said.
“Many organizations mistakenly believe that having only IPv4 means that IPv6 monitoring and defenses are not needed,” Bandelgar said. “This provides a massive blind spot as organizations, let alone consumers, would not have any way of detecting IPv6 traffic or any malicious activity done through IPv6.” Many enterprises don’t even realize they’re searching for IPv6 connections, Behrens told us. Few have the monitoring capabilities to really detect what occurs over IPv6, he said. “What’s really interesting is that a lot of this has been theoretical for so long, and we just haven’t seen it in the wild,” Behrens said. “But it could be happening; it’s so transparent. Maybe it’s happening and we just don’t know. Detecting this type of attack would actually be really challenging.” Behrens said other security professionals to whom he presented the SLAAC attack, at several recent conferences including DEF CON 21, seemed surprised at how simply it could be deployed and how immediate a threat it presented.
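The blind spot Bandelgar and Behrens describe is closable with passive monitoring: the rogue device in the attack above has to send ICMPv6 Router Advertisements, and an IPv4-only segment should never see any. The script below is an added example, not code from the article, from Neophasis or from the SANS report. It parses the ICMPv6 body of a Router Advertisement as laid out in RFC 4861 (fixed header, then TLV options: source link-layer address, prefix information, and RDNSS from RFC 8106) and raises an alert when the advertising MAC is not on a defender-maintained allowlist. The allowlist, the MAC addresses, the prefixes and the packet bytes are all constructed for the example; in practice the bytes would come from a capture tool feeding the parser.

```python
"""Passive rogue Router Advertisement (RA) detector.

Added example, not code from the article or from Neophasis: it parses the
ICMPv6 body of Router Advertisements (RFC 4861) taken from a capture and flags
any advertisement whose source link-layer address is not on the defender's
allowlist of legitimate routers. On an IPv4-only segment that allowlist is
empty, so every RA is an alert.
"""
import ipaddress
import struct
from dataclasses import dataclass, field
from typing import FrozenSet, List, Optional

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_SOURCE_LINK_LAYER = 1      # RFC 4861 section 4.6.1
OPT_PREFIX_INFORMATION = 3     # RFC 4861 section 4.6.2
OPT_RDNSS = 25                 # RFC 8106 section 5.1


@dataclass
class RouterAdvertisement:
    src_mac: Optional[str]
    router_lifetime: int                     # 0 means "not a default router"
    prefixes: List[str] = field(default_factory=list)
    dns_servers: List[str] = field(default_factory=list)


def parse_router_advertisement(payload: bytes) -> RouterAdvertisement:
    """Parse an ICMPv6 RA body: 16-byte fixed header followed by TLV options."""
    if len(payload) < 16:
        raise ValueError("too short for a Router Advertisement")
    icmp_type, code, _csum, _hop_limit, _flags, lifetime = struct.unpack("!BBHBBH", payload[:8])
    if icmp_type != ICMPV6_ROUTER_ADVERTISEMENT or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = RouterAdvertisement(src_mac=None, router_lifetime=lifetime)
    offset = 16                                # skip reachable time and retrans timer
    while offset + 2 <= len(payload):
        opt_type, opt_len = payload[offset], payload[offset + 1]
        if opt_len == 0:
            raise ValueError("option with zero length")   # RFC 4861: discard the packet
        length = opt_len * 8                   # option length is in units of 8 octets
        if offset + length > len(payload):
            raise ValueError("truncated option")
        body = payload[offset + 2:offset + length]
        if opt_type == OPT_SOURCE_LINK_LAYER and len(body) >= 6:
            ra.src_mac = ":".join(f"{b:02x}" for b in body[:6])
        elif opt_type == OPT_PREFIX_INFORMATION and len(body) == 30:
            # prefix length(1) flags(1) valid(4) preferred(4) reserved(4) prefix(16)
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[14:30])}/{body[0]}")
        elif opt_type == OPT_RDNSS and len(body) >= 22:
            addrs = body[6:]                   # reserved(2) lifetime(4), then 16-byte addresses
            for i in range(0, len(addrs) - len(addrs) % 16, 16):
                ra.dns_servers.append(str(ipaddress.IPv6Address(addrs[i:i + 16])))
        offset += length
    return ra


def assess(ra: RouterAdvertisement, known_routers: FrozenSet[str]) -> List[str]:
    """Return alert lines; an empty list means the RA came from an allowlisted router."""
    if ra.src_mac in known_routers:
        return []
    segment = "IPv4-only segment" if not known_routers else "segment"
    alerts = [f"RA from unlisted router {ra.src_mac} on {segment}"]
    if ra.router_lifetime > 0:
        alerts.append(f"claims default-router role for {ra.router_lifetime} s")
    for p in ra.prefixes:
        alerts.append(f"offers SLAAC prefix {p}")
    for d in ra.dns_servers:
        alerts.append(f"pushes DNS server {d} via RDNSS")
    return alerts


def build_sample_ra(src_mac: bytes, prefix: str, dns: Optional[str], lifetime: int = 1800) -> bytes:
    """Serialize a constructed RA body as test input for the parser (never transmitted)."""
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0, 64, 0, lifetime, 0, 0)
    opts = bytes([OPT_SOURCE_LINK_LAYER, 1]) + src_mac
    net = ipaddress.IPv6Network(prefix)
    opts += struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    if dns:
        opts += struct.pack("!BBHI", OPT_RDNSS, 3, 0, 1800) + ipaddress.IPv6Address(dns).packed
    return header + opts


if __name__ == "__main__":
    legit = frozenset({"02:00:00:00:00:01"})          # constructed allowlist
    # Constructed sample: an RA from a link-layer address not on the allowlist.
    sample = build_sample_ra(bytes.fromhex("0200000000aa"), "2001:db8:1::/64", "2001:db8::53")
    for line in assess(parse_router_advertisement(sample), legit):
        print("ALERT:", line)
```

The allowlist is keyed on the source link-layer address because that is what the advertising device cannot easily omit while still being accepted as a router. On managed switches the same policy is normally enforced in-line as RA Guard (RFC 6105); the script is the log-side counterpart for segments where that is not available, which is exactly the IPv4-only case the researchers are describing.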
Bandelgar and Behrens recommend a simple fix to the problem, but one that Comcast’s Brzozowski said is problematic. Bandelgar and Behrens told us they believe enterprises and consumers should disable the automatic IPv6 searching on their devices, unless they have deployed and are using mostly IPv6, since simply having an IPv6 network will stop this version of the SLAAC attack. The researchers said they realize the need for increased adoption of IPv6, but want to see proper firewalls, access control, logging and monitoring, and intrusion detection and prevention systems in place first. IPv6-enabled security mechanisms exist, they said, but often only for high-end systems. “Unfortunately, we don’t want to take too many steps back, but if you turn it off, and build out your infrastructure, then you can turn it back on,” Behrens said.
Brzozowski cautioned that users may not be so vulnerable to SLAAC attacks. Since it requires physical access to a network, attackers would have to enter a home or business to set up the fraudulent sites, he said. Though the attack could be carried out over a public Wi-Fi connection, Brzozowski said, “you’re basically standing there with your shorts down anyhow.” He compared worrying about SLAAC attacks over public connections to worrying about getting a penny stolen in a particularly crime-ridden area. He said the protocols aren’t different enough to warrant turning off the capability. “It’s very much an exaggeration to say v6 has all these security issues,” he said. “For many of the cases, if the problem exists in v6, it probably exists in v4, too.” Certain specific subsets of the v6 protocol are different enough that people need to take extra care, he said, pointing to router advertisement and neighbor discovery over IPv6, neither of which has a direct parallel in IPv4. Companies deploying their own 6to4 relays might also require different security mechanisms, he said, depending on what they send over the relay.
Warnings about security problems like this “could have an adverse effect,” Brzozowski said. “It’s not the right thing to do. People shouldn’t prevent others from advancing their own deployment.” He said the IPv6 adoption effort needs people to keep those IPv6 searching technologies enabled. It isn’t as if there are no side effects to remaining on an IPv4 system, he said. “If you don’t deploy IPv6, people are going to start deploying carrier-grade [network address translation], and if people don’t think those are serious side effects, then they’re awfully wrong.” -- Erin Mershon (emershon@warren-news.com)