SlideShare a Scribd company logo

IPvSeeYou.pdf

Y
YuChianWu

1

Engineering
1 of 44
Download to read offline
IPvSeeYou:ExploitingLeakedIdentifiersin IPv6forStreet-LevelGeolocation Erik Rye (@gigaryte, CMAND) Rob Beverly (@badcksum, CMAND) #BHUSA @BlackHatEvents @v6intel https://sixint.io
Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 2
Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 3
IPvSeeYou: Home Routers • Got IPv6 at home? (I think…) • Know how your router is configured? (we didn’t…) • What does your router reveal about you? (you might be surprised…) 4
IPvSeeYou: In a Nutshell • Routers deployed in the wild use legacy EUI-64 IPv6 addressing • Anyone (able to ping6 / traceroute6) can find router’s physical geolocation • …. with street-level precision • E.g., a subscriber’s home 2001:abcd:1234:fedc::/64 5
IPvSeeYou: Our Contributions 6 • Developed a technique to find residential routers (needle in a haystack in IPv6) • Discovered >60M routers in the wild that reveal their hardware (MAC) address • Gathered 450M BSSID -> Geolocations • Developed a technique to infer the WAN MAC -> WiFi BSSID mapping • Data fusion to geolocate IPv6 prefixes of home routers
Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 7
IPv6 Primer • IPv6: • IPv6 addresses are 128 bits • E.g., 2001:abcd:1234:fedc:fe75:16ff:fe01:2345 • Huge address space + sparsity • No way to actively probe entire IPv6 Internet, ala zmap • Even residential customers allocated a /64 (=264 addresses) • No NAT • Implication: • IPv6 is deployed differently than IPv4! 8
IPv6 “Periphery” • Device at customer premises (CPE) is a routed hop! • One subnet allocated to link between provider’s router and CPE • Different subnet allocated to customer, on other side of CPE Customer Point-to-point CPE Provider Router Subnet Subnet Router IPv6 Periphery 2001:abcd:beef:cafe::/64 2001:abcd:1234:fedc:fe75:16ff:fe01:2345 9
Background (or, IPv6 gore) • Smallest allocation, e.g., to a residential customer, is a /64 • What’s a home to do with 264 addresses? • Every device needs a unique IPv6 address • How do devices choose an address within this /64? • Today (RFC3041/4941): “privacy extensions”, i.e., random and short-lived • Legacy (RFC1971/2462): “EUI-64”, encode hardware MAC address into lower 64 bits 10
Background: EUI-64 Addresses • Recall, IEEE MAC addresses are 6 bytes, in hex: 00:11:22:33:44:55 • IPv6 EUI-64 address: • Insert ff:fe between upper and lower 3B of MAC • Invert 7th most significant bit OrganizationalUniqueIdentifier (OUI) = hardwaremanufacturer that owns block 11
Background: EUI-64 Addresses • Advantages: • Simple to implement • Guarantees (in theory) unique IPv6 address • No need for duplicate address detection (faster) • Disadvantages: • Exposes layer 2 (Ethernet address) in layer 3 (IP) • Reveals device details (hardware, vendor, etc) • Static address doesn’t change, even if device connects to new network • Globally unique -- permits tracking! 12
Background: Privacy Extensions • RFC3041, January 2001 • Generate short-lived random interface identifier • Perform duplicate address detection • Regenerate address often • For example: 2001:558:6045:1c:8c9c:5f05:ecc0:1f49 • Privacy implications of SLAAC / EUI-64 known for 20+ years • So, all devices use privacy extensions, right? 13
IPvSeeYou: Impact 1. A remote, unprivileged attack on privacy, even when end-hosts utilize IETF standardized IPv6 “privacy extensions” 2. Tool that maps IPv6 router address to geolocation 3. Precision geolocation of ~12M residential IPv6 routers and allocated IPv6 prefixes 4. Geolocation of provider last-hop infrastructure, thereby geolocating IPv6 routers that use privacy extensions 5. Responsible disclosure and vendor remediation 14
Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 15
IPvSeeYou 16
IRB & Ethical Considerations • This work combines • IPv6 addresses w/embedded MAC addresses • BSSIDs w/fine-grained geolocation data • To geolocate IPv6 addresses • Consulted with IRB • Follow all best practices to minimize any potential for harm • Publish aggregate data analysis only • Goal: ultimately improve privacy protections by highlighting this vulnerability 17
EUI-64 Address Discovery at Scale • IPv6: no NAT, in-home devices publicly addressed • Smallest IPv6 allocation a /64: • Traceroute to a random target in each /64 in a provider’s network • (Target unlikely to exist) • But, typically elicits an ICMPv6 Time Exceeded from CPE, if /64 is allocated to a customer • Traceroute is slow! use yarrp* • Found >60M EUI-64-derived MAC addresses Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) Customer CPE Provider Router Subnet Router Probe Packet 2001:abcd:beef:cafe::/64 ICMP6 Time Exceeded 2001:abcd:1234:fedc:fe75:16ff:fe01:2345 * https://www.cmand.org/yarrp Measurement VantagePoint 18
WiFi Geolocation Databases • BSSID = WiFi interface MAC address • BSSID geolocations reported by • War-drivers • wigle.net, mylnikov.net • Crowd-sourced network of millions of devices • Provides non-GPS geolocation data for other devices in ecosystem • Apple Location Services* • Google Geolocation API • Query databases and APIs for BSSIDs in same OUI as EUI-64-derived MAC addresses • Amass corpus of 450M BSSID geolocations • Union of mylnikov.net, openBMap, and openWifi.su databases combined with querying Apple Location Services and WiGLE.net APIs Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) + WiFi Geolocation Databases (Section Y.Y) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) *iSniff-GPS by Hubert Seiwert (BH 2012): https://github.com/hubert3/iSniff-GPS 19
Mapping WAN MAC to WiFi BSSID B B B B B B W W WW W W BSSIDs WAN MACs Apple, WiGLE Active Probing Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) + WiFi Geolocation Databases (Section Y.Y) 20
Mapping WAN MAC to WiFi BSSID B B B B B B W W WW W W BSSIDs WAN MACs ??? Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) + WiFi Geolocation Databases (Section Y.Y) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) 21
Mapping WAN MAC to WiFi BSSID • Mental model: • Many all-in-one CPE devices, e.g. cable modem with built-in WiFi • Many System-on-a-Chip (SoC) designs where all radios made by one company • E.g., Broadcom BCM3349 • Each interface gets its own MAC address • These MAC addresses are related • For example, +/- 1 Wired-Wireless Identifier Matching Algorithm (Section Z.Z) Street-Level IPv6 Geolocation 22
Mapping WAN MAC to WiFi BSSID • Complications • Some devices have many interfaces (WAN, LAN, 2.4GHz, 5GHz, Guest WiFi, Bluetooth, etc) • Different devices have different offsets • Naïve “nearest” match does not work • But, in the best case • WAN MAC embedded in an EUI-64 IPv6 address: 2001:c001:d00d:0211:22ff:fe00:0003 • BSSID 00:11:22:00:00:01/2 captured in WiFi geolocation database 23
Mapping WAN MAC to WiFi BSSID W B W B W B W B B 0 4 8 12 16 20 24 28 Naively,this BSSID and this WAN MAC are adjacentand belong to same device 24 End result: produce WAN-BSSID offset inference on a per-OUI basis
Mapping WAN MAC to WiFi BSSID W B W B W B W B B 0 4 8 12 16 20 24 28 Offsets differ dependingon 2.4GHz or 5GHz or guest 25 End result: produce WAN-BSSID offset inference on a per-OUI basis
Mapping WAN MAC to WiFi BSSID W B W B W B W B B 0 4 8 12 16 20 24 28 Each device allocated 7 MAC addresses True match, offset +6 26 End result: produce WAN-BSSID offset inference on a per-OUI basis
Limitations • IPv6 Collection Limitations • Some CPE devices don’t use EUI-64 IPv6 addresses • SLAAC w/Privacy Extensions, DHCPv6 addresses • Nonresponsive to ICMP6 probes • WLAN BSSID Collection Limitations • Device may not have a BSSID • Router w/o built-in WiFi • IoT devices • Devices with BSSIDs maynot be in wardriving/geolocation databases • Restrictions/lawsregardingwardriving • Correlation Limitations • MAC addresses assigned to wired and wireless interfaces non-sequential or in different OUI • Multiple offsets per OUI • 2.4/5 GHz BSSIDs complicate offset inference 27
Results • Combining our WAN MAC and BSSID data with our algorithm, we geolocated: • At least 12M unique devices of 60M total devices • In 147 countries • In 1000+ unique OUIs • Widespread use of EUI-64 IPv6 addresses cause serious location privacy concerns for individuals • CPE routers typically in homes, businesses • In this presentation, we examine geolocation results in the aggregate or introduce large error to preserve personal privacy 28
Street Level Geo Precision • Solicited volunteers with CPE using EUI-64 IPv6 addresses • They divulged internal subnet • eg 2003:ab::/56 • We traceroute to random address in internal network • Obtain WAN EUI-64 IPv6 address • Use IPvSeeYou to infer BSSID and geolocate IP address • 4 of 5 volunteer devices geolocated • < 50m geolocation accuracy • 5th device used EUI-64 IPv6 addressing but non-sequential WAN/BSSID MACs 29 Volunteer’sgeolocated device (substantialerror introduced in figure)
Results – OUI Allocations • Manufacturers frequently divide MAC address space by model* • IPvSeeYou shows this results in geographic divisions, too • MitraStar OUI shows clear bands of devices geolocated to Argentina and Peru *Decompositionof MAC Address Structure for GranularDevice Inference – Martin, Rye & Beverly, ACSAC 2016 30 cc:d4:a1:aa:bb:cc
Results – OUI Allocations • Other OUIs show consistent country geolocations • Minor regional variations oftentimes exist • Askey Corp OUI shows vast majority of geolocations in Switzerland • Swisscom, a major Swiss ISP, provides Askey routers as its standard home WLAN device 31 1c:24:cd :aa:bb:cc
Results – Comparison vs IP Geo DBs • Can infer an ISP’s coverage area • Blue • >1M geolocated Xfinity routers • Orange • Maxmind’s GeoLite database geolocation for all 1M IP addresses • Far surpasses IP geolocation database performance • IPvSeeYou geolocation matches FCC coverage map, validating methodology Inferred Comcast Xfinity service map in contiguousUS 32
Results – Comparison vs IP Geo DBs • Can infer an ISP’s coverage area • Blue • >1M geolocated Xfinity routers • Orange • Maxmind’s GeoLite database geolocation for all 1M IP addresses • Far surpasses IP geolocation database performance • IPvSeeYou geolocation matches FCC coverage map, validating methodology 33 FCC 2020 Comcast Coverage Map https://broadbandmap.fcc.gov/#/provider-detail
Results – Geolocation by Association • Assume IPv6 periphery (link from provider to customer router) has physical distance constraint • If we can geolocate EUI-64 CPE attached to provider router • We can geolocate that provider router • We can geolocate non-EUI-64 CPE attached to that same router! 34
Results – Geolocation by Association • Recall, using yarrp high-speed IPv6 traceroute • Penultimate hop is the provider’s infrastructure, e.g., cable head-end • Group geolocated EUI-64 IPv6 addresses by penultimate hop … 18 2001:558:3:25c::2 74.284 ms 19 2001:558:80:1b1::2 71.886 ms 20 2001:558:82:380d::2 72.287 ms 21 2001:558:6045:6:98cf:88bc:79ca:c366 90.986 22 2601:642:c300:963:0211:22ff:fe33:4455 82.029 Intuition: last-mile connection between provider and customer (e.g., cable head- end) is relatively short. Geolocation of CPE thus can reveal geolocation of provider infrastructure and non-EUI-64CPE! 35
Results – Geolocation by Association • First, geolocate all EUI-64 CPE(blue dots) connected to same last hop as a target non-EUI-64CPE (unknown location) • Next, find centroid & EUI-64- encompassing centroid radius (large blue circle) • Non-EUI-64 CPE inferred to within encompassing circle (orange dot known ground truth) • Simply living near EUI-64 CPE routers is a location privacy threat 36
Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 37
IPvSeeYou Tool 1. Input WAN MAC or EUI-64 IPv6 address 2. Calculates predicted BSSID value using our inferred WAN MAC – BSSID offsets 3. Queries Apple, wigle.net, or mylnikov.net for predicted BSSID value 4. Optionally outputs KML for geolocated BSSIDs 38
IPvSeeYou Demo 39
Disclosure and Remediation • Ideal remediation: stop using EUI-64 IPv6 addresses • Disclosed vulnerability to multiple vendors • Devices account for millions of geolocated CPE • Mixed results 40
Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 41
Conclusions • IPvSeeYou • Large scale data fusion attack • Combines: • EUI-64 IPv6 Addresses • Geolocated BSSIDs • To geolocate • Millions of CPE routers • Provider infrastructure • Non-EUI-64 CPE devices • Easy to prevent (don’t use EUI-64 IPv6 addresses),but: • Embedded / forgotten infrastructure that doesn’t get updated • Often *can’t* be updated • Even a single EUI-64 router can compromise privacy of non-EUI-64 devices 42
Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 43
Thanks! • IPvSeeYou • Large scale data fusion attack • To geolocate millions of CPE routers • Seeking volunteers to test / validate tool; contact us! • info@sixint.io • EUI-64 IPv6 Geolocation Tool • https://github.com/6int/IPvSeeYou 44 Questions?

Recommended

IPv6 networking training sduffy v3
IPv6 networking training sduffy v3IPv6 networking training sduffy v3
IPv6 networking training sduffy v3
Shane Duffy
 
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comInfrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
DevOps4Networks
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7
Waqas Ahmed Nawaz
 
MAC address Rohit Kumar Shah.pptx
MAC address Rohit Kumar Shah.pptxMAC address Rohit Kumar Shah.pptx
MAC address Rohit Kumar Shah.pptx
RohitKumarShah6
 
BLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev ScoutBLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev Scout
yeokm1
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2
ehsan nazer
 
Computer Networking: A Top-Down Approach
Computer Networking: A Top-Down Approach Computer Networking: A Top-Down Approach
Computer Networking: A Top-Down Approach
PolRobinson
 
PicoScenes Tutorial @ CPS-IOT Week 2022
PicoScenes Tutorial @ CPS-IOT Week 2022PicoScenes Tutorial @ CPS-IOT Week 2022
PicoScenes Tutorial @ CPS-IOT Week 2022
Zhiping Jiang
 

Recommended

IPv6 networking training sduffy v3
IPv6 networking training sduffy v3IPv6 networking training sduffy v3
IPv6 networking training sduffy v3
Shane Duffy
 
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.comInfrastructure API Lightning Talk by Jeremy Pollard of box.com
Infrastructure API Lightning Talk by Jeremy Pollard of box.com
DevOps4Networks
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 7
Waqas Ahmed Nawaz
 
MAC address Rohit Kumar Shah.pptx
MAC address Rohit Kumar Shah.pptxMAC address Rohit Kumar Shah.pptx
MAC address Rohit Kumar Shah.pptx
RohitKumarShah6
 
BLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev ScoutBLE Localiser (Full) for iOS Dev Scout
BLE Localiser (Full) for iOS Dev Scout
yeokm1
 
Cisco presentation2
Cisco presentation2Cisco presentation2
Cisco presentation2
ehsan nazer
 
Computer Networking: A Top-Down Approach
Computer Networking: A Top-Down Approach Computer Networking: A Top-Down Approach
Computer Networking: A Top-Down Approach
PolRobinson
 
PicoScenes Tutorial @ CPS-IOT Week 2022
PicoScenes Tutorial @ CPS-IOT Week 2022PicoScenes Tutorial @ CPS-IOT Week 2022
PicoScenes Tutorial @ CPS-IOT Week 2022
Zhiping Jiang
 
fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
FernandoGont
 
Module3
Module3Module3
Module3
Naresh Gotad
 
CCNAS :Multi Area OSPF
CCNAS :Multi Area OSPFCCNAS :Multi Area OSPF
CCNAS :Multi Area OSPF
rooree29
 
Routing of netwok protocls and how .pptx
Routing of netwok protocls and how .pptxRouting of netwok protocls and how .pptx
Routing of netwok protocls and how .pptx
sayidkhalif
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
Dan Kaminsky
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
Musa Stephen HONLUE
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
EdgeUno
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
Progreso Training
 
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
kmjanjua19
 
Configuring IPv4 and IPv6 Addressing to STEM
Configuring IPv4 and IPv6 Addressing to STEMConfiguring IPv4 and IPv6 Addressing to STEM
Configuring IPv4 and IPv6 Addressing to STEM
Johnny Jean Tigas
 
MULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKSMULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKS
Kathirvel Ayyaswamy
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8
Waqas Ahmed Nawaz
 
network design 7.pptx
network design 7.pptxnetwork design 7.pptx
network design 7.pptx
aida alsamawi
 
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
Wi-Fi Denver OWASP Presentation Feb. 15, 2017Wi-Fi Denver OWASP Presentation Feb. 15, 2017
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
keyalea
 
IPv6 Development in ITB 2013
IPv6 Development in ITB 2013IPv6 Development in ITB 2013
IPv6 Development in ITB 2013
Affan Basalamah
 
Network Fundamentals: Ch6 - Addressing the Network IP v4
Network Fundamentals: Ch6 - Addressing the Network IP v4Network Fundamentals: Ch6 - Addressing the Network IP v4
Network Fundamentals: Ch6 - Addressing the Network IP v4
Abdelkhalik Mosa
 
IPv4 adressing
IPv4 adressingIPv4 adressing
IPv4 adressing
AssemNazirova2
 
Hari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITY
Hari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITYHari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITY
Hari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITY
IGN MANTRA
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
Zivaro Inc
 
ITN_Module_9.pptx
ITN_Module_9.pptxITN_Module_9.pptx
ITN_Module_9.pptx
SomEducationonline
 
lecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdflecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdf
YuChianWu
 
lecture02_LinearRegression.pdf
lecture02_LinearRegression.pdflecture02_LinearRegression.pdf
lecture02_LinearRegression.pdf
YuChianWu
 

More Related Content

Similar to IPvSeeYou.pdf

Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
Dan Kaminsky
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
EdgeUno
 
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
kmjanjua19
 

Similar to IPvSeeYou.pdf (20)

fgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdffgont-h2hc-2020-ipv6-security.pdf
fgont-h2hc-2020-ipv6-security.pdf
 
Module3
Module3Module3
Module3
 
CCNAS :Multi Area OSPF
CCNAS :Multi Area OSPFCCNAS :Multi Area OSPF
CCNAS :Multi Area OSPF
 
Routing of netwok protocls and how .pptx
Routing of netwok protocls and how .pptxRouting of netwok protocls and how .pptx
Routing of netwok protocls and how .pptx
 
Bh fed-03-kaminsky
Bh fed-03-kaminskyBh fed-03-kaminsky
Bh fed-03-kaminsky
 
AF-23- IPv6 Security_Final
AF-23- IPv6 Security_FinalAF-23- IPv6 Security_Final
AF-23- IPv6 Security_Final
 
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 SecurityFernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
Fernando Gont - The Hack Summit 2021 - State of the Art in IPv6 Security
 
IPv6 Security
IPv6 SecurityIPv6 Security
IPv6 Security
 
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
70-410_r2_lecture_slides_lehjhjkhjkhjhkjhjkhkjsson_10.pptx
 
Configuring IPv4 and IPv6 Addressing to STEM
Configuring IPv4 and IPv6 Addressing to STEMConfiguring IPv4 and IPv6 Addressing to STEM
Configuring IPv4 and IPv6 Addressing to STEM
 
MULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKSMULTIMEDIA COMMUNICATION & NETWORKS
MULTIMEDIA COMMUNICATION & NETWORKS
 
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8
CCNA (R & S) Module 01 - Introduction to Networks - Chapter 8
 
network design 7.pptx
network design 7.pptxnetwork design 7.pptx
network design 7.pptx
 
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
Wi-Fi Denver OWASP Presentation Feb. 15, 2017Wi-Fi Denver OWASP Presentation Feb. 15, 2017
Wi-Fi Denver OWASP Presentation Feb. 15, 2017
 
IPv6 Development in ITB 2013
IPv6 Development in ITB 2013IPv6 Development in ITB 2013
IPv6 Development in ITB 2013
 
Network Fundamentals: Ch6 - Addressing the Network IP v4
Network Fundamentals: Ch6 - Addressing the Network IP v4Network Fundamentals: Ch6 - Addressing the Network IP v4
Network Fundamentals: Ch6 - Addressing the Network IP v4
 
IPv4 adressing
IPv4 adressingIPv4 adressing
IPv4 adressing
 
Hari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITY
Hari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITYHari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITY
Hari 2 BIMTEK ACEH WARDRIVING dan WIRELESS SECURITY
 
IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013IPv6 Security - Hacker Halted 2013
IPv6 Security - Hacker Halted 2013
 
ITN_Module_9.pptx
ITN_Module_9.pptxITN_Module_9.pptx
ITN_Module_9.pptx
 

More from YuChianWu

lecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdflecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdf
YuChianWu
 
lecture02_LinearRegression.pdf
lecture02_LinearRegression.pdflecture02_LinearRegression.pdf
lecture02_LinearRegression.pdf
YuChianWu
 
week13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdfweek13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdf
YuChianWu
 
week14_segmentation.pdf
week14_segmentation.pdfweek14_segmentation.pdf
week14_segmentation.pdf
YuChianWu
 
week10_Reinforce.pdf
week10_Reinforce.pdfweek10_Reinforce.pdf
week10_Reinforce.pdf
YuChianWu
 
week12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdfweek12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdf
YuChianWu
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
YuChianWu
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
YuChianWu
 
Lets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdfLets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdf
YuChianWu
 
A-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdfA-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdf
YuChianWu
 
kolmogorov_foundations.pdf
kolmogorov_foundations.pdfkolmogorov_foundations.pdf
kolmogorov_foundations.pdf
YuChianWu
 
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdfIntroductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
YuChianWu
 

More from YuChianWu (12)

lecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdflecture04_mle_svm_multiclass_pca.pdf
lecture04_mle_svm_multiclass_pca.pdf
 
lecture02_LinearRegression.pdf
lecture02_LinearRegression.pdflecture02_LinearRegression.pdf
lecture02_LinearRegression.pdf
 
week13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdfweek13_yolo_mobilenet.pdf
week13_yolo_mobilenet.pdf
 
week14_segmentation.pdf
week14_segmentation.pdfweek14_segmentation.pdf
week14_segmentation.pdf
 
week10_Reinforce.pdf
week10_Reinforce.pdfweek10_Reinforce.pdf
week10_Reinforce.pdf
 
week12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdfweek12_cv_intro_and_r-cnn.pdf
week12_cv_intro_and_r-cnn.pdf
 
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdfFragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
Fragattacks-Breaking-Wi-Fi-Through-Fragmentation-And-Aggregation.pdf
 
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
Im-A-Hacker-Get-Me-Out-Of-Here-Breaking-Network-Segregation-Using-Esoteric-Co...
 
Lets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdfLets-Attack-Lets_Encrypt.pdf
Lets-Attack-Lets_Encrypt.pdf
 
A-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdfA-Hole-in-the-Tube.pdf
A-Hole-in-the-Tube.pdf
 
kolmogorov_foundations.pdf
kolmogorov_foundations.pdfkolmogorov_foundations.pdf
kolmogorov_foundations.pdf
 
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdfIntroductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
Introductory Real Analysis (A. N. Kolmogorov, S. V. Fomin etc.) (z-lib.org).pdf
 

Recently uploaded

Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
amitlee9823
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
dollysharma2066
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
SUHANI PANDEY
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
roncy bisnoi
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
Epec Engineered Technologies
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
9953056974 Low Rate Call Girls In Saket, Delhi NCR
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
Kamal Acharya
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
Call Girls in Nagpur High Profile Call Girls
 

Recently uploaded (20)

Introduction to Serverless with AWS Lambda
Introduction to Serverless with AWS LambdaIntroduction to Serverless with AWS Lambda
Introduction to Serverless with AWS Lambda
 
Thermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . pptThermal Engineering Unit - I & II . ppt
Thermal Engineering Unit - I & II . ppt
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night StandCall Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
Call Girls In Bangalore ☎ 7737669865 🥵 Book Your One night Stand
 
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
FULL ENJOY Call Girls In Mahipalpur Delhi Contact Us 8377877756
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort ServiceCall Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
Call Girls in Ramesh Nagar Delhi 💯 Call Us 🔝9953056974 🔝 Escort Service
 
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
VIP Model Call Girls Kothrud ( Pune ) Call ON 8005736733 Starting From 5K to ...
 
Thermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.pptThermal Engineering -unit - III & IV.ppt
Thermal Engineering -unit - III & IV.ppt
 
Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086Minimum and Maximum Modes of microprocessor 8086
Minimum and Maximum Modes of microprocessor 8086
 
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance BookingCall Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
Call Girls Wakad Call Me 7737669865 Budget Friendly No Advance Booking
 
Unleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leapUnleashing the Power of the SORA AI lastest leap
Unleashing the Power of the SORA AI lastest leap
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
Standard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power PlayStandard vs Custom Battery Packs - Decoding the Power Play
Standard vs Custom Battery Packs - Decoding the Power Play
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
Call Now ≽ 9953056974 ≼🔝 Call Girls In New Ashok Nagar ≼🔝 Delhi door step de...
 
22-prompt engineering noted slide shown.pdf
22-prompt engineering noted slide shown.pdf22-prompt engineering noted slide shown.pdf
22-prompt engineering noted slide shown.pdf
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
(INDIRA) Call Girl Bhosari Call Now 8617697112 Bhosari Escorts 24x7
 
Double Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torqueDouble Revolving field theory-how the rotor develops torque
Double Revolving field theory-how the rotor develops torque
 

IPvSeeYou.pdf

  • 1. IPvSeeYou:ExploitingLeakedIdentifiersin IPv6forStreet-LevelGeolocation Erik Rye (@gigaryte, CMAND) Rob Beverly (@badcksum, CMAND) #BHUSA @BlackHatEvents @v6intel https://sixint.io
  • 2. Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 2
  • 3. Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 3
  • 4. IPvSeeYou: Home Routers • Got IPv6 at home? (I think…) • Know how your router is configured? (we didn’t…) • What does your router reveal about you? (you might be surprised…) 4
  • 5. IPvSeeYou: In a Nutshell • Routers deployed in the wild use legacy EUI-64 IPv6 addressing • Anyone (able to ping6 / traceroute6) can find router’s physical geolocation • …. with street-level precision • E.g., a subscriber’s home 2001:abcd:1234:fedc::/64 5
  • 6. IPvSeeYou: Our Contributions 6 • Developed a technique to find residential routers (needle in a haystack in IPv6) • Discovered >60M routers in the wild that reveal their hardware (MAC) address • Gathered 450M BSSID -> Geolocations • Developed a technique to infer the WAN MAC -> WiFi BSSID mapping • Data fusion to geolocate IPv6 prefixes of home routers
  • 7. Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 7
  • 8. IPv6 Primer • IPv6: • IPv6 addresses are 128 bits • E.g., 2001:abcd:1234:fedc:fe75:16ff:fe01:2345 • Huge address space + sparsity • No way to actively probe entire IPv6 Internet, ala zmap • Even residential customers allocated a /64 (=264 addresses) • No NAT • Implication: • IPv6 is deployed differently than IPv4! 8
  • 9. IPv6 “Periphery” • Device at customer premises (CPE) is a routed hop! • One subnet allocated to link between provider’s router and CPE • Different subnet allocated to customer, on other side of CPE Customer Point-to-point CPE Provider Router Subnet Subnet Router IPv6 Periphery 2001:abcd:beef:cafe::/64 2001:abcd:1234:fedc:fe75:16ff:fe01:2345 9
  • 10. Background (or, IPv6 gore) • Smallest allocation, e.g., to a residential customer, is a /64 • What’s a home to do with 264 addresses? • Every device needs a unique IPv6 address • How do devices choose an address within this /64? • Today (RFC3041/4941): “privacy extensions”, i.e., random and short-lived • Legacy (RFC1971/2462): “EUI-64”, encode hardware MAC address into lower 64 bits 10
  • 11. Background: EUI-64 Addresses • Recall, IEEE MAC addresses are 6 bytes, in hex: 00:11:22:33:44:55 • IPv6 EUI-64 address: • Insert ff:fe between upper and lower 3B of MAC • Invert 7th most significant bit OrganizationalUniqueIdentifier (OUI) = hardwaremanufacturer that owns block 11
  • 12. Background: EUI-64 Addresses • Advantages: • Simple to implement • Guarantees (in theory) unique IPv6 address • No need for duplicate address detection (faster) • Disadvantages: • Exposes layer 2 (Ethernet address) in layer 3 (IP) • Reveals device details (hardware, vendor, etc) • Static address doesn’t change, even if device connects to new network • Globally unique -- permits tracking! 12
  • 13. Background: Privacy Extensions • RFC3041, January 2001 • Generate short-lived random interface identifier • Perform duplicate address detection • Regenerate address often • For example: 2001:558:6045:1c:8c9c:5f05:ecc0:1f49 • Privacy implications of SLAAC / EUI-64 known for 20+ years • So, all devices use privacy extensions, right? 13
  • 14. IPvSeeYou: Impact 1. A remote, unprivileged attack on privacy, even when end-hosts utilize IETF standardized IPv6 “privacy extensions” 2. Tool that maps IPv6 router address to geolocation 3. Precision geolocation of ~12M residential IPv6 routers and allocated IPv6 prefixes 4. Geolocation of provider last-hop infrastructure, thereby geolocating IPv6 routers that use privacy extensions 5. Responsible disclosure and vendor remediation 14
  • 15. Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 15
  • 17. IRB & Ethical Considerations • This work combines • IPv6 addresses w/embedded MAC addresses • BSSIDs w/fine-grained geolocation data • To geolocate IPv6 addresses • Consulted with IRB • Follow all best practices to minimize any potential for harm • Publish aggregate data analysis only • Goal: ultimately improve privacy protections by highlighting this vulnerability 17
  • 18. EUI-64 Address Discovery at Scale • IPv6: no NAT, in-home devices publicly addressed • Smallest IPv6 allocation a /64: • Traceroute to a random target in each /64 in a provider’s network • (Target unlikely to exist) • But, typically elicits an ICMPv6 Time Exceeded from CPE, if /64 is allocated to a customer • Traceroute is slow! use yarrp* • Found >60M EUI-64-derived MAC addresses Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) Customer CPE Provider Router Subnet Router Probe Packet 2001:abcd:beef:cafe::/64 ICMP6 Time Exceeded 2001:abcd:1234:fedc:fe75:16ff:fe01:2345 * https://www.cmand.org/yarrp Measurement VantagePoint 18
  • 19. WiFi Geolocation Databases • BSSID = WiFi interface MAC address • BSSID geolocations reported by • War-drivers • wigle.net, mylnikov.net • Crowd-sourced network of millions of devices • Provides non-GPS geolocation data for other devices in ecosystem • Apple Location Services* • Google Geolocation API • Query databases and APIs for BSSIDs in same OUI as EUI-64-derived MAC addresses • Amass corpus of 450M BSSID geolocations • Union of mylnikov.net, openBMap, and openWifi.su databases combined with querying Apple Location Services and WiGLE.net APIs Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) + WiFi Geolocation Databases (Section Y.Y) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) *iSniff-GPS by Hubert Seiwert (BH 2012): https://github.com/hubert3/iSniff-GPS 19
  • 20. Mapping WAN MAC to WiFi BSSID B B B B B B W W WW W W BSSIDs WAN MACs Apple, WiGLE Active Probing Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) + WiFi Geolocation Databases (Section Y.Y) 20
  • 21. Mapping WAN MAC to WiFi BSSID B B B B B B W W WW W W BSSIDs WAN MACs ??? Active Measurement EUI-64 IPv6 Address Discovery (Section x.x) + WiFi Geolocation Databases (Section Y.Y) Wired-Wireless Identifier Matching Algorithm (Section Z.Z) 21
  • 22. Mapping WAN MAC to WiFi BSSID • Mental model: • Many all-in-one CPE devices, e.g. cable modem with built-in WiFi • Many System-on-a-Chip (SoC) designs where all radios made by one company • E.g., Broadcom BCM3349 • Each interface gets its own MAC address • These MAC addresses are related • For example, +/- 1 Wired-Wireless Identifier Matching Algorithm (Section Z.Z) Street-Level IPv6 Geolocation 22
  • 23. Mapping WAN MAC to WiFi BSSID • Complications • Some devices have many interfaces (WAN, LAN, 2.4GHz, 5GHz, Guest WiFi, Bluetooth, etc) • Different devices have different offsets • Naïve “nearest” match does not work • But, in the best case • WAN MAC embedded in an EUI-64 IPv6 address: 2001:c001:d00d:0211:22ff:fe00:0003 • BSSID 00:11:22:00:00:01/2 captured in WiFi geolocation database 23
  • 24. Mapping WAN MAC to WiFi BSSID W B W B W B W B B 0 4 8 12 16 20 24 28 Naively,this BSSID and this WAN MAC are adjacentand belong to same device 24 End result: produce WAN-BSSID offset inference on a per-OUI basis
  • 25. Mapping WAN MAC to WiFi BSSID W B W B W B W B B 0 4 8 12 16 20 24 28 Offsets differ dependingon 2.4GHz or 5GHz or guest 25 End result: produce WAN-BSSID offset inference on a per-OUI basis
  • 26. Mapping WAN MAC to WiFi BSSID W B W B W B W B B 0 4 8 12 16 20 24 28 Each device allocated 7 MAC addresses True match, offset +6 26 End result: produce WAN-BSSID offset inference on a per-OUI basis
  • 27. Limitations • IPv6 Collection Limitations • Some CPE devices don’t use EUI-64 IPv6 addresses • SLAAC w/Privacy Extensions, DHCPv6 addresses • Nonresponsive to ICMP6 probes • WLAN BSSID Collection Limitations • Device may not have a BSSID • Router w/o built-in WiFi • IoT devices • Devices with BSSIDs maynot be in wardriving/geolocation databases • Restrictions/lawsregardingwardriving • Correlation Limitations • MAC addresses assigned to wired and wireless interfaces non-sequential or in different OUI • Multiple offsets per OUI • 2.4/5 GHz BSSIDs complicate offset inference 27
  • 28. Results • Combining our WAN MAC and BSSID data with our algorithm, we geolocated: • At least 12M unique devices of 60M total devices • In 147 countries • In 1000+ unique OUIs • Widespread use of EUI-64 IPv6 addresses cause serious location privacy concerns for individuals • CPE routers typically in homes, businesses • In this presentation, we examine geolocation results in the aggregate or introduce large error to preserve personal privacy 28
  • 29. Street Level Geo Precision • Solicited volunteers with CPE using EUI-64 IPv6 addresses • They divulged internal subnet • eg 2003:ab::/56 • We traceroute to random address in internal network • Obtain WAN EUI-64 IPv6 address • Use IPvSeeYou to infer BSSID and geolocate IP address • 4 of 5 volunteer devices geolocated • < 50m geolocation accuracy • 5th device used EUI-64 IPv6 addressing but non-sequential WAN/BSSID MACs 29 Volunteer’sgeolocated device (substantialerror introduced in figure)
  • 30. Results – OUI Allocations • Manufacturers frequently divide MAC address space by model* • IPvSeeYou shows this results in geographic divisions, too • MitraStar OUI shows clear bands of devices geolocated to Argentina and Peru *Decompositionof MAC Address Structure for GranularDevice Inference – Martin, Rye & Beverly, ACSAC 2016 30 cc:d4:a1:aa:bb:cc
  • 31. Results – OUI Allocations • Other OUIs show consistent country geolocations • Minor regional variations oftentimes exist • Askey Corp OUI shows vast majority of geolocations in Switzerland • Swisscom, a major Swiss ISP, provides Askey routers as its standard home WLAN device 31 1c:24:cd :aa:bb:cc
  • 32. Results – Comparison vs IP Geo DBs • Can infer an ISP’s coverage area • Blue • >1M geolocated Xfinity routers • Orange • Maxmind’s GeoLite database geolocation for all 1M IP addresses • Far surpasses IP geolocation database performance • IPvSeeYou geolocation matches FCC coverage map, validating methodology Inferred Comcast Xfinity service map in contiguousUS 32
  • 33. Results – Comparison vs IP Geo DBs • Can infer an ISP’s coverage area • Blue • >1M geolocated Xfinity routers • Orange • Maxmind’s GeoLite database geolocation for all 1M IP addresses • Far surpasses IP geolocation database performance • IPvSeeYou geolocation matches FCC coverage map, validating methodology 33 FCC 2020 Comcast Coverage Map https://broadbandmap.fcc.gov/#/provider-detail
  • 34. Results – Geolocation by Association • Assume IPv6 periphery (link from provider to customer router) has physical distance constraint • If we can geolocate EUI-64 CPE attached to provider router • We can geolocate that provider router • We can geolocate non-EUI-64 CPE attached to that same router! 34
  • 35. Results – Geolocation by Association • Recall, using yarrp high-speed IPv6 traceroute • Penultimate hop is the provider’s infrastructure, e.g., cable head-end • Group geolocated EUI-64 IPv6 addresses by penultimate hop … 18 2001:558:3:25c::2 74.284 ms 19 2001:558:80:1b1::2 71.886 ms 20 2001:558:82:380d::2 72.287 ms 21 2001:558:6045:6:98cf:88bc:79ca:c366 90.986 22 2601:642:c300:963:0211:22ff:fe33:4455 82.029 Intuition: last-mile connection between provider and customer (e.g., cable head- end) is relatively short. Geolocation of CPE thus can reveal geolocation of provider infrastructure and non-EUI-64CPE! 35
  • 36. Results – Geolocation by Association • First, geolocate all EUI-64 CPE(blue dots) connected to same last hop as a target non-EUI-64CPE (unknown location) • Next, find centroid & EUI-64- encompassing centroid radius (large blue circle) • Non-EUI-64 CPE inferred to within encompassing circle (orange dot known ground truth) • Simply living near EUI-64 CPE routers is a location privacy threat 36
  • 37. Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 37
  • 38. IPvSeeYou Tool 1. Input WAN MAC or EUI-64 IPv6 address 2. Calculates predicted BSSID value using our inferred WAN MAC – BSSID offsets 3. Queries Apple, wigle.net, or mylnikov.net for predicted BSSID value 4. Optionally outputs KML for geolocated BSSIDs 38
  • 40. Disclosure and Remediation • Ideal remediation: stop using EUI-64 IPv6 addresses • Disclosed vulnerability to multiple vendors • Devices account for millions of geolocated CPE • Mixed results 40
  • 41. Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 41
  • 42. Conclusions • IPvSeeYou • Large scale data fusion attack • Combines: • EUI-64 IPv6 Addresses • Geolocated BSSIDs • To geolocate • Millions of CPE routers • Provider infrastructure • Non-EUI-64 CPE devices • Easy to prevent (don’t use EUI-64 IPv6 addresses),but: • Embedded / forgotten infrastructure that doesn’t get updated • Often *can’t* be updated • Even a single EUI-64 router can compromise privacy of non-EUI-64 devices 42
  • 43. Outline • Overview • Background • IPvSeeYou • Tool and Demo • Conclusions • Questions 43
  • 44. Thanks! • IPvSeeYou • Large scale data fusion attack • To geolocate millions of CPE routers • Seeking volunteers to test / validate tool; contact us! • info@sixint.io • EUI-64 IPv6 Geolocation Tool • https://github.com/6int/IPvSeeYou 44 Questions?