IPv6 is a new vector for hacktivists and hackers to exploit, and people do not understand that devices do not work like they used to.
Peter Wood, ISACA member and CEO of penetration testers First Base Technologies, said that the majority of devices use IPv6, but he did think that a lot of corporates had got their head around what the differences were when it is implemented. “Some switched on to it and realised that the desktop and servers are already talking IPv6, unless they tell them not to,” he said.
He explained that a large enterprise with modern firewalls will block IPv4 and IPv6, but the nature of IPv6 is that once you switch it on, it will attempt to connect to servers on the internet.
“When you plug a new device into the network, the router delivers an IP address. So if you use a free WiFi, it is the cafe’s IP address that is giving it to you and when you leave you go somewhere else. With an IPv6 device, when you turn it on it connects across the internet to a pool of servers and takes an IP address it keeps, and wherever you put it, it will have the same IP address.
“It is the nature of how it works unless you block it. It makes a device visible in a way IPv4 devices are not. When you are sitting at home, your router is giving you a temporary, private address – IPv6 devices do not work like that, they have a public address immediately and are addressable immediately. As soon as you plug in you are publicly available to the internet.”
Wood said that there is a possibility that devices will “jump” across firewalls to talk to the internet without people realising. “It is not about the addressing scheme, though that was the reason for introducing it, as you can have as many devices for as many people as you can think of.
“The way that it operates can be different, so groups of IPv6 devices can assign their own IP addresses to each other without needing a central server. Now that may sound innocent but the way that they decide to take IP addresses may be outside the corporate control and that means naughty people can set up devices to talk to devices across the firewall.”
Wood said that this poses an interesting security issue as it is fundamentally about the way IPv6 works, but that people do not think about or understand how IPv6 devices are designed to pass over the firewall and are intended to seek out devices by their very nature. “Now if they are not secure devices, and mostly they will not be, then it provides a vector for attackers which corporates have not thought about or addressed yet.”
Wood explained that IPv6 will tunnel into other protocols like IPv4 and that, without intending to be malicious, it can cross secure firewalls. Low-level IPv6 devices, such as sensors in the server room that detect fire alerts, excessive heat or equipment failure, do not implement security at all.
Couple the Internet of Things with IPv6, and you have troublesome devices that go to the internet, accept requests and completely ignore your broadband router. While large corporations will know to block this, small businesses that are working behind a broadband router will not know about this at all, he said, and an IPv6-connected dumb device like a TV will not have built-in security, so someone can connect to it without your permission.
Asked if as an industry we jumped in too quickly without considering the consequences, he said that this was the case with wireless and that operated insecurely for eight years.
“Look at the technologies when they first appear; they are insecure and we build security into them or into what the device connects to and security improves. When you are talking about billions of devices designed for innocent purposes that the bad guys try to take advantage of, nobody knows about it.
“It doesn’t mean the end of the world, but it does mean that there will be clever attacks against corporations. It is not really about domestic users. If this is the case in big firms, we will end up with a lot more holes and big businesses have to allocate someone on their staff to understand IPv6 and find what they have already got on the network, and determine whether it is a security risk or not as at the moment, they are ignoring them out of ignorance.”
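As an added illustration of the inventory step Wood describes (finding which hosts already hold IPv6 addresses and which of those tunnel over IPv4 or are publicly routable), the following Python sketch classifies addresses from an asset export. It is not code from the article or from First Base Technologies; the host names, the inventory format and the `classify` and `audit` helpers are assumptions made for this example.

```python
import ipaddress

# Constructed sample inventory ("host address" per line); not data from the article.
# 2001:db8::/32 is the documentation prefix, used as a stand-in for a real global address.
INVENTORY = """\
desktop-01 10.0.4.17
desktop-01 fe80::a4c1:22ff:fe10:9b3e%eth0
desktop-01 2001:db8:40:1::15
laptop-07 2001:0:4136:e378:8000:63bf:3fff:fdd2
sensor-03 2002:c000:204::1
printer-02 fd12:3456:789a::20
"""

ULA = ipaddress.ip_network("fc00::/7")             # unique local addresses
GLOBAL_UNICAST = ipaddress.ip_network("2000::/3")  # global unicast space
REVIEW = {"teredo-tunnel", "6to4-tunnel", "global"}  # kinds that reach past the LAN

def classify(text):
    """Return (kind, detail) for an IPv6 address string, or None for IPv4."""
    addr = ipaddress.ip_address(text.split("%", 1)[0])  # drop any zone id
    if addr.version != 6:
        return None
    if addr.teredo:  # 2001::/32, IPv6 carried inside IPv4 UDP
        server, client = addr.teredo
        return ("teredo-tunnel", f"server {server}, client {client}")
    if addr.sixtofour:  # 2002::/16, IPv6 carried inside IPv4 protocol 41
        return ("6to4-tunnel", f"embedded IPv4 {addr.sixtofour}")
    if addr.is_link_local:
        return ("link-local", "on-link only")
    if addr in ULA:
        return ("unique-local", "not routed on the internet")
    if addr in GLOBAL_UNICAST:
        return ("global", "publicly routable; check the IPv6 firewall policy")
    return ("other", "")

def audit(inventory):
    """List (host, address, kind, detail) for addresses that need a policy review."""
    findings = []
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, text = line.split()
        result = classify(text)
        if result and result[0] in REVIEW:
            findings.append((host, text, *result))
    return findings

if __name__ == "__main__":
    for finding in audit(INVENTORY):
        print(*finding, sep="  ")
```

Link-local and unique-local addresses are left out of the findings because they are not reachable from the internet; the tunnel and global entries are the ones to compare against the firewall rules.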
Dan Raywood is editor of The IT Security Guru