The so-called privacy extensions for the Internet protocol IPv6 only partially keep their promise of concealing the surfing behavior of users. With the data protection extension, additional, randomly generated and changing IPv6 addresses can be created. This is intended to help prevent ongoing tracking of the Internet activities of individuals. Using the example of a large European access provider, researchers at the Mack Planck Institute for Computer Science and the TU Delft have found that up to 19 percent of the participants can be unmasked comparatively easily.
“A rotten apple can ruin your IPv6 privacy,” is the title of the scientists’ recently published analysis. According to this, providers around the world are increasingly using IPv6 in their networks. One reason for this is the constantly growing number of networked devices. A poorly configured device that uses old IPv6 addressing schemes can undermine the IPv6 Privacy Extensions.
According to the study, these misconfigurations can enable third parties such as content delivery networks (CDN) or large service providers to track a user’s Internet ID over the long term and permanently. The stumbling block: Computers can use the unique hardware address (MAC) of the respective network card for automatic address setup. Such static IPv6 addresses act like a unique hardware ID that the computer transmits every time it contacts an IPv6-capable server.
MAC address allows identification
This is explosive with devices such as tablets or smartphones, because they are usually only used by one person. The MAC address, which is accessible to every server operator and network observer, makes it possible to recognize this user. Data protectionists therefore warned early on against comprehensive profiling via tracking. The Privacy Extensions for IPv6 should help against this. Deutsche Telekom released a “Privacy Button” in 2011 to make it easy to use. This partially changes the network prefix required for routing data packets and adjustable by the provider in order to make tracking even more difficult.
With providers that use this form of prefix assignment, the customer device of a subscriber receives an addition, the authors explain. This is usually an 8-bit, flexible network prefix. The remaining 64 bits of the overall address belong to the device ID, which is usually generated by the device itself in the home network with IPv6 (“/64 prefix”).
Interface identifier as ID for tracking
The home devices can obtain their IPv6 addresses either via the management protocol DHCPv6 or the counterpart Stateless Address Autoconfiguration (SLAAC). With SLAAC, the customer device or router advertises the prefix, and each client generates its IPv6 address using either the standard MAC aka EUI-64 or IPv6 privacy extensions. This process is repeated each time the provider rotates the prefix and delegates a new /56 prefix to the home device. As a result, the devices renew their IPv6 addresses as soon as the prefix changes.
However, if a laptop in a household uses the data protection extension and, for example, the smart TV EUI-64, the interface ID of the latter remains the same with prefix rotations. For example, a content delivery network or other application can use the interface identifier of the television’s address as an ID for tracking. This would allow not only the television but also the laptop to be tracked via rotated prefixes. A single device with a standard MAC in the (W)LAN is sufficient to also track the laptop.
Stronger industry self-regulation
The researchers analyzed the IP data stream of a large European Internet provider with 15 million customers one day to find out to what extent they were affected by the privacy leak. This access provider delegates /56 prefixes to its subscribers, while the peripheral interfaces of home devices and end-user networks reside in separate /56 prefixes. Thus, a /56 prefix represents a subscriber’s local area network (LAN).
The scientists found 16.9 million IPv6 addresses with EUI-64 in their data set. By extracting the unique MAC addresses, they found 14.4 million devices with EUI-64 addressing. About 2.7 million /56 prefixes had at least one device with an EUI-64 IPv6 address. This accounts for 19 percent, or about a fifth, of all 11.3 million observed /56 prefixes.
In order to better protect the privacy of users, the authors hope for more self-regulation in the industry. The team is in the process of contacting manufacturers of devices for the Internet of Things (IoT) who still use standard MAC addresses, reports Max Planck researcher Said Jawad Saidi in a blog post. ISPs should continually monitor such data breaches and inform users of the risks. In view of the results, MEP Patrick Breyer (Pirate Party) warned against a new version of data retention: indiscriminate logging of user traces will not least affect citizens who rely on cheap IoT devices.
(bme)
