IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation

Conference: BlackHat USA 2021

2021-08-05

Summary

IPvSeeYou is a data fusion attack against residential home routers running IPv6 that provides street-level geolocation by exploiting leaked identifiers in IPv6. The attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address. By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them, fusing virtual data with meatspace.
  • IPvSeeYou exploits leaked identifiers in IPv6 for street-level geolocation of residential home routers
  • The attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address
  • By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them
  • IPvSeeYou can find tens of millions of deployed CPE with EUI-64 addresses and map them to a precise geolocation
IPvSeeYou can remotely geolocate residential home routers with street-level precision by exploiting leaked identifiers in IPv6. This is done by correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart. The tool can find tens of millions of deployed CPE with EUI-64 addresses and map them to a precise geolocation. This poses a privacy risk as it reveals the physical location of the router and potentially the owner. The attack can be prevented by not using EUI-64 addresses, but many legacy and low-profit-margin customer premises equipment (CPE) still use them.
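
An added example, not code from the talk or its authors: a check a network owner can run over their own router or interface addresses to see which ones are EUI-64-formed and therefore expose a hardware MAC. The sample addresses are constructed from the 2001:db8::/32 documentation prefix, and the function names are this example's own.

```python
import ipaddress

def eui64_mac(addr: str):
    """Return the MAC embedded in a modified EUI-64 IPv6 address, or None."""
    # Accept "addr", "addr/64" and "addr%zone" forms as printed by common tools.
    ip = ipaddress.IPv6Address(addr.split("/")[0].split("%")[0])
    iid = ip.packed[8:]  # low 64 bits: the interface identifier
    # Modified EUI-64 (RFC 4291, Appendix A) inserts ff:fe between the
    # MAC's OUI half and its device half. A random identifier matches this
    # pattern by chance only about once in 65536, so treat a hit as a
    # strong heuristic rather than proof.
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[:3] + iid[5:])
    mac[0] ^= 0x02  # undo the universal/local bit inversion
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each address to the MAC it exposes (None if not EUI-64-formed)."""
    return {a: eui64_mac(a) for a in addresses}

# Constructed sample input (documentation prefix, made-up identifiers).
SAMPLE = [
    "2001:db8:1:2:211:22ff:fe33:4455/64",   # EUI-64 from 00:11:22:33:44:55
    "2001:db8:1:2:3c4d:9a1b:77e0:5f21/64",  # randomized identifier
    "fe80::211:22ff:fe33:4455%eth0",        # link-local, same interface
]

if __name__ == "__main__":
    for address, mac in audit(SAMPLE).items():
        status = f"exposes MAC {mac}" if mac else "no embedded MAC"
        print(f"{address}: {status}")
```

Addresses flagged here are candidates for reconfiguration to randomized or stable-opaque interface identifiers where the device supports it.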

Abstract

While IP Geolocation -- tying an IP address to a physical location -- is in common use, available public and commercial techniques and tools provide only coarse city-level locations that are often wrong. With "IPvSeeYou," we develop a data fusion attack against residential home routers running IPv6 that provides *street-level* geolocation. We then demonstrate IPvSeeYou by discovering and precisely geolocating millions of home routers deployed in the wild across the world.

We assume a weak adversary who is remote to the target and has no privileged access. Our privacy attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address. While EUI-64 IPv6 addresses are no longer used by most operating systems, they are commonly found in legacy and low-profit-margin customer premises equipment (CPE), e.g., commodity routers connecting residential and business subscribers. Because IPv6 CPE are routed hops (as opposed to IPv4 NATs), we can discover their MAC address via traceroute if they use EUI-64. These CPE are frequently all-in-one devices that also provide Wi-Fi. Crucially, the MAC address of the Wi-Fi interface is often related to the MAC address of the wide area interface, e.g., a +/-1 offset. These Wi-Fi MACs are broadcast (the 802.11 BSSID) and captured by wardriving databases that also record their physical location. By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them, fusing virtual data with meatspace.

Last, we demonstrate IPvSeeYou in practice. We develop an Internet-scale IPv6 router discovery technique that finds tens of millions of deployed CPE with EUI-64 addresses. On a per-OUI basis, we map these to a corresponding Wi-Fi BSSID. We search for these BSSID in geolocation databases to successfully map millions of routers, across the world, to a precise geolocation.