IPvSeeYou: Exploiting Leaked Identifiers in IPv6 for Street-Level Geolocation

Presented at Black Hat USA 2021, Aug. 4, 2021, 11:20 a.m. (40 minutes)

While IP Geolocation -- tying an IP address to a physical location -- is in common use, available public and commercial techniques and tools provide only coarse city-level locations that are often wrong. With "IPvSeeYou," we develop a data fusion attack against residential home routers running IPv6 that provides *street-level* geolocation. We then demonstrate IPvSeeYou by discovering and precisely geolocating millions of home routers deployed in the wild across the world.<br><br>We assume a weak adversary who is remote to the target and has no privileged access. Our privacy attack lies in IPv6 addresses formed via EUI-64, which embed the interface's hardware MAC address in the IPv6 address. While EUI-64 IPv6 addresses are no longer used by most operating systems, they are commonly found in legacy and low-profit-margin customer premises equipment (CPE), e.g., commodity routers connecting residential and business subscribers. Because IPv6 CPE are routed hops (as opposed to IPv4 NATs), we can discover their MAC address via traceroute if they use EUI-64. <br><br>These CPE are frequently all-in-one devices that also provide Wi-Fi. Crucially, the MAC address of the Wi-Fi interface is often related to the MAC address of the wide area interface, e.g., a +/-1 offset. These Wi-Fi MACs are broadcast (the 802.11 BSSID) and captured by wardriving databases that also record their physical location. By correlating the MAC addresses embedded in IPv6 home router addresses with their Wi-Fi address counterpart, we can remotely geolocate them, fusing virtual data with meatspace.<br><br>Last, we demonstrate IPvSeeYou in practice. We develop an Internet-scale IPv6 router discovery technique that finds tens of millions of deployed CPE with EUI-64 addresses. On a per-OUI basis, we map these to a corresponding Wi-Fi BSSID. We search for these BSSID in geolocation databases to successfully map millions of routers, across the world, to a precise geolocation.

Presenters:

• Rob Beverly - Dr, Center for Measurement and Analysis of Network Data (CMAND)
  Rob Beverly likes spoofed packets and teaching. In his spare time he enjoys trying to make Germans laugh. He has totaled fewer than 5 cars.
• Erik Rye - Researcher, Center for Measurement and Analysis of Network Data (CMAND)
  Erik Rye is a researcher with the Center for Measurement and Analysis of Network Data (CMAND). His interests include network measurement, wireless networks, and security and privacy; he likes to make the packet machine go brrrrr. Erik is an IPv6 apologist even though it sometimes makes him sad. Dogs are his favorite animal.

Links:

• https://www.blackhat.com/us-21/briefings/schedule/#ipvseeyou-exploiting-leaked-identifiers-in-ipv6-for-street-level-geolocation-22889
• https://www.blackhat.com/us-21/briefings/schedule/#ipvseeyou-exploiting-leaked-identifiers-in-ipv6-for-street-level-geolocation-228891625065676

Similar Presentations:

• DEF CON China 1.0 (2019) / IPv666 - Address of the Beast
• ShmooCon XV (2019) / IPv666: Address of the Beast
• DeepSec 2014 „Do you want to know more?“ / IPv6 Attacks and Defenses - A Hands-on Workshop