While most new operating systems, such as Windows 8 and Mac OS X, come enabled with the next-generation Internet...
protocol IPv6, the number of users actually connecting to Google over IPv6 currently stands at 1.6%. This means the vast majority of users are still connecting via IPv4, but also have IPv6 enabled -- opening the door to man-in-the-middle attacks.
When you buy a new computer, IPv6 is turned on by default. This leads us to believe that a lot of organizations are vulnerable by default. The thing that's really shocking hackers is that we have this particular security issue that in general seems to be turned on everywhere.
senior security consultant, Neohapsis
Back in 2011, Alec Waters, a security researcher for the InfoSec Institute, posted a blog about how to take advantage of operating systems configured to support IPv6. His "SLAAC" – or stateless address auto configuration -- attacks take advantage of the IPv6 setting being enabled, which allows an attacker on the local network to set up a fake IPv6 infrastructure on top of your IPv4 infrastructure to trick Windows clients into routing information through the attacker's host -- allowing the attacker to "man-in-the-middle" your traffic.
Neohapsis Labs viewed this as a serious security risk and played around with the technology to create their own working version, which they call "Sudden Six." Neohapsis set up a process to make it easily reproducible so they could start spreading awareness of the security implications involved with having an IPv6 host on an IPv4 network.
"With the original approach, you'd need a network administration background or have to be really familiar with configuring network services on Linux," explained Scott Behrens, senior security consultant for Chicago-based Neohapsis. "We came up with a way so security engineers who don't have four weeks to spend in a lab to figure everything out can just take and use our preconfigured bunch of configuration files and run our script that sets up the necessary files … and then you're off and running. It only takes a minute to set up."
The technology works for clear text transmissions, so attackers can't see information transmitted over HTTPS or SSL, but Behrens cautioned that some social network sites use clear text. "If you're accessing Instagram -- which runs over clear text -- in a coffee shop, someone could potentially run this SLAAC-style attack and capture all of your traffic," he added.
In this case, "whatever you type in is going to go through to that attacker. One of the things we can see an attacker potentially doing, aside from just intercepting and viewing your traffic, is intercepting and modifying it," Behrens said. "We view it almost as a gateway to do social engineering attacks."
One aspect of man-in-the-middle attacks that surprises even hardcore hackers is that this issue has been out there for so long. "It was originally discussed in an RFC document, Security implications of IPv6, when hardcore security engineers identified the issue and warned that if you have an IPv4 network it may be possible to set up a rogue IPv6 network on top of it," Behrens said.
The scope of the issue is also surprising. "When you buy a new computer, IPv6 is turned on by default," Behrens noted. "This leads us to believe that a lot of organizations are vulnerable by default. The thing that's really shocking hackers is that we have this particular security issue that in general seems to be turned on everywhere."
Good news: Many websites are now supporting HTTPS by default. Facebook, for example, recently turned it on for all of its users by default. And other high-profile sites are starting to turn on SSL, which should help mitigate the severity of an attack. Now, if an attacker routes your information to Facebook, they won't be able to read it because it's encrypted.
Preventing man-in-the-middle attacks
How can users and organizations prevent man-in-the-middle attacks from occurring? Simply turn IPv6 off, Behrens said.
"As much as I'd like to see everyone switch over to IPv6 overnight, we know that's not going to happen," he said. "Disabling or unclicking the box in your network settings protects you from this attack. Since we can almost assume most organizations don't have IPv6 configured end to end, there's really no need to have it turned on."
An alternative remediation strategy is to implement some of the network's defenses that are available for IPv6 attacks. "One of these is known as RA, router advertisement, and it's a security feature that prevents this attack from working," Behrens said. "It's on Cisco high-end hardware, but the network administrator had to know that the technology exists, because it isn't turned on by default."
Yet another alternative is for organizations to fully deploy IPv6. "This may be the best solution, but it involves the most overhead," Behrens said. "But if your entire organization is on IPv6, we can't come in and set up a rogue IPv6 network on top of your network."
Behrens and colleagues are now turning their focus to the security challenges involved in cutting over to IPv6. "We're looking at all of the intricacies and challenges that might arise and evaluating them from a security perspective. I don't expect it to be an easy cut over to using IPv6, and some of the security vulnerabilities that probably exist can be addressed and we can spread some awareness and help people understand what sorts of challenges they might run into," Behrens said. "We're going to continue spreading awareness about this issue, and hopefully we'll see some real change."