
Researchers Use UPnP Protocol to Unmask IPv6 Address

Cisco Talos security researchers were able to leverage properties of the Universal Plug and Play (UPnP) protocol to unmask the IPv6 address of specific IPv4 hosts.


Comparative scans of discovered hosts on both IPv4 and IPv6 revealed not only that the newly discovered technique is valid, but also that “there are significant security discrepancies in filtering between IPv4 and IPv6 interfaces of these hosts and unintended IPv6 connectivity will be a growing problem.”

While a full IPv4 port scan can be performed in a matter of hours with relatively few resources, IPv6’s 128-bit addresses make an exhaustive scan impossible: the theoretical address space is 2^96 times (roughly 29 orders of magnitude) larger than IPv4’s, Talos’ Martin Zeiser and Aleksandar Nikolich point out.

The current IPv6 address space is very sparse and the number of actual addresses in use is very small and somewhat random. With adoption growing fast, however, an ever larger number of hosts will remain hidden in future Internet surveys, and this represents a security issue, the researchers say. 

To help uncover active, Internet-connected, IPv6 hosts and solve this problem, Talos proposes a technique that relies on UPnP NOTIFY packets to uncover pairs of IPv4 and IPv6 addresses of dual-homed hosts (this reveals mostly end-user, client-side, consumer devices, the researchers say).

When connecting to a network, a device announces its presence and capabilities by sending a UPnP (SSDP) NOTIFY packet to the multicast address 239.255.255.250 on UDP port 1900. A “Location” header in the packet specifies a description URL pointing to an XML file describing the device’s capabilities, and UPnP endpoints that receive a NOTIFY may fetch that URL. The researchers used this behaviour to get a target UPnP endpoint to connect back to a URL of their choosing.

“Combining this, we can have a NOTIFY packet that specifies an URL containing an IPv6 address. If we send that NOTIFY packet to an IPv4 address that has UPnP port open and if that host also has IPv6 connectivity, it would connect back to the specified URL, thus revealing its IPv6 address,” the researchers explain. 

The researchers leveraged this to build pairs of IPv4 and corresponding IPv6 addresses, scan both and look for discrepancies. The method, however, only works against devices that expose their UPnP/SSDP service (UDP port 1900) to the Internet on the IPv4 side and have working IPv6 connectivity.
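The probe-and-pair procedure described above, as an added example that is not Talos’ own scanner: it builds a unicast SSDP NOTIFY whose LOCATION header carries an IPv6 literal, and correlates the HTTP connect-backs with the IPv4 hosts that were probed. The per-target token in the URL path (so that one callback can be attributed to one IPv4 target), the HMAC used to derive it, and the sample callback requests are all assumptions of this example, not details from the article.

```python
"""SSDP NOTIFY probe with an IPv6 callback URL, plus pairing of the
connect-backs with the IPv4 hosts that were probed.

Added example, not Talos' tooling. Assumed: a per-target token in the
LOCATION path keeps the IPv4 -> IPv6 pairing; the callback requests in
SAMPLE_CALLBACKS are constructed, not captured traffic.
"""
import hashlib
import hmac
import ipaddress
import socket
from typing import Dict, Iterable, List, Optional, Set, Tuple

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900


def token_for(ipv4: str, secret: bytes) -> str:
    """Deterministic but unguessable per-target token (HMAC of the IPv4 address)."""
    return hmac.new(secret, ipv4.encode(), hashlib.sha256).hexdigest()[:16]


def build_notify(callback_v6: str, token: str, port: int = 8080) -> bytes:
    """Raw UDP payload of an SSDP NOTIFY (ssdp:alive) whose LOCATION header
    names a literal IPv6 address. A dual-homed host that fetches the
    description URL can only do so over IPv6, revealing its IPv6 address."""
    ipaddress.IPv6Address(callback_v6)  # must be a real IPv6 literal
    # RFC 3986 requires brackets around an IPv6 literal in a URL.
    location = f"http://[{callback_v6}]:{port}/{token}/desc.xml"
    lines = [
        "NOTIFY * HTTP/1.1",
        f"HOST: {SSDP_MCAST}:{SSDP_PORT}",
        "CACHE-CONTROL: max-age=1800",
        f"LOCATION: {location}",
        "NT: upnp:rootdevice",
        "NTS: ssdp:alive",
        "SERVER: probe/1.0 UPnP/1.1 example/1.0",  # hypothetical server string
        f"USN: uuid:{token}::upnp:rootdevice",
        "", "",  # blank line terminates the header block
    ]
    return "\r\n".join(lines).encode("ascii")


def build_probes(targets: Iterable[str], callback_v6: str,
                 secret: bytes) -> Tuple[Dict[str, str], Dict[str, bytes]]:
    """Return (token -> IPv4 target, IPv4 target -> NOTIFY payload)."""
    token_to_v4: Dict[str, str] = {}
    payloads: Dict[str, bytes] = {}
    for v4 in targets:
        ipaddress.IPv4Address(v4)  # reject anything that is not an IPv4 literal
        tok = token_for(v4, secret)
        token_to_v4[tok] = v4
        payloads[v4] = build_notify(callback_v6, tok)
    return token_to_v4, payloads


def send_probe(ipv4: str, payload: bytes) -> None:
    """Unicast the NOTIFY to the target's UDP/1900 (network side; not run here)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(payload, (ipv4, SSDP_PORT))


def token_from_request(request_line: str) -> Optional[str]:
    """Extract the token from a request line 'GET /<token>/desc.xml HTTP/1.1'."""
    parts = request_line.split()
    if len(parts) != 3 or parts[0] != "GET":
        return None
    segs = parts[1].strip("/").split("/")
    if len(segs) != 2 or segs[1] != "desc.xml":
        return None
    return segs[0]


def pair_callbacks(token_to_v4: Dict[str, str],
                   callbacks: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map each probed IPv4 address to the IPv6 peer that fetched its URL.
    Peers that arrive over IPv4 or as IPv4-mapped IPv6 (::ffff:a.b.c.d) say
    nothing about IPv6 exposure and are dropped, as are unknown tokens."""
    pairs: Dict[str, str] = {}
    for peer, request_line in callbacks:
        addr = ipaddress.ip_address(peer)
        if addr.version != 6 or addr.ipv4_mapped is not None:
            continue
        v4 = token_to_v4.get(token_from_request(request_line) or "")
        if v4 is not None:
            pairs[v4] = str(addr)
    return pairs


def filtering_discrepancies(open_v4: Set[int], open_v6: Set[int]) -> Set[int]:
    """Ports reachable on the IPv6 side of a pair but filtered on IPv4: the
    discrepancy the comparative scans are looking for."""
    return set(open_v6) - set(open_v4)


# Constructed callback log: (peer address seen by the IPv6 listener, request line).
SECRET = b"example-secret"
SAMPLE_CALLBACKS: List[Tuple[str, str]] = [
    ("2001:db8:abcd::10", f"GET /{token_for('198.51.100.7', SECRET)}/desc.xml HTTP/1.1"),
    ("::ffff:198.51.100.7", f"GET /{token_for('198.51.100.7', SECRET)}/desc.xml HTTP/1.1"),
    ("2001:db8::99", "GET /deadbeefdeadbeef/desc.xml HTTP/1.1"),
]


def demo() -> Dict[str, str]:
    token_to_v4, _payloads = build_probes(["198.51.100.7", "203.0.113.9"], "2001:db8::1", SECRET)
    return pair_callbacks(token_to_v4, SAMPLE_CALLBACKS)


if __name__ == "__main__":
    print(demo())
```

Only the demo path runs offline; `send_probe` and the IPv6 HTTP listener that would record the callbacks are the network half. Note that a NOTIFY is an unsolicited announcement, so a host that follows its LOCATION header is trusting an unauthenticated UDP datagram; that is the property the technique depends on, and also why exposing UDP/1900 to the Internet is a misconfiguration in its own right.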


Following multiple scans, the researchers noticed that about 12,000 unique IPv6 addresses were logged each time. The top 10 device manufacturers observed were Huawei Technologies, Zhejiang Uniview Technologies, Amazon Technologies, Swann communications, LT Security, Trendnet, Netgem, Shenzhen Giec Electronics, Synology Incorporated, and Panasonic AVC Networks Company. 

The researchers also noticed that 98% of the hosts are embedded Linux devices, including security cameras, media and NAS servers, and Android devices (smart TVs and media dongles). 

The tests revealed that the problem of exposed UPnP devices isn’t going away (the number of open devices on the Internet is likely higher than what Talos has observed) and also unveiled that many devices run severely outdated software and operating systems. 

“With a growing number of connected IPv6 hosts, even though they cannot be directly and exhaustively enumerated, higher exposure through public addresses means that poorly configured and maintained devices that are usually hidden behind NAT in private IPv4 space can and will be abused by employing techniques to actively uncover them,” Talos concludes. 

Related: Europol Looks to Solve IP-Based Attribution Challenges

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
