Security Experts:

Researchers Use UPnP Protocol to Unmask IPv6 Address

Cisco Talos security researchers were able to leverage properties of the Universal Plug and Play (UPnP) protocol to unmask the IPv6 address of specific IPv4 hosts.

Comparative scans of discovered hosts on both IPv4 and IPv6 revealed not only that the newly discovered technique is valid, but also that “there are significant security discrepancies in filtering between IPv4 and IPv6 interfaces of these hosts and unintended IPv6 connectivity will be a growing problem.”

While a full IPv4 port scan can be performed in a matter of hours with relatively few resources, IPv6’s use of 128-bit addresses makes this impossible, due to a theoretical maximum number of hosts being tens of orders of magnitude larger than IPv4, Talos’ Martin Zeiser and Aleksandar Nikolich point out. 

The current IPv6 address space is very sparse and the number of actual addresses in use is very small and somewhat random. With adoption growing fast, however, an ever larger number of hosts will remain hidden in future Internet surveys, and this represents a security issue, the researchers say. 

To help uncover active, Internet-connected, IPv6 hosts and solve this problem, Talos proposes a technique that relies on UPnP NOTIFY packets to uncover pairs of IPv4 and IPv6 addresses of dual-homed hosts (this reveals mostly end-user, client-side, consumer devices, the researchers say).

When connecting to a network, a device announces its presence and capabilities by sending an UPnP NOTIFY packet to a multicast address. A “Location” header in the packet specifies a description URL pointing to an XML file describing the device’s capabilities, and the researchers used this specific UPnP packet to get a target UPnP endpoint to connect back to a URL of their choosing. 

“Combining this, we can have a NOTIFY packet that specifies an URL containing an IPv6 address. If we send that NOTIFY packet to an IPv4 address that has UPnP port open and if that host also has IPv6 connectivity, it would connect back to the specified URL, thus revealing its IPv6 address,” the researchers explain. 

The researchers leveraged this to make pairs of IPv4 and corresponding IPv6 addresses, scan both and look for discrepancies (the method, however, requires for the devices to expose UPnP port to the Internet and have UDP port 1900 open). 

Following multiple scans, the researchers noticed that about 12,000 unique IPv6 addresses were logged each time. The top 10 device manufacturers observed were Huawei Technologies, Zhejiang Uniview Technologies, Amazon Technologies, Swann communications, LT Security, Trendnet, Netgem, Shenzhen Giec Electronics, Synology Incorporated, and Panasonic AVC Networks Company. 

The researchers also noticed that 98% of the hosts are embedded Linux devices, including security cameras, media and NAS servers, and Android devices (smart TVs and media dongles). 

The tests revealed that the problem of exposed UPnP devices isn’t going away (the number of open devices on the Internet is likely higher than what Talos has observed) and also unveiled that many devices run severely outdated software and operating systems. 

“With a growing number of connected IPv6 hosts, even though they cannot be directly and exhaustively enumerated, higher exposure through public addresses means that poorly configured and maintained devices that are usually hidden behind NAT in private IPv4 space can and will be abused by employing techniques to actively uncover them,” Talos concludes. 

Related: Europol Looks to Solve IP-Based Attribution Challenges

view counter