Security researchers have outlined a way to hijack huge amounts of confidential network traffic by exploiting default behavior in Microsoft's Windows operating system. The MITM, or man-in-the-middle, attacks described on Monday take advantage of features added to recent versions of Windows that make it easy for computers to …
Who needs to worry about introducing hardware to exploit this? I've dealt with viruses introduced via email in a v4 environment that act as rogue DHCP servers, making themselves the default gateway for clients so they get to see outgoing traffic from affected clients. Not really news because v6 is hardly more affected than v4
Dear dear, let's all worry about Windows and IP6 now because if somebody physically broke in and added custom hardware to my Linux and IP4 network, I'd be just fine.
You missed the point...
> if somebody physically broke in and added custom hardware
It doesn't need custom hardware - just something that acts as a router.
That's a piece of software. It could easily be a piece of malware.
So the point is
You get malware installed and things go to shit - hardly a revelation.
re: You get malware installed and things go to shit
ITYM you get one bit of malware on your network and the whole network's Internet traffic is vulnerable - that's a bit more worrying.
Only if your networking config is that bad in the first place. I.e. if it allows rogue DHCP servers, if it allows promiscuous traffic sniffing / injection, etc.
Any decent network config with, literally, an off-the-shelf £100 switch will let you stop such things happening. And then "compromised PC" (of any ilk) is only able to contact things it was ALLOWED to contact anyway.
Seriously, this isn't a Windows/Linux/etc. problem. It's a networking problem. If you have crap networking, this could affect the network. Otherwise it's a single rogue PC (and the implications of that, e.g. if it stores plaintext passwords, etc.)
"have physical access to the targeted network in order to install a tainted router"
Something like a laptop with a wireless AP, perhaps?
Agreed, if you want to catch wired networks in big companies you'll have to borrow the janitor's set of keys (hardly unfeasible, but necessitates BOFH-like planning). But whip out Ye Olde dual-WiFi card laptop at your local Starbucks (or in the lobby of your main competitor's building) and I'm sure you can catch enough juicy data to keep your Nigeria-based startup busy (or to do very nasty things to your main competitor).
I don't think that a corporate network would be vulnerable unless they are already routing IPv6 packets; if they are, the chances are that they are using IPv6 already and therefore wouldn't be vulnerable.
If they have IPv6 turned on and weren't using it, routers would have to be configured to pass DHCP to your tainted router, which isn't very likely.
If you install an IPv6 wireless router into a corporate environment, this will also probably not work because the laptops would not be configured to connect to this new AP, and also more than likely would not speak IPv6.
I think this is a small company/home user problem, which requires physically installed hardware in a compromised site, or a wireless user to connect to a new AP.
"or a wireless user to connect to a new AP."
Yes, that was the problem I was referring to. Given that the vulnerable OSes also have a tendency to connect to whatever AP is "best" -without warning- by default, you'd catch a lot of people at Starbucks.
Depending on how the corporate WiFi is set, you'll probably be able to also catch data from visitors and/or personal laptops from management at your competitor's. Probably enough to really harm them (you don't need much info to mount a devastating social engineering attack).
...but assuming the machine is already compromised how hard would it be for the attacker to put a self-signed Root CA on the machine to then allow the MITM to spy on SSL traffic?
So what this boils down to is that by inserting a rogue piece of hardware onto a network, you can hijack traffic and have it rerouted through your machine, using ipv6...
Assuming ipv6 is turned on
Assuming the application you're hijacking is ipv6 aware
Assuming you can create ipv6 dns records (afaik ipv6 stateless autoconfig doesn't set dns)
Assuming the hosts someone is trying to access are looked up via dns and not referenced by ip
Or, since you have access to the local network you could just stick to the traditional arp spoofing or dhcp hijacking attacks which have worked well for years.
All this does is further impede the progress of ipv6 and spread fud.
This is new...
> by inserting a rogue piece of hardware
...Or a rogue piece of software.
> Assuming ipv6 is turned on
It is, by default.
> Assuming the application you're hijacking is ipv6 aware
No - that happens in the network stack. The application may neither know nor care that its transport is IPv6.
> Assuming you can create ipv6 dns records
If you're hijacking traffic, you can.
> All this does is further impede the progress of ipv6 and spread fud
Not entirely. There's a real story here, even if it's a problem that's quite easily solved.
@ARP spoofing etc.
One of the points here is that most exploits in IPv4 have been dealt with, so you have no end of knobs to turn, e.g. "Dynamic ARP Inspection", "DHCP Snooping" et cetera. Features similar to these are much less common in IPv6, which is a shame. Though there's not much new in the article, one can hope it helps force the vendors to supply RA Guard et cetera.
Or just use IPv6
The attack works simply because IPv6 is preferred. So if you set up your own router to use IPv6 the problem is solved, yes? If IPv6 is already configured the attack would be ineffective as the computer would already be attached and not find the alternate router's proposal attractive.
Paris, because your computer is just as promiscuous...
It's a collusion to force us to upgrade all network equipment to IPv6! Or to downgrade our OS! (not sure of the profit angle on that one)
"Or to downgrade our OS! (not sure of the profit angle on that one)"
Have you seen what XP still sells for?
Now imagine increased demand.
Possible without physical access..
Any other machine already plugged into the network could act as the evil router in this exploit if they can run a daemon to respond to the SLAAC requests. This means any compromised system could potentially become the gateway for this type of attack.
Physically installing a router is not required to pull this off, it just makes it quite simple to do.
For those with a mac....
Open System Preferences - Network. Go into the 'advanced' for your connection and click on the TCP/IP tab. Then click the Configure IPv6 drop down and set the menu to Off. Click OK and then Apply button.
IPv6, a whole new can of worms for us to worry about........
danger level adequately summed up here:
If you want to make sure you're actually connected to the machine you think you are then SSL is your friend (Comodo issued 'fake' certs aside) - good luck trying MITM if the traffic is encrypted anyway, and that applies to both v4 and v6.
If you use command-line then the simple way to disable IPv6 for all interfaces is
sudo ip6 -x
Thanks for the heads-up, El Reg...
Under MacOSX (OS of the Gods):
System Prefs > Network > Configure IPv6 > Choose "off" > click OK.
There, easy as getting drunk. Speaking of which...
ipv6 on Windows Server
Do NOT turn IPV6 off on a Windows 2008 server. IPV6 is used for the internal routing. Turning IPV6 off on a Windows 2008 server is like disconnecting 127.0.0.1 and LocalHost on an IPV4 machine: something will break.
Presumably you can unbind it from your NICs though? That's the way I do it and I haven't noticed any problems... yet...
NOW they tell us!
Actually, I've seen some weird network stuff that makes me wonder if this is already going on in certain providers' networks, possibly on a large scale. Unfortunately, I'm not a network expert, and what looks quite anomalous to me might be perfectly reasonable and safe to someone who actually understands these things. In the situation where a legitimate IPv6 network is in use, what should the configuration state of the IPv4 data look like?
It depends on what you mean by "configuration state". Most deployments are dual stack where IPv4 and IPv6 live together. Each one is configured just like if it was the only one. In some deployments you could have tunnelling here and there, but for most users/uses this should appear transparent.
If you suspect your ISP is incapable of handling issues like these you really should choose another. Protecting customers from each other has long been a standard ISP practice and IPv6 doesn't change this at all.
Yet more Non-news FUD
Just a protip: turning off IPv6 on your machines is both pointless and silly unless there's a possibility of someone plugging their own router into your stuff, in which case, why not just go with the good old tried and tested IPv4 attacks... hell, a rogue radvd + DHCPv6 server will work just as well as a rogue DHCPv4.
Correct mitigation? Don't let people install crap inside your network.
'don't let people install crap inside your network.'
So if you put up a notice that states "No Crap allowed on the network" everything will be ok?
Or just purchase switches that implement RA Guard / RFC 6105
RA Guard is a switch feature that allows the sysadmin to configure an L2 switch so as to only accept RA messages from specified ports. Obviously you'd only accept RAs from the port with the router on it.
Unfortunately that's only available on rather upmarket kit (e.g. Cisco with rather recent IOS loads) at the moment.
Never mind, by the time I get around to rolling out IPv6, even cheap switches should have that feature. Or my employer won't be buying them!
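For kit without RA Guard, the same "only accept RAs from the known router port" rule can be applied as a detection check on captured frames. This is an added example, not any commenter's code or a vendor feature: it parses ICMPv6 Router Advertisements out of raw Ethernet frames and flags any whose source is not in an allow-list of router link-local addresses (or which break the RFC 4861 hop-limit-255 rule); the allow-list entry fe80::1 and the frames produced by build_ra are constructed test data.

```python
import ipaddress
import struct

# Link-local addresses of the routers allowed to advertise on this segment
# (constructed for this example; take the real list from your network records).
AUTHORISED_ROUTERS = {ipaddress.IPv6Address("fe80::1")}

def parse_ra(frame: bytes):
    """Parse an Ethernet frame; return (src, hop_limit, prefixes) for an ICMPv6
    Router Advertisement (type 134), or None for anything else."""
    if len(frame) < 70 or frame[12:14] != b"\x86\xdd" or frame[20] != 58:
        return None  # not IPv6, or not ICMPv6 directly after the base header
    hop_limit = frame[21]
    src = ipaddress.IPv6Address(frame[22:38])
    icmp = frame[54:]
    if icmp[0] != 134:
        return None
    prefixes, pos = [], 16  # options start after the 16-byte RA header
    while pos + 2 <= len(icmp):
        opt_type, opt_len = icmp[pos], icmp[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp):
            break  # malformed option: stop instead of looping or over-reading
        if opt_type == 3 and opt_len == 32:  # Prefix Information option
            prefix = ipaddress.IPv6Address(icmp[pos + 16:pos + 32])
            prefixes.append(f"{prefix}/{icmp[pos + 2]}")
        pos += opt_len
    return src, hop_limit, prefixes

def classify_ra(frame: bytes) -> str:
    """'ignored' for non-RA frames, 'ok' for an authorised RA, else 'rogue: <why>'."""
    parsed = parse_ra(frame)
    if parsed is None:
        return "ignored"
    src, hop_limit, prefixes = parsed
    if hop_limit != 255:  # RFC 4861: RAs carry hop limit 255; anything else was forwarded or forged
        return f"rogue: hop limit {hop_limit} from {src}"
    if src not in AUTHORISED_ROUTERS:
        return f"rogue: unauthorised router {src} advertising {prefixes}"
    return "ok"

def build_ra(src: str, prefix: str, hop_limit: int = 255) -> bytes:
    """Constructed test frame (never sent): minimal RA with one /64 Prefix Information option."""
    ip6_src = ipaddress.IPv6Address(src).packed
    pio = struct.pack("!BBBB", 3, 4, 64, 0xC0) + struct.pack("!III", 2592000, 604800, 0) \
        + ipaddress.IPv6Address(prefix).packed
    icmp = struct.pack("!BBHBBHII", 134, 0, 0, 64, 0, 1800, 0, 0) + pio  # checksum left zero
    ip6 = struct.pack("!IHBB", 0x60000000, len(icmp), 58, hop_limit) + ip6_src \
        + ipaddress.IPv6Address("ff02::1").packed
    return b"\x33\x33\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x01" + b"\x86\xdd" + ip6 + icmp
```

Feed it frames from a pcap (e.g. via a capture library) on a span port and alert on any "rogue" result; the ICMPv6 checksum is not verified here, so a real deployment should check it before trusting the decode.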
Many PCs are connected to cable modems or 3G modems that have no router or firewall. Presumably the ISP would need to be providing you with IP6 though.
So it's hard to see that many people would be vulnerable as almost no 3G connections provide IP6
It's hard to see how this can work easily.
I turn off IPv6 anyway
on any new macs I hook up, just to cut out a few packets worth of useless chatter, but I can't see a simple switch for the Windows 7 machines. Any pointers anyone?
Start -> Control Panel -> Network and Sharing Centre
Click on 'Connections: Local Area Connection' (unless you've renamed the default NIC), then Properties.
In the "Networking" tab that pops up deselect "Internet Protocol Version 6 (TCP/IPv6)"
This unbinds IPv6 from your NIC; if you've got multiple NICs, do it for each NIC.
Some people are hoping IPV6 fails..
For good, technical reasons!
And (as an IT manager working with a large network) I tend to agree.. And this vulnerability makes me even less enthusiastic..
Well I'm hoping it doesn't fail
>> For good, technical reasons!
Most of those "good reasons" are (IMO) actually good arguments FOR IPv6. Much of what is written is simply drivel written by someone who has never had to deal with the problems caused by s**t like NAT. IMNSHO, if you think NAT is a good idea, you are completely unqualified to talk about networking.
Part of the problem getting IPv6 off the ground is that some f**kwit invented NAT and made people believe the problem was "solved". We'd be far better off now if the effort that's gone into sorting out the s**t caused by NAT had been invested in fixing the real problem instead of new artificial problems.
If you think NAT is easy to deal with (just use STUN I hear being uttered), try it with a Zyxel router and see how well it doesn't work ! uPnP isn't an answer unless you think having a service designed to allow an untrusted bit of software to completely bypass your security is a good thing.
True, there are going to be some adjustments needed, and issues to work out. The subject of this article is **NOT** one of them - it's simply an old problem using the new protocol and the tools haven't caught up *YET*. For example, our helpdesk aren't looking forward to diagnosing connection problems with users who struggle to: "type ping 192.168.1.1 and press the return key" even when you spell it out keypress by keypress.
PS - yes I do think some aspects of IPv6 are sub optimal, but that is just detail - there's nothing fundamentally wrong.
All well and good, but...
While this is worth pursuing and holes need to be filled, sadly the biggest threat to computer security is still the dingbat sitting at the keyboard clicking away with wild abandon. Until everyone is educated to take precautions, the nasties will find the easiest route into a system.
We're the weakest link, goodnight!
IPV6 was going to solve everything! Every implementation is beyond question and it makes PERFECT SENSE to give every bloody device on your network a publicly routable address! This didn't happen; it's obviously been reported wrong. Nothing bad could ever happen to anything involving IPV6 or any of it's implementations because the END-TO-END MODEL IS SACRED AND IT REALLY, REALLY, MATTERS (tm)!!!
Go IPV6 now and unicorns will fall from the sky, ensuring peace, love and the continuation of God's Own End-To-End Model.
Guys and gals, do some research and then post, not the other way around!
Got some private replies which suggest my comment was not constructive :).
Is a good place to start. You really do not need dhcp, dns or any of the protocols you are used to. You need a machine to answer with a certain name (which can be auto discovered in an ipv6 network).
The 'exploit' described in the article remains a corner case to a large extent but let's face it, our hacker/malware friends have demonstrated their imagination too many times for us to not take all threats seriously.
SANS ISC comment