First, a little background on geolocation for those who haven’t heard of this before:

1. Google has been collecting wifi data while doing streetview. One of the things they collect is MAC addresses of wireless networks.
2. Google, using the above MAC addresses and GPS data, is now offering a geolocation service. You just send in the MAC addresses of any wireless networks in range, and Google will helpfully tell you where you are.
3. While a browser is supposed to prompt a user before sending the MAC addresses off to Google, it is certainly possible for anyone to submit any MAC address they know of to Google. Sam Kamkar has a proof of concept for this.

The summary of the above is this: If you have a MAC address, google will tell you where it has seen that MAC address.

Now for the kicker. IPV6 autoconfig, by default, loads the mac address into the last 64 bits of the IP address. (Not directly – technically the bytes FFFE are added to the middle, and 1 bit is flipped, but this is all easily reversed. Suffice it to say obtaining a MAC address from this sort of IP address is trivial). See where this is going yet? If you want to know where an IPv6 address is located in the real world, just traceroute to the device, pull the MAC address from the device immediately prior to your target, and see if Google has a record of it. If your target is behind NAT, you can skip even this simple step. This attack is probably mostly theoretical right now since the vast majority of wireless networks are still IPv4, but if IPv6 ever does take off, this will become a real worry.

Credit where credit is due: I got this idea while watching the video of Samy Kamkar’s presentation entitled “How I met your girlfriend“. Samy goes from end to end, showing how to get a person’s real life location. He only talks about IPv4, so for the last steps he convinces the target to click a link, exploits their home router, and pulls the MAC address from there using the default credentials. I basically take this attack and consider it in the IPv6 world, where none of the technical wizardry is necessary and the attack difficulty is significantly lower.

Most internet organizations currently consider both lines of attack when designing a security plan, although this may start to change if IPv6 ever becomes a full fledged reality. (Whether or not IPV6 ever does gain wide acceptance is not a matter I care to speculate on). Since IPv6 uses 128 bit IP addresses, (IPv4 uses 32 bit addresses), there will be approximately 3.4×10³⁸ total IP addresses. Even small organizations could have IP spaces that dwarf the entire IPv4 address space. Scanning random IPv6 addresses looking for targets will likely become an exercise in futility. One way attackers will have to adapt in an all IPv6 world is to spend much more time footprinting their targets – trying to find specific system’s through publicly available information sources before attacking them. Parts of this process can clearly be automated by opportunists. For example, an attacker could use Google to find web servers at random and then check them for web specific flaws. However, this will likely deter several common methods of finding targets of opportunity. The danger to this of course is that internet organizations will get lazy and assume that if they can simply hide something in the larger IP space it will never be found. As well know, difficult does not mean impossible.