Annual IoT Security Report 2019-5

Annual IoT Security Report 2019-5

November 23, 2020 | Adeline Zhang
IoT botnets

This section presents the exposure of IPv6 assets on the Internet and methods for recon of these assets.

IPv6 Evolution

With the IoT and 5G gaining ground, the demand of network applications for IP addresses is undergoing an explosive growth. However, the IPv4 address space has been depleted and IPv4 addresses have been unevenly allocated. In this context, IPv6 comes into sight, becoming a critical factor to achieve the Internet of everything and drive digitalized, networked, and intelligent production and lives thanks to the sufficient addresses and great possibility of innovation that come with it. In April 2019, the Ministry of Industry and Information Technology issued the Notice on Launching the IPv6 Ready Campaign for 2019 23 , proposing the goal and mission of and assurance measures for getting ready for the nextgeneration Internet around the overall improvement of the IPv6 penetration rate and network traffic by promoting the deployment and adoption of IPv6 across the board. Obviously, the IPv6 epoch is around the corner.

Classification of IPv6 Addresses

An IPv6 address consists of 128 bits, four times the length of an IPv4 address. This makes the dotted decimal notation used by IPv4 addresses incompetent for IPv6 addresses. The IPv6 designers created colon hexadecimal notation (abbreviated colon hex) in which the value of each 16-bit quantity is represented in hexadecimal separated by colons like X:X:X:X:X:X:X:X. The colon hex notation allows zero compression in which a string of repeated zeros is replaced by a pair of colons, that is, “::”. Such a pair, however, can appear only once in an IPv6 address to avoid causing ambiguity to an address parser.

IPv6 addresses vary greatly from IPv4 addresses in the representation method and configuration. IPv6 addresses are often divided into the following types based on the generation scheme.

  • Low-byte address

In particular circumstances, node addresses, such as addresses of routers and servers, need to be manually configured. Network administrators can choose addresses within the assigned scope at their discretion. Considering the simplicity in configuration and the ease of memorization, they tend to choose low-byte addresses, in which all the bytes of the interface identifier (IID) (except the least significant byte) are set to zero. Such addresses are the same in other bytes than the least significant byte, which contain random bits, as shown in Figure 2-5.

  • Address with random bits in particular bytes

This type of addresses is similar to low-byte addresses, except that they have random bits in particular bytes rather than in the least significant byte, as shown in Figure 2-6.

  • IPv4-based address

This type of addresses has the IPv4 address of the network interface, in part or in full, embedded, as shown in Figure 2-7.

  • Address embedding the MAC address

This type of addresses, also known as EUI-64 addresses, is generated from link-layer addresses (Media Access Control (MAC) addresses) of interfaces. First, in the midst of a 48-bit MAC address (following the 24th bit reading from left to right), insert a hexadecimal number FFFE. Then, set the Universal/Local (U/L) bit (the seventh bit, from left to right) to 11. Finally, we get an address of the 64-bit Extended Unique Identifier (EUI-64) format. Such addresses are characterized by a string of FFFE inserted in the middle , as shown in Figure 2-8.

Figure 2-9 shows the detailed procedure of converting a MAC address to an IPv6 address.

Besides, there are port-based addresses, temporary addresses, and IPv6 addresses corresponding to transition/co-existence technologies. Those who are interested in IPv6 addressing can refer to related documentation for more information.

Challenges and Opportunities with growing IPv6 based IOT Assets

As described previously, research on techniques of surveying IPv6 IoT assets is of great significance to the next-generation cybersecurity and the management of IoT assets.

The IPv6 address space is so large as to contain 296 times as many IPv6 addresses as IPv4 addresses. The method for discovering IPv4 assets across the network is unfeasible for IPv6 assets, whether from the perspective of the time to be taken or the resource to be consumed. Besides, live IPv6 assets today are actually very small in number and are distributed randomly. No appropriate recon method is available specifically for identifying live IPv6 assets on a network. All these factors add to the difficulty of IPv6 asset recon. For these reasons, we cannot use the IPv4-oriented method directly for IPv6 networks.

Researchers at home and abroad have researched this subject on a trial basis and made some IPv6 addresses publicly known for follow-up studies. Understanding how IPv6 addresses are assigned, as explained in section 2.4.1.2 Classification of IPv6 Addresses, can help us do the recon in a much smaller scope. Section 2.4.2 Identification of IoT Assets from Known IPv6 Addresses describes how we identified IoT assets from the known collection of IPv6 addresses and used them as seeds to find other active IoT assets via multiple heuristic search algorithms.

Viewpoint 2: Currently, the recon of IPv6 assets is a problem baffling the academic community. Related research, whether at home or abroad, is at a burgeoning stage. Still, it is advisable to use heuristic approaches to identify IPv6 IoT assets based on characteristics of IPv6 addresses and IoT services. According to our statistics, the number of IPv6 IoT assets in China in 2019 was rather small, largely because IPv6 deployments were yet to be rolled out nationally.

To be continued.