Heuristic Recon via the Dual-Stack UPnP Service
In addition to the recon of IPv6 addresses based on their characteristics, we can also use UPnP to detect IoT assets by referring to the method described in a blog post 28 from Cisco Talos Labs.
UPnP is a set of protocols designed to achieve interconnectivity between devices on a LAN. Due to misconfiguration, many UPnP services are exposed on the Internet. We can use UPnP to uncover dualstack IoT devices — devices with both an IPv4 and IPv6 address. Two roles are available in the UPnP protocol, namely, the control point and device. Each time when the control point goes live, it sends an M-SEARCH message to the multicast address 18.104.22.168:1900 for searching for controllable devices.
After receiving the M-SEARCH message or joining the network, a device sends a NOTIFY message to the multicast address, notifying its own information to other devices. In a NOTIFY message, the LOCATION field indicates the link to the device description. Upon receiving the NOTIFY message sent by the device, the control point will access the link contained in the LOCATION field. Figure 2-16 shows the workflow of UPnP.
For how to use the UPnP service to detect dual-stack assets, perform these steps:
- Use the link contained in the LOCATION field as the address for the IPv6-based web service.
- Send a NOTFIY message to the IPv4 address of each IoT device with the UPnP service exposed on the Internet.
- If the target host has an IPv6 address, it will send a request to the web service using its IPv6 address.
- By parsing the request message, we can get the corresponding IPv6 address of the asset.
After analyzing and deduplicating IPv4 assets exposing port 1900, we found that there were 27,642 dual-stack assets, 27,150 of which embedded MAC addresses. By consulting the geographic information database of IP addresses, we obtained their geographical distribution, as shown in Figure
2-18. Obviously China was home to the most dual-stack assets (15,538), followed by Vietnam (5372). Here, it should be noted that, among the 15,538 dual-stack assets in China, 15,296 assets were distributed in Taiwan.
According to the IPv6 usage provided by the Asia-Pacific Network Information Center (APNIC), 43.35% of IP addresses in Taiwan were IPv6 addresses, ranking No. 7 in the world (as of December 1, 2019). In addition, information about exposed assets in the past two years indicates that the number of exposed IoT assets in the province was relatively great. This probably explains why there were so many dualstack IoT assets in Taiwan.
Since nearly all dual-stack addresses embed an MAC address, we can obtain vendor IDs by parsing the MAC addresses embedded in the IPv6 addresses and then get further information about vendors. After deduplication was performed on MAC addresses, we found that there were a total of 11,606 devices. As shown in Figure 2-19, almost all devices were IoT devices, most of which were from IoT vendor A.
IPv6 Asset Changes
In the 2018 Annual IoT Security Report, we described changes in IPv4 IoT assets in China. In the 2019 Annual IoT Security Report, we decide to reveal changes in IPv6 IoT assets. Since the MAC address embedded in each IPv6 address corresponds to a unique device, we can check whether the network
address of an asset has changed. According to the results of several rounds of recons, the IPv6 address of an IoT device changes from time to time and the mapping between the dual-stack IPv4 and IPv6 addresses of each device is not stable. Table 2-1, Table 2-2, Table 2-3, and Table 2-4 provide some examples to illustrate such unstable mappings.
After deduplication was performed on the MAC addresses of dual-stack assets we detected, there were actually 2927 devices in total. From the mappings between MAC addresses and IPv6 addresses, we found that IPv6 addresses of nearly 90% devices (2633) had changed. To further understand asset changes, we spot-checked 1934 active IPv6 IoT assets and checked them every day. As shown in Figure 2-20, there were 1934 active asset addresses on the first day, 1331 on the second day, and only 42 on the fifth day, accounting for merely 2% of that on the first day. This tells us that at least the IPv6 addresses of the dual-stack IoT assets detected via UPnP had changed, which is somewhat different from our previous understanding. Even if IPv6 addresses are sufficient, carriers or devices are still inclined to adopt the policy of allocating IP addresses dynamically.
This chapter first describes the actual exposure of IPv4 IoT assets in China, Singapore, and Japan in 2019 and then the exposure of some IPv6 IoT assets. In China, the largest number of IPv4 and IPv6 assets were exposed in Taiwan. Then it describes some methods for detecting IPv6 IoT assets. The
method of detecting IPv6 addresses based on address distribution characteristics can help narrow down the recon scope, making IPv6-based recon relatively practical. However, this method has obvious limitations:
It can work only for active IP addresses or network segments and cannot discover irregular IP addresses. Other methods are also available, such as DNS reverse mapping, public network traffic obtaining, and sample survey. Though the method of detecting IPv6 addresses is not perfect, it can be used with proactive detection and passive traffic obtaining methods, so as to detect more and more active IPv6 assets during continuous operations.
With the booming of IoT applications, IPv6 addresses will be gradually adopted, which is an irreversible trend. Attacks against IPv6 networks will ensue. In this sense, detecting IPv6 addresses and services accurately is the prerequisite and method for collecting IoT asset information and detecting vulnerabilities and is of great significance to IoT security.
To be continued.