IPv6 and IoT security: What should you know?

15 May 2018

Amazon Echo Spot smart device. Image: NYCStock/Shutterstock

IPv4 is stretched to breaking point and IPv6 migration is an inevitability as IoT devices multiply.

Internet Protocol (IP) is the system that allows devices to find and connect to each other on the internet. IPv4 made its debut in the 1980s and since then, the exponential growth of the internet has caused a major shift in perspective. Designers never expected that the limited pool of addresses would be an issue, but the proliferation of devices looking to go online soon put that idea to rest.

IPv6, its successor, was introduced way back in 1998. The main difference between the two is the extension of IP addresses from 32 bits to 128. This feature aims to ease the immense pressure in terms of the dearth of network addresses, while creating a sustainable environment for the internet-connected devices of the future.

While IPv6 is touted as the more secure and efficient system, implementing it is a far cry from a hassle-free process. With that in mind, what should professionals know about as it becomes a more pressing issue and more devices such as internet of things (IoT) products require IP addresses? With IPv4 space rapidly running out, the time to develop your IPv6 strategy is now.

Just how secure is it?

Earlier this year, Neustar network engineer Wesley George identified a significant amount of strange traffic being driven to a client as part of a wider attack, but noticed that packets coming from IPv6 addresses were being sent to an IPv6 host. The issue here is not that IPv6 is not secure, said Ed Williams, EMEA director at Trustwave SpiderLabs, but that not enough time is being devoted to educating teams about how it works.

Alan Mindlin, technical manager at Morey, agreed, saying that he thinks IPv4 is “probably better understood. IPv6 adds a broader address space, new features with regard to discoverability of nodes and additional capabilities in the headers.”

He noted that mitigation tools against IPv6 threats are in their infancy. “From a router perspective, you can’t just keep following your IPv4 policies and conducting security checks. Instead, you need to add to your procedures to cover the new features.

“The toolset for securing IPv6 nodes is still being built and the hacks to attack them are just starting to be seen. From the endpoint perspective, the ‘bad guys’ have access to a wide range of deployed and poorly secured IPv4 devices to attack, and are probably not spending much time on IPv6 devices yet.”

It’s a process of adopting a new technology and simultaneously running both technologies side by side on one dual protocol stack that can increase a potential security risk, because it enlarges the attack surface.

Threat modelling

The importance of designing a threat model for IPv6 cannot be underestimated, as it has some unique features. Also, working on a dual stack with IPv4 can present some problems in terms of a vulnerability in one affecting the other.

Williams said that not threat modelling for IPv6 “massively undermines any security that is currently in place within an organisation. IPv6 stacks need to be identified and hardened as a matter of urgency. Any threat model exercise will/should result in a reduced attack surface. We’re not seeing that at the moment. In fact, we’re seeing the opposite: more ports and services that increase the likelihood of a successful attack.”

The lack of a good catalogue of threats to model against is an obstacle, Mindlin said. “The router and server side has years of experience with various attacks and exploits. We still see things as almost anecdotal in nature: data streams of nanny cams stolen, vehicles with internal buses disrupted to compromise safety, or endpoints loaded with malicious code to steal data or disrupt communications.

“These all exploit more than just the IP layer and all are discovered after the fact with 20/20 hindsight as examples of what not to do.” It won’t be easy, by any means, he added. “Pre-emptively figuring out the threat model for IoT on any IP protocol or on any layer of the model is hard work.”

IPv6 and IoT

From smart fridges to connected baby monitors, IoT devices have almost reached ubiquity in modern society – but what effect are they having on the internet’s infrastructure?

Mindlin said: “A surge in the IoT has created a surge in the number of endpoints. This surge is driving adoption of IPv6 to allow larger address space instead of trying to fit into the constrained IPv4 space.”

Martin Hron, researcher at Avast, said: “I don’t think that surge of IoT influenced the adoption of IPv6, but it’s a next logical step and must for us to adopt IPv6 as soon as possible, as we are simply running out of IPv4 addresses. But, obviously, with an increasing number of IoT devices, the demand for IP addresses increases, too. However, nowadays most of the IoT devices are hidden behind the NAT and in internal networks.”

Mistakes to watch out for

In general and at a high level, organisations are forgetting about IPv6 and not giving it the attention it requires, Williams theorised. Considering the more complex structure compared to IPv4, it can seem daunting for those tasked with migration duties. Hron said that many people are forgetting that both IPv4 and IPv6 stacks have to coexist for some time. He also cited the lack of professionals with adequately detailed IPv6 expertise as a problem.

According to Mindlin, the multitudes of implementations occurring at the same time from endpoint gateways to routers are a challenge, and those building the infrastructure that IoT depends on “need to take their best practices of the current IPv4 world and use them as the starting point for IPv6. Endpoint or IoT gateway providers need to implement the new stack using all of the security that comes with it.”

What are the risks?

DDoS and phishing attacks, data theft, and remote hacking of industrial control systems, healthcare systems and automotive technologies are all likely to carry over from IPv4 to IPv6. Mindlin explained that although the structural elements of IPv6 are naturally beefed up, along with the huge address space, hackers will eventually find the network vulnerabilities and, after that, get to work on attacking the higher layers.

Hron said that with a vast global amount of reachable IPv6 addresses, each connected device can be connected directly to the internet network, increasing its visibility and also potentially emphasising its vulnerability issues.

The role of automation

Like numerous business processes both within and outside of the IT space, IPv6 implementation can be made easier with the help of automation. Williams said while many tool sets are IPv6-aware, the fundamental lack of education around IPv6 means they may not be consistently used.

As it is with threat modelling, the relative immaturity of the IPv6 space means there is a dearth of tools currently available, Hron explained. “It would be wise to do penetration testing and semi-automatic deployment for IPv6 networks; however, we can expect that, at least until some point in time, there’s going to be a lack of devices and tools to do so because the market with IPv6 solutions is still at its beginning.”

Amazon Echo Spot smart device. Image: NYCStock/Shutterstock

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects