Beware: IPv6 may be enabling many more users and devices to communicate with the internet, but at the same time it is also enabling attackers to set up covert, hard-to-detect communications channels across computer networks so they can get in and steal data without being caught.
Cybersecurity researchers working for NATO's Cooperative Cyber Defence Centre of Excellence and the Tallinn University of Technology in Estonia have shown that IPv6's tunnel-based transition mechanisms (the mechanisms that carry IPv6 packets inside IPv4 so the two protocols can coexist) can be used to create a network backdoor that attackers could use both to exfiltrate information without being detected and to remotely control a target's system.
The researchers built a proof of concept of the attack and were able to send and receive web traffic through such tunnels without being detected by several widely used network intrusion detection and packet-capture tools, namely Moloch, Snort, Bro and Suricata, on both IPv4-only and IPv4/IPv6 dual-stack networks.
Their paper, entitled "Hedgehog in the Fog: Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels", was presented at the 21st Nordic Conference on Secure IT Systems (NordSec 2016), and the researchers have since made a copy openly available online.
Attack evaded every detection system tested
What is IPv6?
Every device that communicates on the internet needs an IP address. Internet Protocol version 4 (IPv4), standardised in 1981 after the internet's origins in the 1970s, uses 32-bit addresses, which allows for a total of about 4.3 billion of them.
With the proliferation of modems, laptops, video game consoles, smartphones, tablets and internet-enabled devices like smart TVs, smart fridges, smart thermostats and AI voice assistants, we have so many more devices that need internet connectivity than was ever predicted that the pool of IPv4 addresses is essentially exhausted.
To keep the internet growing, standards bodies developed a successor, IPv6, whose 128-bit addresses allow vastly more hosts to be connected, and internet service providers (ISPs) across the world have been migrating users over for years. Because the two protocols are not directly compatible, "transition mechanisms" such as 6to4, 6in4, ISATAP and Teredo tunnel IPv6 packets inside IPv4 packets, and it is these tunnels the researchers abused.
"It has to be noted that any reasonably sophisticated method for exfiltrating data will be hard to detect in real-time by existing NIDSs, especially in situations where the data is split into smaller chunks and the resulting pieces use different connections or protocols (e.g. IPv4 and IPv6)," the researchers conclude in the paper.
"Authors acknowledge that the tendency of use of IPv6 in attack campaigns conducted by sophisticated malicious actors is going to increase. Since IPv6 security aspects are being addressed by protocol RFC updates and deprecation of obsolete transition mechanisms, it would be required to focus on these issues at the security solution developer (i.e. vendor) and implementer (i.e. consumer) levels.
"Adding IPv6 support to the security devices would not solve this problem, since fundamental changes would be required in the way network traffic is interpreted and parsed, while being able to trace the context of various data streams and perform their correlation."
No practical way to stop such an attack yet
The researchers say that it is possible to detect malicious web traffic sent over IPv6 tunnelling mechanisms by decapsulating the tunnels and correlating detection information across different flows in near real-time. However, this method would most likely impose a heavy performance cost on the monitoring system, and a detector tuned to catch it would also be likely to raise false positives, sounding an alarm when no attack is taking place.
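To make the detection problem concrete, here is an added example of the decapsulate-and-correlate approach described above and of the attack setup described earlier (exfiltration split across IPv4 and tunnelled IPv6). This is illustrative code written for this page, not the researchers' own tooling, and the three packets it inspects are constructed in the script rather than taken from a real capture; the addresses use documentation prefixes, and the exfiltration destination `2001:db8::bad` is hypothetical. It parses 6in4/6to4-style encapsulation (IPv4 protocol 41) and bare Teredo data packets (IPv6 carried in UDP to port 3544), and groups packets by their inner IPv6 destination so that a stream split over two different tunnels and two different outer peers shows up as a single correlated flow. A NIDS that only looks at the outer IPv4 header would see two unrelated flows (protocol 41 to one host, UDP to another).

```python
"""Decapsulate IPv6 transition tunnels so the inner flows can be inspected and correlated.

Added example for this page; packet builders exist only to construct sample traffic.
"""
import socket
import struct
from collections import defaultdict

IPPROTO_TCP, IPPROTO_UDP, IPPROTO_IPV6 = 6, 17, 41   # 41 = IPv6-in-IPv4 (6in4, 6to4, ISATAP)
TEREDO_PORT = 3544                                   # Teredo servers/relays listen on UDP 3544


# ---- minimal packet builders (used only to construct the sample traffic below) ----
def ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def ipv6(src, dst, next_hdr, payload):
    hdr = struct.pack("!IHBB16s16s", 0x60000000, len(payload), next_hdr, 64,
                      socket.inet_pton(socket.AF_INET6, src),
                      socket.inet_pton(socket.AF_INET6, dst))
    return hdr + payload


def tcp(sport, dport, data):
    # seq=1, ack=0, data offset 5 words, flags PSH|ACK, window, checksum 0 (unchecked here), urgent 0
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 0x50, 0x18, 65535, 0, 0) + data


def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


# ---- parsers ----
def l4_ports(proto, seg):
    """Source/destination port for TCP or UDP, (None, None) for anything else."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(seg) >= 4:
        return struct.unpack("!HH", seg[:4])
    return None, None


def parse_ipv6_packet(pkt):
    """Parse a bare IPv6 header; returns None if the bytes do not start with one."""
    if len(pkt) < 40 or pkt[0] >> 4 != 6:
        return None
    next_hdr = pkt[6]
    src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
    dst = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
    sport, dport = l4_ports(next_hdr, pkt[40:])
    return {"src": src, "dst": dst, "proto": next_hdr, "sport": sport, "dport": dport}


def decapsulate(pkt):
    """Return the outer IPv4 flow, the tunnel type (if any) and the inner IPv6 flow.

    The inner flow is what an outer-header-only NIDS never gets to apply its rules to.
    """
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    outer = {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]), "proto": proto}
    body = pkt[ihl:]
    outer["sport"], outer["dport"] = l4_ports(proto, body)
    tunnel, inner = None, None
    if proto == IPPROTO_IPV6:                                   # 6in4/6to4/ISATAP: IPv6 follows IPv4 directly
        tunnel, inner = "6in4", parse_ipv6_packet(body)
    elif proto == IPPROTO_UDP and TEREDO_PORT in (outer["sport"], outer["dport"]):
        inner = parse_ipv6_packet(body[8:])                     # Teredo data packet: IPv6 as UDP payload
        tunnel = "teredo" if inner else None                    # (origin/auth trailers not handled here)
    return {"outer": outer, "tunnel": tunnel, "inner": inner}


def correlate(packets):
    """Group tunnelled packets by inner (dst, dport) so one stream split over tunnels appears as one."""
    by_dst = defaultdict(lambda: {"packets": 0, "tunnels": set()})
    for pkt in packets:
        rec = decapsulate(pkt)
        if rec["inner"] is None:
            continue
        entry = by_dst[(rec["inner"]["dst"], rec["inner"]["dport"])]
        entry["packets"] += 1
        entry["tunnels"].add(rec["tunnel"])
    return dict(by_dst)


# ---- constructed sample traffic (not a real capture); 2001:db8::bad is a hypothetical collector ----
EXFIL_V6_DST = "2001:db8::bad"
SAMPLE = [
    # plain IPv4 HTTP: visible to any NIDS
    ipv4("192.0.2.10", "198.51.100.1", IPPROTO_TCP, tcp(40000, 80, b"GET / HTTP/1.1\r\n")),
    # 6in4: chunk 1 of the exfiltration stream, inner IPv6 TCP/80
    ipv4("192.0.2.10", "198.51.100.2", IPPROTO_IPV6,
         ipv6("2001:db8::10", EXFIL_V6_DST, IPPROTO_TCP, tcp(50000, 80, b"POST /x chunk1"))),
    # Teredo: chunk 2 of the same stream, different outer peer and outer transport
    ipv4("192.0.2.10", "198.51.100.3", IPPROTO_UDP,
         udp(54321, TEREDO_PORT,
             ipv6("2001:db8::10", EXFIL_V6_DST, IPPROTO_TCP, tcp(50001, 80, b"POST /x chunk2")))),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        rec = decapsulate(pkt)
        print(rec["outer"], "->", rec["tunnel"], rec["inner"])
    print(correlate(SAMPLE))
```

Running it shows the two tunnelled chunks collapsing onto a single inner destination (`2001:db8::bad`, port 80) reached via both `6in4` and `teredo`, which is exactly the cross-flow correlation the paper says a conventional NIDS does not perform. Real Teredo traffic can carry origin-indication and authentication trailers before the IPv6 header, and 6to4 and ISATAP use different outer address conventions, so a production decoder needs more cases than this sketch.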
The researchers advise that end-users need to know how to properly configure, deploy and monitor security solutions in order to gain maximum awareness of the computer network they are supervising.
Since no one yet has a practical way to stop these attacks, the researchers plan to delve further into advanced insider threat detection and to investigate how the IPv6 protocol is implemented in operating system kernels and in the micro-kernels of Internet of Things-enabled smart devices.