One Bad Apple Can Spoil Your IPv6 Privacy

TL;DR

This paper reveals that a single IoT device with a static MAC-encoded IPv6 address can compromise the privacy of entire end-user networks, despite privacy extensions, with significant tracking by third parties.

Contribution

It identifies the privacy risks posed by MAC-encoded IPv6 addresses from IoT devices and highlights the lack of adoption of privacy extensions by major manufacturers.

Findings

19% of end-user privacy is at risk due to IPv6 address issues.

IoT devices are the main contributors to privacy leakage.

Third-party providers can track up to 17% of subscriber lines.

Abstract

IPv6 is being more and more adopted, in part to facilitate the millions of smart devices that have already been installed at home. Unfortunately, we find that the privacy of a substantial fraction of end-users is still at risk, despite the efforts by ISPs and electronic vendors to improve end-user security, e.g., by adopting prefix rotation and IPv6 privacy extensions. By analyzing passive data from a large ISP, we find that around 19% of end-users' privacy can be at risk. When we investigate the root causes, we notice that a single device at home that encodes its MAC address into the IPv6 address can be utilized as a tracking identifier for the entire end-user prefix -- even if other devices use IPv6 privacy extensions. Our results show that IoT devices contribute the most to this privacy leakage and, to a lesser extent, personal computers and mobile devices. To our surprise, some of the most popular IoT manufacturers have not yet adopted privacy extensions that could otherwise mitigate this privacy risk. Finally, we show that third-party providers, e.g., hypergiants, can track up to 17% of subscriber lines in our study.