Security researchers at Black Hat showed a new way to discern street-level location data. The key? Crummy routers often provided by internet service providers.
Rob Beverly and Erik Rye from the Center for Measurement and Analysis of Network Data call their creation IPVSeeYou, which Rye described as a “large scale data fusion attack.” At its core, it takes a huge pile of IPv6 data and indexes it against known Wi-Fi network locations. Fusing these two piles of data can yield location information that is highly precise.
“We can geolocate down to the street and even the house,” said Beverly.
Data to Fuse
IPv6 addresses look like this: 2001:db8::8a2e:370:7334. That’s quite different from the IPv4 addresses you might be more familiar with, which look like this: 192.0.2.235. The complexity of IPv6 addresses means there are an enormous number of possible addresses compared to IPv4.
“It’s a huge address space,” said Beverly. “Not only is the address space huge, it’s very sparse.” The implication, he explained, is that the vastness prevents active probing of IPv6.
Although IPv6 is relatively new, an older way to create these addresses, called EUI-64, derived a portion of the IPv6 address from the MAC address. This is a problem since it elevates the visibility of one identifier inside another.
That problem’s been around for about 20 years, Beverly said, and mitigations were put in place to protect against abuse. But those protections are not always used by all-in-one modem/router boxes provided by ISPs to their customers.
Called “customer premises equipment” (CPE), these were the focus of the team’s research. By probing random addresses, the team found that they would eventually receive enough IPv6 addresses from CPEs that contained MAC addresses. From there, the team developed a method to extrapolate the Wi-Fi MAC addresses that are broadcast out into the air.
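As an added illustration, not code from the talk or from the researchers' IPvSeeYou tooling, the following Python reverses the EUI-64 construction defined in RFC 4291 Appendix A so a network owner can check whether their own CPE's IPv6 addresses embed a MAC; the sample addresses are constructed.

```python
import ipaddress


def eui64_mac(addr: str):
    """Return the MAC embedded in an EUI-64 interface identifier, or None.

    RFC 4291 Appendix A forms the 64-bit interface identifier (IID) from a
    48-bit MAC by inserting 0xFFFE between the OUI and the device part and
    inverting the universal/local bit (bit 1 of the first byte). Undoing
    that recovers the MAC, which is the leak the article describes.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]                 # low 64 bits = interface identifier
    if iid[3:5] != b"\xff\xfe":
        return None                     # not an EUI-64 derived IID
    first = iid[0] ^ 0x02               # restore the original U/L bit
    mac = bytes([first]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit(addrs):
    """Map each address whose IID reveals a MAC to that MAC.

    Note: the 0xFFFE marker is a heuristic. A randomly generated IID
    (RFC 4941/7217 privacy addresses) can contain it by chance, so treat
    a hit as "looks like EUI-64", not proof of it.
    """
    found = {}
    for a in addrs:
        mac = eui64_mac(a)
        if mac is not None:
            found[a] = mac
    return found


# Constructed samples: one EUI-64 address built from MAC 00:11:22:33:44:55,
# one privacy-style address with a random IID.
SAMPLE_ADDRS = [
    "2001:db8::211:22ff:fe33:4455",
    "2001:db8::8a2e:370:7334",
]

if __name__ == "__main__":
    for addr, mac in audit(SAMPLE_ADDRS).items():
        print(f"{addr} exposes MAC {mac}")
```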
This is where the fusion happens: the researchers compared their guessed addresses against existing public Wi-Fi databases. These are sometimes used to help refine location data on your phone by looking for known Wi-Fi networks.
The team eventually geolocated 12 million unique devices across 147 countries. When they sought volunteers to verify their findings, four out of five were located to within 50 meters. Rye said that in most cases, the location they derived was “on the opposite side of the house from the router.”
While tracing down devices over the internet to within a few yards of their addresses is impressive enough, the team found they could do more. By examining the IPv6 data, they could sometimes determine the ISP that operated it. By graphing multiple locations, they could infer the location of the ISP’s infrastructure.
This had a surprising consequence: Rye explained that these location-leaking routers also hurt the privacy of the more secure devices around them. Armed with the information about ISP infrastructure, the researchers were able to roughly geolocate devices that didn’t have EUI-64 IPv6 addresses.
Only One Mitigation
Unfortunately, the researchers said there’s little that individuals can do to remedy this situation. Turning off IPv6 on a router won’t prevent this kind of geolocating. Turning off ICMP would prevent the probing the team used, but this would also deprive people of a useful network troubleshooting tool.
The solution is in the hands of the CPE vendors, who must stop using EUI-64 addresses. “The addresses are more or less deprecated in the endpoint space,” Rye said. “They should be deprecated in the CPE space.”
Keep reading PCMag for more Black Hat coverage.