One Bad Apple Spoils The Bunch
There is a new research paper out from a collaboration of academics with good taste in titles explains how a single device on your network using a legacy EUI-64 IPv6 address can ruin the security of every other device on your network; not just itself. As you should expect by now this will apply to just about every single IoT device ever sold, from doorbells through toasters to TVs. The vulnerability defeats the obfuscation of your devices hardware addresses, which means someone cant only track your devices over the web no matter how many IP refreshes you perform.
EUI-64 was used as a way to generate the host portion of an IPv6 address for a device using it’s MAC address, which was deprecated after it was realized that revealing hardware identification over the network layer is a bad idea. It was replaced with DHCPv6 and stateless address auto-configuration (SLAAC), which allowed a device to generate it’s own host portion to append to the prefix provided by your router, or your ISP. The problem is that IoT makers never bothered to update to either of those protocols, even on new devices.
The Register has posted an example of how this can be used to breach your network security. The first time your personal network reaches out to the internet and connects to a CDN, IPv6 address are generated, with the same end-user prefix for both a TV and laptop. The laptop uses SLAAC to generate a random host address but uses the same prefix as the TV. The next day, the laptop generates a new IPv6 address but the TV does not because the address is generated from the MAC address. This means that no matter how many times your laptops address changes, because it is on the same network as the TV it can be associated back to the original IP address and your usage can now be tracked.