[LINK] smartphone privacy problems
Jan Whitaker
jwhit at janwhitaker.com
Thu Jan 27 20:18:56 AEDT 2011
14 January 2011, 15:41
IPv6: Smartphones compromise users' privacy
Since version 4 of the iOS operating system,
Apple's iPhones, iPads and iPods have been
capable of handling IPv6, and most Android
devices have been capable since version 2.1.
However, the operating systems transfer an ID
that discloses information about their users:
devices usually determine half of their IPv6
address (the "interface identifier") themselves.
On a wireless network, the smartphones don't
appear to be careful enough with this task; they
simply add the same two bytes to their globally
unique MAC address and use it as their
identifier. As a result, they transfer a unique
hardware ID whenever they communicate with an IPv6-enabled server.
The issue is particularly sensitive because such
devices tend to be used by one specific person.
As a result, the MAC address, which is accessible
to any server operator and network monitor, allows this user to be identified.
The basic problem isn't an IPv6 issue, because
various other methods for generating the address
are available. For instance, a device can
generate a random interface identifier and
replace it on a regular basis. This method is
called Privacy Extensions[1] and is the
factory-set option in Windows; it can also be
enabled in other operating systems.
It's the smartphone users who haven't got a
chance: mobile devices running Apple's iOS or
Android offer neither the option to enable
Privacy Extensions nor the option to disable IPv6;
anyone who uses an affected device on an
IPv6-enabled wireless network will transmit their ID.
[for those who aren't up on this, IPv6 is the
upcoming addressing system since we're running
out of IPv4 addresses for devices]
The only thing the smartphones are lacking is a
control option in the user interface, as the
Privacy Extensions do come as part of their
kernel. For instance, on a (jailbroken) iOS 4
device with root access, they can be enabled with
the same command that enables them on a desktop device running Mac OS X:
sysctl -w net.inet6.ip6.use_tempaddr=1
The problem is currently only affecting a small
number of users because IPv6 is not yet in
widespread use. However, German Telekom and
several other IPs plan to offer IPv6 in addition
to the old IPv4 during this year. In addition,
there are such routers as the Cisco Linksys
E3000[2], which will, without requesting user
consent, even establish an IPv6 connection via a
6to4 conversion[3] when their internet access is purely IPv4.
You can check whether you are using such a
telltale IPv6 address with an online tool
available on the heise Germany web site: the
version of "My-Ip-Service" on the server only
accessible via IPv6,
http://www.six.heise.de/ip[4], will display your
IPv6 address if you have IPv6-enabled internet
access. If the combination ff:fe marks the
boundary between the third-but-last and
second-but-last address segments, the six bytes
before and after it are likely to be your MAC address."
http://www.h-online.com/security/news/item/IPv6-Smartphones-compromise-users-privacy-1169708.html?view=print
http://snipurl.com/1x56zg
Melbourne, Victoria, Australia
jwhit at janwhitaker.com
blog: http://janwhitaker.com/jansblog/
business: http://www.janwhitaker.com
Our truest response to the irrationality of the
world is to paint or sing or write, for only in such response do we find truth.
~Madeline L'Engle, writer
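Added example, not part of the original post or the quoted article: a Python sketch of the ff:fe check the article describes, showing how a MAC address ends up in the interface identifier and how anyone who sees the address can read it back out. The prefix, MAC and addresses are constructed sample values; the function names are hypothetical.

```python
import ipaddress

def mac_to_iid(mac: str) -> bytes:
    """Build the 64-bit interface identifier a device derives from its MAC
    (modified EUI-64, RFC 4291 Appendix A)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # The "same two bytes" from the article are ff:fe, inserted in the middle.
    # The universal/local bit (0x02) of the first byte is also inverted.
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]

def slaac_address(prefix: str, mac: str) -> str:
    """Combine a /64 network prefix with the MAC-derived identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration expects a /64 prefix")
    iid = int.from_bytes(mac_to_iid(mac), "big")
    return str(ipaddress.IPv6Address(int(net.network_address) | iid))

def leaked_mac(address: str):
    """Return the MAC embedded in an IPv6 address, or None when the lower
    64 bits do not have the ff:fe marker (e.g. a Privacy Extensions address).
    A random identifier can contain ff:fe by chance, so a hit means
    'likely', as the article says, not 'certain'."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

if __name__ == "__main__":
    # Constructed sample values (documentation prefix, made-up MAC).
    addr = slaac_address("2001:db8:1:2::/64", "00:1b:63:aa:bb:cc")
    print(addr, "->", leaked_mac(addr))
    # Same device moved to another network: the prefix changes, the ID does not.
    roamed = slaac_address("2001:db8:ffff:9::/64", "00:1b:63:aa:bb:cc")
    print(roamed, "->", leaked_mac(roamed))
    # Constructed random-looking identifier, as Privacy Extensions would use.
    print(leaked_mac("2001:db8:1:2:5c3e:91a7:44d0:8b12"))
```

The second address shows why the identifier works as a tracking handle: the network half changes when the device roams, but the recovered MAC is the same.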