[LINK] smartphone privacy problems

Jan Whitaker jwhit at janwhitaker.com
Thu Jan 27 20:18:56 AEDT 2011


14 January 2011, 15:41
IPv6: Smartphones compromise users' privacy

Since version 4 of the iOS operating system, 
Apple's iPhones, iPads and iPods have been 
capable of handling IPv6, and most Android 
devices have been capable since version 2.1. 
However, the operating systems transfer an ID 
that discloses information about their users: 
devices usually determine half of their IPv6 
address (the "interface identifier") themselves. 
On a wireless network, the smartphones don't 
appear to be careful enough with this task; they 
simply add the same two bytes to their globally 
unique MAC address and use it as their 
identifier. As a result, they transfer a unique 
hardware ID whenever they communicate with an IPv6-enabled server.

The issue is particularly sensitive because such 
devices tend to be used by one specific person. 
As a result, the MAC address, which is accessible 
to any server operator and network monitor, allows this user to be identified.

The basic problem isn't an IPv6 issue, because 
various other methods for generating the address 
are available. For instance, a device can 
generate a random interface identifier and 
replace it on a regular basis. This method is 
called Privacy Extensions[1] and is the 
factory-set option in Windows; it can also be 
enabled in other operating systems.

It's the smartphone users who haven't got a 
chance: mobile devices running Apple's iOS or 
Android offer neither the option to enable 
Privacy Extensions nor the option to disable IPv6 
– anyone who uses an affected device on an 
IPv6-enabled wireless network will transmit their ID.

[for those who aren't up on this, IPv6 is the 
upcoming addressing system since we're running 
out of IPv4 addresses for devices]

The only thing the smartphones are lacking is a 
control option in the user interface, as the 
Privacy Extensions do come as part of their 
kernel. For instance, on a (jailbroken) iOS 4 
device with root access, they can be enabled with 
the same command that enables them on a desktop device running Mac OS X:

sysctl -w net.inet6.ip6.use_tempaddr=1

The problem is currently only affecting a small 
number of users because IPv6 is not yet in 
widespread use. However, German Telekom and 
several other IPs plan to offer IPv6 in addition 
to the old IPv4 during this year. In addition, 
there are such routers as the Cisco Linksys 
E3000[2], which will, without requesting user 
consent, even establish an IPv6 connection via a 
6to4 conversion[3] when their internet access is purely IPv4.

You can check whether you are using such a 
telltale IPv6 address with an online tool 
available on the heise Germany web site: the 
version of "My-Ip-Service" on the server – only 
accessible via IPv6 – 
http://www.six.heise.de/ip[4], will display your 
IPv6 address if you have IPv6-enabled internet 
access. If the combination ff:fe marks the 
boundary between the third-but-last and 
second-but-last address segments, the six bytes 
before and after it are likely to be your MAC address."

http://www.h-online.com/security/news/item/IPv6-Smartphones-compromise-users-privacy-1169708.html?view=print

  http://snipurl.com/1x56zg


Melbourne, Victoria, Australia
jwhit at janwhitaker.com
blog: http://janwhitaker.com/jansblog/
business: http://www.janwhitaker.com

Our truest response to the irrationality of the 
world is to paint or sing or write, for only in such response do we find truth.
~Madeline L'Engle, writer
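
The ff:fe check described in the quoted article, as an added example that is not part of the original post or the article: it recovers the MAC address from a MAC-derived interface identifier and shows that the same hardware ID follows a device across networks. The function names, the MAC 00:11:22:33:44:55 and the 2001:db8::/32 documentation-prefix addresses are constructed for illustration.

```python
import ipaddress

def mac_from_eui64(addr):
    """Return the MAC embedded in an EUI-64 style IPv6 address, else None."""
    ip = ipaddress.IPv6Address(addr.split("%")[0])   # drop a zone id like %en0
    iid = ip.packed[8:]                # low 64 bits: the interface identifier
    if iid[3:5] != b"\xff\xfe":        # the two filler bytes the article mentions
        return None                    # e.g. a Privacy Extensions (random) address
    # RFC 4291 also inverts the universal/local bit of the first MAC byte.
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in mac)

def eui64_address(prefix, mac):
    """Build the address a device derives from its MAC on a given /64."""
    net = ipaddress.IPv6Network(prefix)
    m = bytes.fromhex(mac.replace(":", ""))
    iid = bytes([m[0] ^ 0x02]) + m[1:3] + b"\xff\xfe" + m[3:6]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))

def group_by_device(addresses):
    """Map each recovered MAC to the addresses that expose it."""
    seen = {}
    for a in addresses:
        mac = mac_from_eui64(a)
        if mac:
            seen.setdefault(mac, []).append(a)
    return seen

# Constructed sample data: one device on two networks, plus one random identifier.
SAMPLE_MAC = "00:11:22:33:44:55"
HOME = eui64_address("2001:db8:1:2::/64", SAMPLE_MAC)
CAFE = eui64_address("2001:db8:ffff:9::/64", SAMPLE_MAC)
RANDOM = "2001:db8:1:2:5c3a:91d0:7e42:a1b9"

if __name__ == "__main__":
    for mac, addrs in group_by_device([HOME, CAFE, RANDOM]).items():
        print(mac, "seen as", addrs)
```

A randomly generated identifier can contain ff:fe in that position by coincidence, so a match means "likely", as the article says.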
