Using IPV4 protocol, vulnerability search engines can detect and index Internet connected devices. It will be easy for a hacker to collect a lot of information about some devices and perform an attack. Is that possible for The new Internet protocol IPv6 to give us more privacy? And is that immune to the types of systematic scans?
Asked
Active
Viewed 335 times
2
-
What is "the vulnerability search engine"? – Neil Smithline Feb 25 '16 at 16:13
-
If a device can be connected to, then it can be scanned. IPv6 will not help with that. I'm curious, how do you think shodan indexes connected devices? – schroeder Feb 25 '16 at 16:34
-
@schroeder Apparently by getting malicious NTP servers in popular pools. – CodesInChaos Feb 25 '16 at 17:28
-
@schroeder ShodanHQ describes itself like the search engine for internet of things, webcams.... – GAD3R Feb 25 '16 at 18:36
-
@GAD3R but how do you think it indexes the things you can search for? – schroeder Feb 25 '16 at 19:19
1 Answers
5
Sort of. The IPv6 range is big. Really big. You just won't believe how vastly, hugely, mind-bogglingly big it is. I mean, you may think it's a long way down the road to the chemist, but that's just peanuts to space the IPv6 range. (with apologies to Douglas Adams)
There are 340,282,366,920,938,463,463,374,607,431,768,211,456 addresses in the IPv6 space. There are 4,294,967,296 addresses in the IPv4 space. A standard single user allocation of IPv6 addresses includes enough addresses for each user to run their own IPv4 space.
As a result, it becomes impractical to run full scans of the entire space. Assuming it took you 1 nanosecond to scan each address (or detect that it didn't exist), it would take you 10,790,283,070,806,013,952 millenia to scan the full range. Multiply by 1000 for the number of years.
However, most of the interesting ones are likely to be in predictable clumps. For example, a given company may choose to assign devices within their IPv4 size range, in which case it would be possible to scan through that if you can find the appropriate prefix to look at - it might be published in a DNS record for a web or email server. It might be included in the headers of emails from the company. In those cases, you can scan and potentially get useful information.
The general idea with IPv6 was that end-users never need to look at it. They should be able to make a request for a specific device - "the lightbulb in the living room", say - and the local equivalent of a DNS server supplies the correct address. Currently, this isn't quite the case. However, if this did become the case, you'd better hope that the DNS equivalent systems are secure, else they'll publish all your device details to the world, and if any of them leak, you can bet someone will be trying to spot the data.
Matthew
- 27,233
- 7
- 87
- 101