One bad apple can spoil your IPv6 privacy

Said Jawad Saidi, Oliver Gasser, Georgios Smaragdakis

Research output: Contribution to journalArticleScientificpeer-review

3 Citations (Scopus)
17 Downloads (Pure)

Abstract

IPv6 is being more and more adopted, in part to facilitate the millions of smart devices that have already been installed at home. Unfortunately, we find that the privacy of a substantial fraction of end-users is still at risk, despite the efforts by ISPs and electronic vendors to improve end-user security, e.g., by adopting prefix rotation and IPv6 privacy extensions. By analyzing passive data from a large ISP, we find that around 19% of end-users' privacy can be at risk. When we investigate the root causes, we notice that a single device at home that encodes its MAC address into the IPv6 address can be utilized as a tracking identifier for the entire end-user prefix-even if other devices use IPv6 privacy extensions. Our results show that IoT devices contribute the most to this privacy leakage and, to a lesser extent, personal computers and mobile devices. To our surprise, some of the most popular IoT manufacturers have not yet adopted privacy extensions that could otherwise mitigate this privacy risk. Finally, we show that third-party providers, e.g., hypergiants, can track up to 17% of subscriber lines in our study.

Original languageEnglish
Pages (from-to)10-19
Number of pages10
JournalComputer Communication Review
Volume52
Issue number2
DOIs
Publication statusPublished - Apr 2022

Bibliographical note

Green Open Access added to TU Delft Institutional Repository ‘You share, we take care!’ – Taverne project https://www.openaccess.nl/en/you-share-we-take-care
Otherwise as indicated in the copyright section: the publisher is the copyright holder of this work and the author uses the Dutch legislation to make this work public.

Keywords

  • EUI-64
  • IoT
  • IPv6
  • User privacy

Fingerprint

Dive into the research topics of 'One bad apple can spoil your IPv6 privacy'. Together they form a unique fingerprint.

Cite this