LAS VEGAS — Your home wireless router may be telling everyone on the internet exactly where you live.
That's because millions of home gateway routers, especially those leased to customers by their internet service providers (ISPs), leak their unique hardware ID numbers through their Internet Protocol (IP) addresses — and those hardware ID numbers can be connected to publicly available maps that show the street locations of Wi-Fi networks.
- Your router's security stinks: Here's how to fix it
- How to access your router's settings
- Just in: Millions of Wi-Fi routers under attack by botnet malware
"A large number of routers in the wild use legacy IPv6 addressing that permits the recipient to very precisely locate that router physically," explained researchers Rob Beverly and Erik Rye, who presented their findings at the Black Hat information-security conference here last week.
So now, that angry guy who you argued with in that heated online discussion the other day could find out exactly where you live, even if he doesn't know your name. That's not supposed to be possible.
This situation is due to a technological quick fix that was applied, and then quickly superseded, two decades ago. Unfortunately, the legacy of that decision remains today.
Beverly and Rye, both of the Center for Measurement and Analysis of Network Data (CMAND) at the Naval Postgraduate School in Monterey, California, have developed a tool called IPvSeeYou that scans the internet for IP addresses that may reveal gateway routers' unique ID numbers, also called MAC addresses.
The tool then tries to match those ID numbers to the 450 million geolocated Wi-Fi networks in public databases.
"We found more than 60 million routers that are revealing their hardware MAC addresses," said Rye and Beverly. "We were able to precisely geolocate about 12 million residential routers."
Furthermore, by analyzing the network traffic to and from those routers, Beverly and Rye found they could also roughly locate other home routers that simply used the same ISPs as routers whose hardware IDs were exposed online.
"Simply living near [these exposed] routers is a privacy threat," the researchers said.
What you can do about this
It's hard to overestimate how scary this situation is, even if it involves terms and protocols that most people have never heard of. Fortunately, it's rather easy to avoid. Here's what you can do.
Check your router and modem setup. Is the router, which sends out the Wi-Fi signal, a separate device from the modem, which is what the cable or phone line connects to? If you're seeing two different devices, then you don't need to worry about this.
Are the router and modem one single device, sometimes called a home gateway? In other words, does the cable or phone line plug into the same device that's sending out the Wi-Fi signal? If so, take the following steps.
Did you buy the home gateway yourself? Then refer to its instruction manual and figure out how to disable IPv6.
Did your ISP give you the home gateway to use? Then contact your ISP and ask them whether and how IPv6 — pronounced "eye-pee-vee-six" — can be disabled. If the customer-service representative has no idea what you're talking about, ask to be connected to a technician.
If none of the above solutions work, you may want to consider buying your own router. The gateway provided by your ISP can probably be converted to work in modem-only mode, but you'll have to ask your ISP about that.
You could also buy your own modem as well, but you'll want to check with your ISP about which models are compatible with its service.
What's really going on here
In order to properly explain how all this works, we'll have to bring in some technical terms.
IP addresses: These are the routing numbers that computers and everything else on the internet use to connect to each other. Most IP addresses are temporary, are assigned somewhat randomly, and can be changed.
There are two common types of IP address. The older, more familiar format is based on Internet Protocol version 4 (IPv4) from 1981. IPv4 addresses use four clusters of numbers ranging from 0 to 255 and look something like this: 18.104.22.168.
The newer format is based on Internet Protocol version 6 (IPv6) from 1998. Its IP addresses use eight clusters of numbers and letters (actually numbers too) to end up looking like this: 2001:0000:8e52:d45a:77fb:9069:3bd2:0c65.
IPv6 addresses were supposed to have completely replaced IPv4 addresses years ago, but that hasn't happened. Instead, most internet-ready devices made since 2005 or thereabouts support both protocols, and many have both IPv4 and IPv6 switched on by default. Your home wireless gateway may be one of these.
MAC addresses: These are permanent, unique ID numbers for every network interface on every networked device worldwide. Your laptop has one MAC address for Wi-Fi, another for Bluetooth, and maybe a third for Ethernet.
The most familiar type of MAC address has 48 bits and looks like this: 00:6b:c7:55:4e:21. The first three pairs of letters and numbers indicate the hardware maker, while the last three are unique to a specific device.
There's also a newer format for MAC addresses, called EUI-64, that adds two more pairs of characters. To convert a 48-bit MAC address to an EUI-64 address, you add "ff:fe" to the middle of the 48-bit MAC address and "flip the bit" of the seventh binary character from the left so that zero (0000) becomes 2 (0010). So our 48-bit MAC address from above ends up being the EUI-64 address 02:6b:c7:ff:fe:55:4e:21.
What's important to know is that if you see the characters "ff:fe" in the middle of an EUI-64 address, then you will know it was derived from a MAC address, which itself can be easily figured out.
SSID: This is the name of a Wi-Fi network. It's what shows up when your smartphone or laptop scans for available networks. Your home router broadcasts its SSID to any compatible device within range. SSIDs can easily be changed.
BSSID: This is a number identifying a specific Wi-Fi access point. In home Wi-Fi networks, the access point and the router are the same, but larger Wi-Fi networks often use more than one access point. Like the SSID, the BSSID is broadcast to all local devices whether they're connected to the Wi-Fi network or not.
However, there are two important things to know about BSSIDs. In most cases, the BSSID of an access point or router is the same as the MAC address of its Wi-Fi interface. And unlike the SSID, the BSSID generally does not change.
SSID/BSSID mapping: Hundreds of millions of Wi-Fi networks worldwide have been located and logged, and their SSIDs, BSSIDs and physical locations can be looked up online or by getting developer access to Apple or Google's databases of Wi-Fi networks. If the signal from your home Wi-Fi network can be picked up by a laptop in a passing car, then your network name, BSSID and location is probably in at least one of those databases.
Home internet gateway, residential gateway or gateway device: A single device that combines a cable or DSL broadband modem and a Wi-Fi router. It's often leased to the customer by the ISP.
A huge security hole for more than 20 years
This complicated system is pretty private and secure, and there's usually no way to link the internet-facing IPv4 or IPv6 address of a home internet gateway to the router's BSSID. Your IP address shouldn't be able to narrow down your location to anything more specific than a state or city.
Likewise, your neighbors can see your Wi-Fi network name and the BSSID of your home Wi-Fi router, but they can't use that information to figure out your internet-facing IP address.
But there's a loophole in this system that's big enough to drive a truck through.
Back in the late 1990s when the IPv6 protocol was being developed, Beverly and Rye explained, someone decided to insert device MAC addresses into IPv6 addresses using the EUI-64 algorithm mentioned above.
That's easy and convenient, especially when a device has limited processing power and just wants to have an IPv6 address it can use alongside its IPv4 one. And because MAC addresses are unique, it means that there's little or no risk of a duplicate IPv6 address.
But remember, EUI-64 is based on the 48-bit MAC address, the unique hardware identifier that no one on the internet is supposed to see.
As Beverly and Rye explained, experts quickly realized that devices were embedding their MAC addresses right into their IPv6 addresses, which creates a huge privacy risk. A newer, more randomized method of creating IPv6 addresses was made available in 2001.
"This was recognized as a problem 20 years ago, and a short-lived randomization process was introduced as a privacy extension" for IPv6 addresses, Beverly explained. "But a lot of devices still use the older format."
An internet problem with physical consequences
The problem, as Beverly said, is that many makers of networking devices didn't get the memo. At least 60 million internet-facing devices, their research found, including as least 12 million home residential gateways in 147 different countries around the world, still use EUI-64 MAC addresses as part of their IPv6 addresses.
If you use a home residential gateway, this is like including a photo of your driver's license with every email you send.
Plus, because the MAC address is permanent, the second half of your IPv6 address may never change, meaning you can be tracked online.
Even worse, if you're using a gateway rather a separate modem and router, then the MAC address for your router's internet connection is likely very similar to the Wi-Fi MAC address that's part of your network's BSSID.
That's because different MAC addresses in the same device are often very close to each other. (On my own smartphone, the Bluetooth and Wi-Fi MAC addresses differ by a value of 1.)
So the MAC address of the internet interface of your home gateway router, the one that may be being broadcast to the entire internet as part of its IPv6 address, is probably very similar to the Wi-Fi MAC address used in your home wireless network's BSSID. That's the same BSSID whose precise geographic location may be a matter of public record.
All someone has to do is connect the dots by noticing that the two MAC addresses addresses are very similar. For example, the internet MAC address may be 00:6b:c7:55:4e:21, while the Wi-Fi MAC address and BSSID may be 00:6b:c7:55:4e:20.
So now, an attacker can get your IPv6 address using common software tools, derive your home gateway router's internet 48-bit MAC address, scan the online Wi-Fi maps for BSSIDs that are very close to the internet MAC address, and then come over and say hello in a very aggressive way.
Say hello to the neighbors
Not only that, but if your neighbors are using the same ISP (as is common in the U.S., where cable companies often have local monopolies), then they'll likely be connected to the same nearby router on the ISP end as you are.
"If we can geolocate the service provider's router," the researchers said, "then we can geolocate non-EUI-64 addresses attached to that router."
That ISP router will show up as the "last hop" on network traceroutes to both your own and your neighbors' routers. And if someone figures out your street address from your IPv6 address, they'll know that everyone who shares that last-hop ISP link lives within a few miles of your.
To prove the validity of their methods, Beverly and Rye got five volunteers who had home-gateway routers that used EUI-64-derived IPv6 addresses.
Their IPvSeeYou tool accurately located four of those routers to about 50 meters, or 150 feet, of precision. The fifth device couldn't be found, and it turned out that its internet and Wi-Fi MACs were not very similar.
The same thing worked on a much larger scale. Of those 12 million or so home gateway routers geolocated by IPvSeeYou, more than 1 million of them were Comcast Xfinity gateway routers located in the U.S.
Rye and Beverly mapped out the inferred geographic locations of those routers on a map of the continental U.S. and found that it corresponded almost exactly with the FCC's own map of Comcast broadband service.
Limitations and mitigations
The IPvSeeYou geolocation process doesn't always work. Beverly and Rye explained that some home-gateway routers issued by ISPs use better, more secure ways of generating IPv6 addresses that don't involve the MAC address.
Other gateway routers may be too far from a public street to show up on geolocated Wi-Fi-network lists. And sometimes the MAC addresses on a single device don't resemble each other, as in the example above.
The real solution to this problem, the researchers said, is for device manufacturers to stop using EUI-64 to generate IPv6 addresses. However, that won't help the millions of devices out there that won't be or can't be upgraded with a firmware update.
Beverly and Rye said they reached out to multiple device vendors about this issue, with mixed results.
Asked by Tom's Guide which vendors had the most vulnerable devices, the researchers replied that they'd rather praise the German router maker Fritz!Box, which has a large share of the German home-gateway market and was "extremely responsive" to their inquiries.
Beverly and Rye's IPvSeeYou tool is available for free online, and you can download it at github.com/6int/IPvSeeYou.