Attack hijacks sensitive data using newer Windows features

Security researchers have outlined a way to hijack huge amounts of confidential network traffic by exploiting default behavior in Microsoft's Windows operating system. The MITM, or man-in-the-middle, attacks described on Monday take advantage of features added to recent versions of Windows that make it easy for computers to …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward
    Anonymous Coward

    Hardly news

    Who needs to worry about introducing hardware to exploit this? I've dealt with viruses introduced via email in a v4 environment that act as rogue DHCP servers, making themselves the default gateway for clients so they get to see outgoing traffic from affected clients. Not really news, because v6 is hardly more affected than v4.

  2. Allicorn
    Thumb Down

    Title schmitle

    Dear dear, let's all worry about Windows and IP6 now, because if somebody physically broke in and added custom hardware to my Linux and IP4 network, I'd be just fine.

    1. Vic

      You missed the point...

      > if somebody physically broke in and added custom hardware

      It doesn't need custom hardware - just something that acts as a router.

      That's a piece of software. It could easily be a piece of malware.

      Vic.

      1. Mark 65

        So the point is

        You get malware installed and things go to shit - hardly a revelation.

        1. Anonymous Coward
          Anonymous Coward

          re: You get malware installed and things go to shit

          ITYM you get one bit of malware on your network and the whole network's Internet traffic is vulnerable - that's a bit more worrying.

          1. Lee Dowling Silver badge

            Erm

            Only if your networking config is that bad in the first place. I.e. if it allows rogue DHCP servers, if it allows promiscuous traffic sniffing / injection, etc.

            Any decent network config with, literally, an off-the-shelf £100 switch will let you stop such things happening. And then "compromised PC" (of any ilk) is only able to contact things it was ALLOWED to contact anyway.

            Seriously, this isn't a Windows/Linux/etc. problem. It's a networking problem. If you have crap networking, this could affect the network. Otherwise it's a single rogue PC (and the implications of that, e.g. if it stores plaintext passwords, etc.)

  3. ElReg!comments!Pierre

    tainted router?

    "have physical access to the targeted network in order to install a tainted router"

    Something like a laptop with a wireless AP, perhaps?

    Agreed, if you want to catch wired networks in big companies you'll have to borrow the janitor's set of keys (hardly unfeasible, but necessitates BOFH-like planning). But whip out Ye Olde dual-WiFi card laptop at your local Starbucks (or in the lobby of your main competitor's building) and I'm sure you can catch enough juicy data to keep your Nigeria-based startup busy (or to do very nasty things to your main competitor).

    1. Anonymous Coward
      Anonymous Coward

      Hmm...

      I don't think that a corporate network would be vulnerable unless they are already routing IPv6 packets; if they are, the chances are that they are using IPv6 already and therefore wouldn't be vulnerable.

      If they have IPv6 turned on and weren't using it, routers would have to be configured to pass DHCP to your tainted router, which isn't very likely.

      If you install an IPv6 wireless router into a corporate environment, this will also probably not work because the laptops would not be configured to connect to this new AP, and also more than likely would not speak IPv6.

      I think this is a small company/home user problem, which requires physically installed hardware in a compromised site, or a wireless user to connect to a new AP.

      1. ElReg!comments!Pierre

        @ AC

        "or a wireless user to connect to a new AP."

        Yes, that was the problem I was referring to. Given that the vulnerable OSes also have a tendency to connect to whatever AP is "best" -without warning- by default, you'd catch a lot of people at Starbucks.

        Depending on how the corporate WiFi is set, you'll probably be able to also catch data from visitors and/or personal laptops from management at your competitor's. Probably enough to really harm them (you don't need much info to mount a devastating social engineering attack).

  4. Anonymous Coward
    Grenade

    Question

    ...but assuming the machine is already compromised how hard would it be for the attacker to put a self-signed Root CA on the machine to then allow the MITM to spy on SSL traffic?

  5. Joe Montana
    FAIL

    What's new?

    So what this boils down to is that by inserting a rogue piece of hardware onto a network, you can hijack traffic and have it rerouted through your machine, using ipv6...

    Assuming ipv6 is turned on

    Assuming the application you're hijacking is ipv6 aware

    Assuming you can create ipv6 dns records (afaik ipv6 stateless autoconfig doesn't set dns)

    Assuming the hosts someone is trying to access are looked up via dns and not referenced by ip

    Or, since you have access to the local network you could just stick to the traditional arp spoofing or dhcp hijacking attacks which have worked well for years.

    All this does is further impede the progress of ipv6 and spread fud.

    1. Vic

      This is new...

      > by inserting a rogue piece of hardware

      ...Or a rogue piece of software.

      > Assuming ipv6 is turned on

      It is, by default.

      > Assuming the application you're hijacking is ipv6 aware

      No - that happens in the network stack. The application may neither know nor care that its transport is IPv6.

      > Assuming you can create ipv6 dns records

      If you're hijacking traffic, you can.

      > All this does is further impede the progress of ipv6 and spread fud

      Not entirely. There's a real story here, even if it's a problem that's quite easily solved.

      Vic.

    2. prathlev
      Boffin

      @ARP spoofing etc.

      One of the points here is that most exploits in IPv4 have been dealt with so you have no end of knobs to turn, e.g. "Dynamic ARP Inspection", "DHCP Snooping" et cetera. Features similar to these are much less common in IPv6, which is a shame. Though there's not much new in the article one can hope it helps forcing the vendors to supply RA Guard et cetera.

  6. jonathan 11
    Paris Hilton

    Or just use IPv6

    The attack works simply because IPv6 is preferred. So if you set up your own router to use IPv6 the problem is solved, yes? If IPv6 is already configured the attack would be ineffective as the computer would already be attached and not find the alternate router's proposal attractive.

    Paris, because your computer is just as promiscuous...

    1. Joe Earl
      Black Helicopters

      Conspiracy

      It's a collusion to force us to upgrade all network equipment to IPv6! Or to downgrade our OS! (not sure of the profit angle on that one)

      1. unitron

        re: Conspiracy

        "Or to downgrade our OS! (not sure of the profit angle on that one)"

        Have you seen what XP still sells for?

        Now imagine increased demand.

  7. Anonymous Coward
    Grenade

    Possible without physical access..

    Any other machine already plugged into the network could act as the evil router in this exploit if they can run a daemon to respond to the SLAAC requests. This means any compromised system could potentially become the gateway for this type of attack.

    Physically installing a router is not required to pull this off, it just makes it quite simple to do.

  8. HollyHopDrive
    Unhappy

    For those with a mac....

    Open System Preferences - Network. Go into the 'advanced' for your connection and click on the TCP/IP tab. Then click the Configure IPv6 drop down and set the menu to Off. Click OK and then Apply button.

    .

    IPv6, a whole new can of worms for us to worry about........

  9. Smelly Socks
    FAIL

    headless chickens

    danger level adequately summed up here:

    http://mailman.nanog.org/pipermail/nanog/2011-April/034957.html

    -ss

  10. Anonymous Coward
    Anonymous Coward

    SSL

    If you want to make sure you're actually connected to the machine you think you are then SSL is your friend (Comodo issued 'fake' certs aside) - good luck trying MITM if the traffic is encrypted anyway, and that applies to both v4 and v6.

  11. Peter 39
    Happy

    Mac users

    If you use command-line then the simple way to disable IPv6 for all interfaces is

    sudo ip6 -x

  12. Mike Flugennock
    Pint

    Thanks for the heads-up, El Reg...

    Under MacOSX (OS of the Gods):

    System Prefs > Network > Configure IPv6 > Choose "off" > click OK.

    There, easy as getting drunk. Speaking of which...

  13. david 12 Silver badge

    ipv6 on Windows Server

    Do NOT turn IPV6 off on a Windows 2008 server. IPV6 is used for the internal routing. Turning IPV6 off on a Windows 2008 server is like disconnecting 127.0.0.1 and LocalHost on an IPV4 machine: something will break.

    1. Anonymous Coward
      Anonymous Coward

      Err...

      Presumably you can unbind it from your NICs though? That's the way I do it and I haven't noticed any problems... yet...

  14. Shannon Jacobs
    Boffin

    NOW they tell us!

    Actually, I've seen some weird network stuff that makes me wonder if this is already going on in certain providers' networks, possibly on a large scale. Unfortunately, I'm not a network expert, and what looks quite anomalous to me might be perfectly reasonable and safe to someone who actually understands these things. In the situation where a legitimate IPv6 network is in use, what should the configuration state of the IPv4 data look like?

    1. prathlev
      Happy

      @Shannon Jacobs

      It depends on what you mean by "configuration state". Most deployments are dual stack where IPv4 and IPv6 live together. Each one is configured just like if it was the only one. In some deployments you could have tunnelling here and there, but for most users/uses this should appear transparent.

      If you suspect your ISP is incapable of handling issues like these you really should choose another. Protecting customers from each other has long been a standard ISP practice and IPv6 doesn't change this at all.

  15. Oliprof
    FAIL

    Yet more Non-news FUD

    Just a protip: turning off IPv6 on your machines is both pointless and silly unless there's a possibility of someone plugging their own router into your stuff, in which case, why not just go with the good old tried and tested IPv4 attacks... hell, a rogue radvd + DHCPv6 server will work just as well as a rogue DHCPv4.

    Correct mitigation? don't let people install crap inside your network.

    1. yossarianuk
      Linux

      I agree

      'don't let people install crap inside your network.'

      Like Windows.

    2. 4ecks
      FAIL

      Problem solved

      So if you put up a notice that states "No Crap allowed on the network" everything will be ok?

  16. Anonymous Coward
    Thumb Up

    Or just purchase switches that implement RA Guard / RFC 6105

    RA Guard is a switch feature that allows the sysadmin to configure an L2 switch so as to only accept RA messages from specified ports. Obviously you'd only accept RAs from the port with the router on it.

    Unfortunately that's only available on rather upmarket kit (e.g. Cisco with rather recent IOS loads) at the moment.

    Never mind, by the time I get around to rolling out IPv6, even cheap switches should have that feature. Or my employer won't be buying them!
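The RA Guard behaviour this post describes (accept Router Advertisements only from the port the real router sits on), together with the rogue-router and "can the attacker push DNS?" points raised in posts 5 and 7, as an added worked example that is not from any commenter, from The Register, or from any switch vendor's code: a small Python model of RFC 6105 style RA filtering, run over constructed Ethernet/IPv6/ICMPv6 frames. The frame layout follows RFC 4861 (Router Advertisement, Prefix Information option) and RFC 6106 (RDNSS option, which is how an RA can hand hosts a DNS server without DHCPv6). The function names, port names, MAC addresses and IPv6 prefixes are assumptions invented for the example; the `build_ra` helper exists only to produce test input, so it leaves the ICMPv6 checksum at zero.

```python
import struct
import ipaddress
from dataclasses import dataclass, field

ETHERTYPE_IPV6 = 0x86DD
IPPROTO_ICMPV6 = 58
ICMPV6_ROUTER_ADVERT = 134
OPT_PREFIX_INFO = 3      # RFC 4861 Prefix Information option
OPT_RDNSS = 25           # RFC 6106 Recursive DNS Server option
ALL_NODES = ipaddress.IPv6Address("ff02::1")


@dataclass
class RouterAdvert:
    src_mac: str
    src_ip: str
    hop_limit: int          # IPv6 hop limit; RFC 4861 requires 255 for ND messages
    router_lifetime: int
    prefixes: list = field(default_factory=list)
    dns_servers: list = field(default_factory=list)


def build_ra(src_mac, src_ip, prefix, dns=(), hop_limit=255, lifetime=1800):
    """Construct an Ethernet/IPv6/ICMPv6 Router Advertisement frame (constructed
    test input only; checksum left at zero because nothing here transmits it)."""
    net = ipaddress.IPv6Network(prefix)
    icmp = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERT, 0, 0, 64, 0, lifetime, 0, 0)
    # Prefix Information with on-link + autonomous flags, so SLAAC hosts adopt it
    icmp += struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, net.prefixlen, 0xC0,
                        2592000, 604800, 0) + net.network_address.packed
    if dns:
        icmp += struct.pack("!BBHI", OPT_RDNSS, 1 + 2 * len(dns), 0, lifetime)
        icmp += b"".join(ipaddress.IPv6Address(d).packed for d in dns)
    ip6 = struct.pack("!IHBB", 6 << 28, len(icmp), IPPROTO_ICMPV6, hop_limit)
    ip6 += ipaddress.IPv6Address(src_ip).packed + ALL_NODES.packed
    eth = bytes.fromhex("333300000001") + bytes.fromhex(src_mac.replace(":", ""))
    return eth + struct.pack("!H", ETHERTYPE_IPV6) + ip6 + icmp


def parse_ra(frame):
    """Return a RouterAdvert if `frame` carries an ICMPv6 RA, otherwise None."""
    if len(frame) < 14 + 40 + 16:
        return None
    src_mac, ethertype = struct.unpack_from("!6sH", frame, 6)
    if ethertype != ETHERTYPE_IPV6 or frame[14] >> 4 != 6:
        return None
    payload_len, next_hdr, hop_limit = struct.unpack_from("!HBB", frame, 18)
    if next_hdr != IPPROTO_ICMPV6:
        return None
    icmp = frame[54:54 + payload_len]
    if len(icmp) < 16 or icmp[0] != ICMPV6_ROUTER_ADVERT:
        return None
    ra = RouterAdvert(src_mac=":".join(f"{b:02x}" for b in src_mac),
                      src_ip=str(ipaddress.IPv6Address(frame[22:38])),
                      hop_limit=hop_limit,
                      router_lifetime=struct.unpack_from("!H", icmp, 6)[0])
    off = 16
    while off + 2 <= len(icmp):
        opt_type, opt_len = icmp[off], icmp[off + 1]
        body = icmp[off:off + opt_len * 8]
        if opt_len == 0 or len(body) < opt_len * 8:
            break  # zero-length or truncated option: stop rather than loop or overread
        if opt_type == OPT_PREFIX_INFO and opt_len == 4:
            ra.prefixes.append(f"{ipaddress.IPv6Address(body[16:32])}/{body[2]}")
        elif opt_type == OPT_RDNSS and opt_len >= 3:
            for i in range((opt_len - 1) // 2):
                addr = body[8 + 16 * i:24 + 16 * i]
                ra.dns_servers.append(str(ipaddress.IPv6Address(addr)))
        off += opt_len * 8
    return ra


def ra_guard(frame, ingress_port, trusted_ports, router_macs):
    """Decide whether a switch should forward `frame`. Non-RA traffic is always
    forwarded; an RA is forwarded only if it arrives on a trusted port, from a
    known router MAC, and passes the RFC 4861 validity rules (hop limit 255,
    link-local source). Returns (decision, reasons, parsed RA or None)."""
    ra = parse_ra(frame)
    if ra is None:
        return "forward", [], None
    reasons = []
    if ingress_port not in trusted_ports:
        reasons.append(f"RA on untrusted port {ingress_port}")
    if ra.src_mac not in router_macs:
        reasons.append(f"RA from unknown router MAC {ra.src_mac}")
    if ra.hop_limit != 255:
        reasons.append(f"hop limit {ra.hop_limit} != 255 (not link-originated)")
    if not ipaddress.IPv6Address(ra.src_ip).is_link_local:
        reasons.append(f"non-link-local source {ra.src_ip}")
    return ("drop" if reasons else "forward"), reasons, ra


if __name__ == "__main__":
    trusted, routers = {"Gi0/1"}, {"00:11:22:33:44:01"}   # assumed legitimate router port/MAC
    legit = build_ra("00:11:22:33:44:01", "fe80::1", "2001:db8:1::/64", ["2001:db8:1::53"])
    rogue = build_ra("de:ad:be:ef:00:01", "fe80::bad", "2001:db8:bad::/64", ["2001:db8:bad::53"])
    for port, frame in (("Gi0/1", legit), ("Gi0/7", rogue)):
        decision, reasons, ra = ra_guard(frame, port, trusted, routers)
        print(port, decision, reasons, "prefixes:", ra.prefixes, "dns:", ra.dns_servers)
```

Two things the run makes visible: the rogue RA is dropped on port trust alone, before any of its content matters, which is why the post above calls RA Guard a switch feature rather than a host fix; and the parsed RDNSS list shows that an RA can carry a DNS server address, so a rogue router does not need DHCPv6 or an existing DNS record to redirect name resolution. The hop-limit and link-local checks catch the other case an access switch sees: an RA forwarded from off-link, which RFC 4861 says a host must discard anyway.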

  17. Mage Silver badge

    Router?

    Many PCs are connected to cable modems or 3G modems that have no router or firewall. Presumably the ISP, though, would need to be providing you with IP6.

    So it's hard to see that many people would be vulnerable, as almost no 3G connections provide IP6.

    It's hard to see how this can work easily.

  18. TRT

    I turn off IPv6 anyway

    on any new macs I hook up, just to cut out a few packets worth of useless chatter, but I can't see a simple switch for the Windows 7 machines. Any pointers anyone?

    1. Anonymous Coward
      Anonymous Coward

      Yes...

      Start -> Control Panel -> Network and Sharing Centre

      Click on 'Connections: Local Area Connection' (unless you've renamed the default NIC), then Properties.

      In the "Networking" tab that pops up, deselect "Internet Protocol Version 6 (TCP/IPv6)"

      Then ok.

      This unbinds IPv6 from your NIC, if you've got multiple NICs, do it for each NIC.

  19. launcap Silver badge
    Stop

    Some people are hoping IPV6 fails..

    For good, technical reasons!

    See here:

    http://apenwarr.ca/log/?m=201103#28

    (As an IT manager working with a large network I tend to agree.) And this vulnerability makes me even less enthusiastic.

    1. SImon Hobson Silver badge

      Well I'm hoping it doesn't fail

      >> For good, technical reasons!

      >> http://apenwarr.ca/log/?m=201103#28

      Most of those "good reasons" are (IMO) actually good arguments FOR IPv6. Much of what is written is simply drivel written by someone who has never had to deal with the problems caused by s**t like NAT. IMNSHO, if you think NAT is a good idea, you are completely unqualified to talk about networking.

      Part of the problem getting IPv6 off the ground is that some f**kwit invented NAT and made people believe the problem was "solved". We'd be far better off now if the effort that's gone into sorting out the s**t caused by NAT has been invested in fixing the real problem instead of new artificial problems.

      If you think NAT is easy to deal with (just use STUN, I hear being uttered), try it with a Zyxel router and see how well it doesn't work! UPnP isn't an answer unless you think having a service designed to allow an untrusted bit of software to completely bypass your security is a good thing.

      True, there are going to be some adjustments needed, and issues to work out. The subject of this article is **NOT** one of them - it's simply an old problem using the new protocol, and the tools haven't caught up *YET*. For example, our helpdesk aren't looking forward to diagnosing connection problems with users who struggle to "type ping 192.168.1.1 and press the return key" even when you spell it out keypress by keypress.

      PS - yes I do think some aspects of IPv6 are sub optimal, but that is just detail - there's nothing fundamentally wrong.

  20. The Fuzzy Wotnot
    Pint

    All well and good, but...

    While this is worth pursuing and holes need to be filled, sadly the biggest threat to computer security is still the dingbat sitting at the keyboard clicking away with wild abandon. Until everyone is educated to take precautions, the nasties will find the easiest route into a system.

    We're the weakest link, goodnight!

  21. thecakeis(not)alie

    But...but...

    IPV6 was going to solve everything! Every implementation is beyond question and it makes PERFECT SENSE to give every bloody device on your network a publicly routable address! This didn't happen; it's obviously been reported wrong. Nothing bad could ever happen to anything involving IPV6 or any of its implementations because the END-TO-END MODEL IS SACRED AND IT REALLY, REALLY, MATTERS (tm)!!!

    Go IPV6 now and unicorns will fall from the sky, ensuring peace, love and the continuation of God's Own End-To-End Model.

  22. OziWan
    FAIL

    Stunned

    Guys and gals, do some research and then post, not the other way around!

    1. OziWan

      Re: Stunned

      Got some private replies which suggest my comment was not constructive :).

      http://sourcedaddy.com/windows-7/understanding-isatap.html

      Is a good place to start. You really do not need dhcp, dns or any of the protocols you are used to. You need a machine to answer with a certain name (which can be auto discovered in an ipv6 network).

      The 'exploit' described in the article remains a corner case to a large extent but let's face it, our hacker/malware friends have demonstrated their imagination too many times for us to not take all threats seriously.

  23. Anonymous Coward
    Anonymous Coward

    SANS ISC comment

    http://isc.sans.edu/diary.html?storyid=10660
