For all those sysadmins tired of having to make excuses for why they haven't moved to IPv6, worry no more: the new protocol brings with it the risk of network infiltration.
That's according to NATO's Cooperative Cyber Defence Centre of Excellence, which has published a research paper [PDF] claiming it is possible to set up undetectable communications channels across networks that could be used to pull out data and control systems remotely.
There's only one downside for IPv6 laggards: the security holes come as a result of IPv4 to IPv6 transition tools.
"Tunnel-based IPv6 transition mechanisms could allow the setup of egress communication channels over an IPv4-only or dual-stack network while evading detection by a network intrusion detection system," the authors – who also came from Estonia's Tallinn University of Technology – wrote in the paper titled Hedgehog in the Fog: Creating and Detecting IPv6 Transition Mechanism-Based Information Exfiltration Covert Channels.*
For their research, they dug into a range of transition technologies and focused on two tools for creating covert communications channels; tools that they describe as "proof-of-concept."
The results were produced in a virtualized environment rather than the real world and assumed an insider threat, ie, that someone already had access to your network and wanted to push information outside without being noticed.
As such, the threat is not a huge one, we are sorry to inform lackadaisical network operators. But it does reflect a real risk, largely because network intrusion and monitoring tools were found not to work (in some cases because the tools simply don't support IPv6).
Although the main threat comes from an insider – and let's be honest, there are plenty of other ways someone trusted inside your network could get information out unnoticed – there is a real risk that hackers could use the approach outlined to escape notice once inside a network.
The researchers used a range of intrusion detection systems from Bro, Moloch, Snort and Suricata to see if the tunneling approach could be detected. Thanks to the combination of connections and protocols, they failed to do so most of the time.
The researchers used four indicators: Y for clear identification of malicious activity; P for partial identification – an alert with little or no description; V for visible detection, ie, included in logs but one that required a person to identify and analyze; and N for no alerts or logs.
The best-performing software in this case managed to actively recognize the threat about a third of the time; the worst picked up nothing at all.
What's the solution? According to the authors, nothing short of a wholesale review of how network traffic is interpreted. Sysadmins need to look at how their security systems are configured to make sure they pick up any unusual traffic flows made using this technique. ®
* Why "Hedgehog in the Fog"? There is no explanation in the paper itself but we suspect it has something to do with a famous 1975 Russian animation about a hedgehog that gets lost in the fog on the way to see a friend for tea and comes across what look like various terrifying animals, although it's hard to be sure what they are. That's what happens when you team up with Estonians for your research.