Starlink: Hidden Security Risk

#include ipv6.h

Welcome to the IPv6 Matrix

Which you may not even realise that you are using.

For the busy, a TL;DR: If you are using Starlink[1] and various home networking devices in their default configurations, you may well be exposing your internal network directly to Evil Internet h4x0rs without even realising it.

This item held over from yesterday – I didn’t want to post it on 2023-04-01[10] and have it confused for an April Fool. It’s too serious and too real for that.

Starlink have recently enabled IPv6 on their satellite access equipment (to be more precise, some of their terminals in some regions). Now, I’m no luddite, but it is usually a good idea to apply a few “coats of thinking” before introducing such radical changes – because unintended consequences can, and will, tend to bite one where it hurts most.

“We’re going to need a bigger firewall!”

This Starlink change has exactly those types of unintended consequences. The risks are not obvious until you understand what is going on and the consequences of that. Mitigating the risks is non-trivial and requires some ongoing thought and care, because each and every new device on your internal network may catastrophically undermine the entire security of your internal network.

It isn’t really possible to put a CVSS score on this, because it depends on what is on your internal network, and on how well configured each individual device is. But in general this is equivalent to letting anyone who wants one have a direct connection to your internal network, along with unfettered access back out to the Internet. You can assess for yourself how scary that is; for most such networks that I see, this is fairly high on the scaryscale™.

The White Rabbit put on his spectacles. “Where shall I begin, please your Majesty?” he asked.

“Begin at the beginning,” the King said, very gravely, “and go on till you come to the end: then stop.”

Alice in Wonderland, Lewis Carroll

Let’s walk through this step by step; the individual pieces are straightforward – it’s just the combination that makes for a complex and highly risky mess.

Your Internal Network – A Safe Place™

We’re all used to the relative safety of our home internal network. Most devices we attach to it, whether through wired or wireless connections, get an RFC1918 IP Address[3] via DHCP[4]. They are not directly addressable from the Internet, and when they talk out to the Internet they “hide” behind a single public IP Address. This hide NAT[5] is carried out by your internet router – whether it is connected to DSL, cellular services (3G/4G/5G), fibre links (FTTP/FTTC[0]), or satellite access devices.

A handy consequence of this is that, whilst your devices can talk out to services on the Internet and receive replies, the Internet “sees” all of your devices as coming from a single IP address. If something on the Internet attempts to open a connection to this IP address, your router will not send it on to any of your devices unless you have specifically configured it to do this. So, for free, you get some level of protection from malicious traffic simply by being behind a hide NAT.

What You NEED To Know About IPv6

There are only 7 things you NEED to know about IPv6 at this point.

  1. The First Rule of IPv6 Club is that there is no NAT with IPv6
  2. The Second Rule of IPv6 Club is that there is NO NAT with IPv6
  3. IPv6 Addresses look rather different, all hexadecimal and colons[6]
  4. IPv6 Addresses are big, 128 bits each, cf 32 bits for IPv4
  5. A device may have both an IPv4 network stack AND an IPv6 network stack, and if it does they are separately configured.
  6. DHCP is used for IPv4; a separate but functionally equivalent DHCP6 is used for IPv6
  7. If a device has dual stacks which are both configured, and the service on the Internet to which the device wishes[8] to connect publishes (via DNS) both IPv4 and IPv6 service addresses, then the device will tend in most cases to use IPv6 to communicate with the service.

And here is where the consequences start to pile up into an unhealthy security nightmare.

So Just How Bad Can It Be™?

Let’s consider the NAT issue first[7]. If you have devices on your home network which use IPv6 to talk to services on the Internet, they no longer get “hidden” behind a single address. Their real routable IPv6 address – world unique – will appear as the source address. Your local router doesn’t need to perform any clever magic to get reply packets back to the original device – the real addressing is used throughout.

BUT, and it’s a big but, any device out there on the IPv6 Internet can also initiate connections directly to your individual devices on your internal network for exactly the same reason – there is no hide NAT preventing this, so no specific configuration needs to be created for this to work. The protection you have in the IPv4 world through being behind a hide NAT evaporates completely.

Surely we don’t need to worry though, since you’ve not configured any of your devices to use IPv6, right? Wrong. Items (5), (6) and (7) conspire here. LOTS of systems / devices have dual networking stacks which are both enabled by default. These will tend to default to using DHCP for configuration, but that also means using DHCP6 too. And the tendency to prefer IPv6 communications will tend to reveal your actual IPv6 address – world unique, and world routable – to things out on the Internet. Which is a shame, because the only defence you are left with is obscurity: the hope that nobody finds your address within the network, since scanning the whole range could take infeasibly long given its size.
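A quick way to see whether a host already has one of these world-routable addresses is to classify every IPv6 address on its interfaces by scope. The script below is an added example, not from the original post: the `ipv6_scope` function sorts an address literal into loopback, link-local (fe80::/10), unique-local (fc00::/7) or global unicast (2000::/3), and `report_host` runs it over the live `ip -o -6 addr show` output on Linux (falling back to a constructed sample, which reuses the author’s own example address from footnote [6], where `ip` is not available). Only the “global” rows are reachable from the IPv6 Internet; on a typical LAN such an address arrives via router advertisements (SLAAC) and/or DHCPv6 whether or not you asked for it.

```shell
#!/bin/sh
# Added example: classify a host's IPv6 addresses by scope so the
# world-routable ones stand out. Prefix rules are the well-known allocations:
#   ::1         loopback
#   fe80::/10   link-local   (never leaves the local link)
#   fc00::/7    unique-local (RFC 4193, not routed on the public Internet)
#   2000::/3    global unicast (world-routable; this is what the post is about)

ipv6_scope() {
    # Drop any /prefixlen and fold to lower case before matching.
    addr=$(printf '%s' "${1%%/*}" | tr 'A-F' 'a-f')
    case "$addr" in
        ::1)                          echo loopback ;;
        fe8?:*|fe9?:*|fea?:*|feb?:*)  echo link-local ;;
        fc??:*|fd??:*)                echo unique-local ;;
        2???:*|3???:*)                echo global ;;
        *)                            echo other ;;
    esac
}

# Count how many of the given addresses are globally routable.
count_global() {
    n=0
    for a in "$@"; do
        [ "$(ipv6_scope "$a")" = global ] && n=$((n + 1))
    done
    echo "$n"
}

report_host() {
    # Linux: 'ip -o -6 addr show' prints one address per line,
    # e.g. "2: eth0    inet6 fe80::1/64 scope link ..."; field 4 is the address.
    if command -v ip >/dev/null 2>&1; then
        ip -o -6 addr show 2>/dev/null | while read -r num ifname fam addr rest; do
            printf '%-8s %-13s %s\n' "$ifname" "$(ipv6_scope "$addr")" "$addr"
        done
    else
        # Constructed sample (the global one is the author's footnote [6] address).
        echo "ip(8) not available; showing a constructed sample instead"
        for a in fe80::1c2b:3d4e:5f60:7a8b/64 fd12:3456:789a::10/64 \
                 2a01:348:29d:affa:b1e:feed:0:1/64 ::1/128; do
            printf '%-8s %-13s %s\n' sample "$(ipv6_scope "$a")" "$a"
        done
    fi
}

report_host
```

Run it on each device you care about; any line marked `global` is an address that the IPv6 Internet can reach directly unless a firewall in the path says otherwise.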

Windows, out of the box, will be running dual network stacks for IPv4 & IPv6 unless you explicitly switch off the IPv6 one. This means that Windows will, as well as DHCPing by default for an IPv4 address, also DHCP6 for an IPv6 address – and if you are using Starlink, then it will receive an IPv6 address from the Starlink router.

Mobile phones, both Android and iOS, will do the same but somehow worse – whilst you can turn off IPv6 for cellular communications (per named APN), most devices give you no options to do this for WiFi. If you try to set static IP Addressing for your WiFi on your phone, you will find it lets you set up static IPv4 information, but not IPv6. And it continues to DHCP6 for IPv6 addressing without an option to stop it.

Many IoT and larger devices support dual networking stacks and have them both switched on by default.

The default configuration of many home NAS[9] devices is the same as with Windows; even if you configure static IPv4 Addressing, unless you explicitly turn off IPv6 then your device will DHCP6 for Address information and then happily use it, including for inbound connections from the Internet. Any “public” network shares you have (for the kids to view films or listen to music) which don’t require authentication are suddenly viewable (and possibly writable too if that’s how you configured them) from the entire IPv6 Internet. Authenticated shares are just a bit of password grinding away from revealing their secrets remotely.

Samsung TVs, interestingly, appear to come with IPv6 support but have it switched OFF by default. Whether this is true across all their TVs I don’t know, and whether it will remain that way in the future, who knows.

Just Turn Off IPv6 In The Starlink Config!

This would be ideal. Unfortunately, the Starlink Configuration offers no such option.

Thus mitigation has to be carried out for each and every device on your network, because one such device, if compromised via its direct routability from the public Internet, can offer a jumping-off point for other attacks against your privacy, wallet and data. And don’t forget new devices which get added later!
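What the per-device approach looks like in practice, plus the one place where you can fix it once for everything: an added example, not the post’s own instructions. The `disable_ipv6_linux` function switches the IPv6 stack off on a Linux host (the per-device route the post describes; the Windows equivalent is `Disable-NetAdapterBinding -Name '*' -ComponentID ms_tcpip6` in an elevated PowerShell). The `starlink_v6_ruleset` function assumes a Linux router you control sits between the Starlink terminal and your LAN, and prints a stateful nftables forward chain that lets LAN devices open IPv6 connections outward but drops unsolicited inbound ones, which is the “reply-only” property hide NAT gave you with IPv4. The interface names `lan0` and `wan0` are assumptions; substitute your own.

```shell
#!/bin/sh
# Added example: two layers of IPv6 mitigation.
#   1. Per device (Linux): turn the IPv6 stack off entirely.
#   2. At the boundary: a stateful nftables ruleset on a router you control,
#      sitting between the Starlink terminal and the LAN (assumed topology).
# lan0/wan0 are placeholder interface names; override via LAN_IF / WAN_IF.

LAN_IF="${LAN_IF:-lan0}"
WAN_IF="${WAN_IF:-wan0}"

# 1. Per device: disable IPv6 on all current and future interfaces (needs root).
disable_ipv6_linux() {
    sysctl -w net.ipv6.conf.all.disable_ipv6=1
    sysctl -w net.ipv6.conf.default.disable_ipv6=1
    # Persist across reboots.
    printf 'net.ipv6.conf.all.disable_ipv6 = 1\nnet.ipv6.conf.default.disable_ipv6 = 1\n' \
        > /etc/sysctl.d/99-no-ipv6.conf
}

# 2. Boundary: print a forward-chain ruleset that only lets replies back in.
starlink_v6_ruleset() {
    cat <<EOF
table inet lan_guard {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the LAN opened are allowed back in.
        ct state established,related accept
        ct state invalid drop

        # ICMPv6 the Internet legitimately needs to deliver (path MTU discovery, errors).
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept

        # LAN -> Internet: new outbound connections are fine.
        iifname "$LAN_IF" oifname "$WAN_IF" accept

        # Anything else arriving from the WAN is an unsolicited inbound connection: log and drop.
        iifname "$WAN_IF" log prefix "v6-inbound-drop: " drop
    }
}
EOF
}

# Load the ruleset into the kernel (needs root and nftables).
apply_ruleset() {
    starlink_v6_ruleset | nft -f -
}

case "${1:-show}" in
    show)    starlink_v6_ruleset ;;
    apply)   apply_ruleset ;;
    disable) disable_ipv6_linux ;;
    *)       echo "usage: $0 {show|apply|disable}" >&2; exit 2 ;;
esac
```

`sh mitigate.sh show` prints the ruleset for review, `apply` loads it, and `disable` is the per-device option for a Linux box. The ruleset covers forwarded traffic only; the router’s own `input` chain needs the same established/related-plus-ICMPv6 treatment, and the logged drops are worth watching for a while, since they show you exactly what was being tried against addresses you did not know you had.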

Were Starlink Wise To Do This?

No, in my considered opinion. Providing a single configuration option to “Turn off IPv6” in their Starlink App or the GUI would have made this a lot simpler to mitigate. But even then, switching it on by default is really asking for trouble.

Sometimes even very smart people cannot see the consequences of their actions.

In Summary

Footnotes, References, et al

[0] FTTC = Fibre To The (street) Cabinet. FTTP = Fibre To The Premises

[1] This affects Starlink now. But may easily affect other internet access services in the near future. Quite literally, caveat emptor!

[2] Seems to vary around the world, but from as recently as November 2022

[3] RFC1918 defines ranges of “private use” IP Addresses which will never be routable on the public Internet: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16 – or, if you prefer to think of the ranges this way: 10.0.0.0 – 10.255.255.255, 172.16.0.0 – 172.31.255.255, and 192.168.0.0 – 192.168.255.255.

[4] DHCP is the Dynamic Host Configuration Protocol. A device broadcasts (think of it as shouting, it’s a reasonable analogy) a message saying “here I am on your network, please can I have address information?” and a DHCP server (usually built in to your router) replies supplying it with an IP Address, netmask, default gateway, lease lifetime and (optionally) all sort of other gubbins.

[5] NAT is Network Address Translation. Most home routers will perform hide NAT on outbound packets, substituting the real (Internet routable) IP Address of your service for the private source IP Address of the individual device before packets are sent out over the Internet. This allows Internet-based services to send reply packets which will route their merry way to your router, which uses a little technical magic to re-address the packets to the device which originated the connection.

[6] With different rules for writing them. Here’s one which used to be the address of a server of mine at home: 2a01:348:29d:affa:b1e:feed:0:1 – note that in this particular address, 48 bits are the network number (making this a /48 network – the smallest fiddly bit of IPv6 addressing you tend to use), and 80 bits are the host number, making this tiny little IPv6 network almost mind-bogglingly big having the capacity for 65536 times the entire IPv4 address space squared.

[7] There are complex historical/hysterical reasons why IPv6 has no NAT. Suffice it to say that it was deliberately designed out of the standard, which was written as RFC2460, published in December 1998, and does not hugely differ (especially with respect to NAT) from the final standard ratified in 2017 in RFC8200. If you want to hide your internal IPv6 addresses from the outside world, the way to do it is with PROXIES. However, these are protocol specific, require maintenance and configuration, and are for most home users impractical.

[8] I know, I shouldn’t personify inanimate devices and computers. I know they hate that <grin>

[9] NAS is Network Attached Storage. Useful for home media and other file storage.

[10] “04-01-23” for those across the Big Pond. But if that’s how you write dates, then your clocks should look like this!😏
