Flaw Label: Exploiting IPv6 Flow Label

Flaw Label: Exploiting IPv6 Flow Label—Jonathan Berger, Amit Klein, Benny Pinkas

The IPv6 protocol was designed with security in
mind. One of the changes that IPv6 has introduced over IPv4 is
a new 20-bit flow label field in its protocol header.

We show that remote servers can use the flow label field in
order to assign a unique ID to each device when communicating
with machines running Windows 10 (versions 1703 and higher),
and Linux and Android (kernel versions 4.3 and higher). The
servers are then able to associate the respective device IDs with
subsequent transmissions sent from those machines. This identification is done by exploiting the flow label field generation logic
and works across all browsers regardless of network changes.
Furthermore, a variant of this attack also works passively, namely
without actively triggering traffic from those machines.

To design the attack we reverse-engineered and cryptanalyzed
the Windows flow label generation code and inspected the
Linux kernel flow label generation code. We provide a practical
technique to partially extract the key used by each of these
algorithms, and observe that this key can identify individual
devices across networks, VPNs, browsers and privacy settings.
We deployed a demo (for both Windows and Linux/Android)
showing that key extraction and machine fingerprinting works
in the wild, and tested it from networks around the world.

source
ipv6