7 tweets, 2 min read
1/ If you care about IoT security, the thing you should be promoting isn't "no default passwords", but "randomized IPv6 addresses". I mention this because this is my current IPv6 configuration at this bar I'm at. One of the addresses is predictable.
2/ Typical IPv6 will give a device three addresses. It grabs the prefix (2603:3001:2d00:da00:: in my case) and creates a "static" address, a "temporary" address, and asks the router for a DHCPv6 assignment.
3/ The "temporary address" is used as the default address for creating outbound connections, and changes every few minutes. Even as I write these tweets, it's changed.
4/ The static "secured" address will accept incoming connections, but chances are you can never guess it. It's a 64-bit random number. The DHCPv6 "dynamic" address, though, can easily be guessed.
5/ That's a problem. You can reasonably scan Comcast's prefix space, and then scan the lower bits of the addresses. It's a lot of guesses, but combined, it's still fewer than the 32-bit address space we regularly scan for with IPv4.
6/ The various RFCs recommend that your DHCPv6 servers don't do this, that they choose a random address to assign, but routers aren't following the recommendations. This is going to lead to security problems in the future.
7/ Anyway, since I'm at a bar, and not revealing my real addresses, I thought I'd document it.

Also, that's not my real MAC address, in case you google it and think it's a good reason to arrest me. :-)
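As an added illustration (not code from the thread), here is a small audit script a defender can run over a host's IPv6 addresses to spot the case the thread describes: an interface identifier that is low-numbered (a sequentially assigned DHCPv6 lease) or MAC-derived rather than a 64-bit random value. The sample addresses are constructed on the prefix mentioned in the thread; the interface identifiers are made up and the "sequential" threshold of 16 low bits is an assumption.

```python
import ipaddress

# Constructed samples on the thread's prefix 2603:3001:2d00:da00::/64.
# The interface identifiers are invented, not the author's real addresses.
SAMPLE_ADDRESSES = [
    "2603:3001:2d00:da00:d1c0:55bf:9a3e:7f12",  # stable "secured" address (random IID)
    "2603:3001:2d00:da00:48b9:1e3c:a0d7:22e4",  # temporary address (random IID)
    "2603:3001:2d00:da00::1a",                   # DHCPv6 lease handed out in order
]


def interface_id(addr):
    """Return the low 64 bits (the interface identifier) of an IPv6 address."""
    return int(ipaddress.IPv6Address(addr)) & ((1 << 64) - 1)


def classify_iid(addr, low_bits=16):
    """Classify how guessable the interface identifier of `addr` is.

    'sequential' - every bit above the low `low_bits` is zero, the pattern a
                   DHCPv6 server produces when it assigns ::1, ::2, ... in order
    'eui64'      - the 0xfffe marker sits in the middle, i.e. the IID embeds
                   the interface's MAC address (modified EUI-64)
    'random'     - neither pattern; treated as a 64-bit random identifier
    """
    iid = interface_id(addr)
    if iid >> low_bits == 0:
        return "sequential"
    if (iid >> 24) & 0xFFFF == 0xFFFE:
        return "eui64"
    return "random"


def predictable_addresses(addresses, low_bits=16):
    """Return the addresses whose IID is not random, i.e. worth fixing."""
    return [a for a in addresses if classify_iid(a, low_bits) != "random"]


if __name__ == "__main__":
    for addr in SAMPLE_ADDRESSES:
        print(f"{addr:40} {classify_iid(addr)}")
    print("predictable:", predictable_addresses(SAMPLE_ADDRESSES))
```

On a real host, feed the script the output of `ip -6 addr` (or equivalent); any address it reports as sequential or eui64 is one the thread's scanning argument applies to.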
Author: Robᵇᵉᵗᵒ Graham