IPv6 on Your Mobile Phone

You may have IPv6 capabilities on your mobile phone and not even realize it. It has become apparent in 2008 that several mobile phone providers in the U.S. have started to include IPv6 capabilities in their phones. While this is great it has also caused the mobile phone providers to receive a wake-up call about the security implications of IPv6.

The issue is that if the security of a new communications protocol is not considered before it is deployed unforeseen consequences can result. In fact, those service providers who have deployed IPv6 connectivity to their subscribers phones have pulled back some support because of the security issues encountered. I have a HTC 6800 phone from SprintPCS running Windows Mobile 6.1 CE OS 5.2.19208 (Build 19208.1.0.1). Even though my phone has IPv6 connectivity it has less capabilities than when it had CE OS 5.2.1629 (Build 18136.0.4.8).

There is a tool that you can use for your Windows Mobile devices called the Windows Mobile Network Analyzer PowerToy that can tell you about the IP addresses your phone has. This utility has been available for quite some time but it can still be used to help you find out valuable information about how your mobile phone is connected to the Internet. Here is the Windows Network Analyzer output from when I ran it on my SprintPCS HTC 6800. You can see the phones IPv4 address, its 6to4 tunnel interface and address, the beginnings of an ISATAP interface, and the packet statistics for IPv4 and IPv6 protocols.

*** 1\10\2009, 18:50:11 *** Network Analyzer running...

+++ AnalyzerIPconfig.dll +++ Windows IP configuration Ethernet adapter Local Area Connection: IP Address ........ : 0.0.0.0 Subnet Mask ....... : 0.0.0.0 Adapter Name ...... : TNETW12511 Description ....... : TNETW12511 Adapter Index ..... : 2 Address............ : 00 18 41 5a 3a 65 DHCP Enabled....... : YES DHCP Server........ : Primary WinsServer : Secondary WinsServer: Lease obtained on : Saturday, February 6 ,2106 23 : 28 : 15 Lease expires on : Tuesday, November 10 ,1970 23 : 50 : 23 AutoConfig Enabled : YES

PPP Adapter [Cellular Line]: IP Address ........ : 173.117.187.133 Subnet Mask ....... : 255.255.0.0 Default Gateway ... : 173.117.187.133 Adapter Name ...... : Cellular Line Description ....... : Adapter Index ..... : 1376259 Address............ : 00 00 00 00 00 00 DHCP Enabled....... : NO

Tunnel adapter []: Interface Number .. : 4

Tunnel adapter [6to4 Tunneling Pseudo-Interface]: Interface Number .. : 3 IP Address ........ : 2002:ad75:bb85::ad75:bb85 Default Gateway ... : 2002:c058:6301::c058:6301

Tunnel adapter [Automatic Tunneling Pseudo-Interface]: Interface Number .. : 2 IP Address ........ : fe80::5efe:173.117.187.133

Host name.......... : scottsipphone Domain Name........ : DNS Servers........ : 68.28.58.92 68.28.50.91 NODETYPE........... : 8 Routing Enabled.... : NO Proxy Enabled...... : NO Test Module Result: True --- AnalyzerIPconfig.dll ---

+++ AnalyzerPing.dll +++ Ping(Logger, localhost) PingLink: Reply from 127.0.0.1:Echo size=32 time=31ms TTL=128 PingLink: Reply from 127.0.0.1:Echo size=32 time=1ms TTL=128 PingLink: Reply from 127.0.0.1:Echo size=32 time<10ms TTL=128 PingLink: Reply from 127.0.0.1:Echo size=32 time=1ms TTL=128 Test Module Result: True --- AnalyzerPing.dll ---

+++ AnalyzerHTTPPing.dll +++ HTTPPing(Logger, http://www.microsoft.com) dwBytesToRead=128 dwBytesRead=128 InternetCheckConnection() --> TRUE Test Module Result: True --- AnalyzerHTTPPing.dll ---

+++ AnalyzerDeviceInfo.dll +++ OSVERSIONINFO.dwMajorVersion = 5 OSVERSIONINFO.dwMinorVersion = 2 OSVERSIONINFO.dwBuildNumber = 19208 OSVERSIONINFO.dwPlatformId = 3 OSVERSIONINFO.szCSDVersion = Test Module Result: True --- AnalyzerDeviceInfo.dll ---

+++ AnalyzerNetStats.dll +++

Interface Statistics Received Sent Bytes 0 0 Unicast Packets 0 0 NonUnicast Packets 0 0 Discards 0 0 Errors 0 0 Unknown Protocols 0 Name = Index =2 Physical Addrress =0018415A3A65 Description =TNETW12511 Type =6 Mtu =1500 Speed - bps =54000000 Administrative Status =1 Oprerational Status =0 Output Queue Length =0

Interface Statistics Received Sent Bytes 2769 3237 Unicast Packets 28 28 NonUnicast Packets 0 0 Discards 0 0 Errors 0 0 Unknown Protocols 0 Name = Index =1376259 Physical Addrress =000000000000 Description = Type =23 Mtu =1500 Speed - bps =28800 Administrative Status =1 Oprerational Status =1 Output Queue Length =0

TCP TABLE Loc Addr Loc Port Rem Addr Rem Port State 192.168.55.101 1528 192.168.55.100 990 ESTAB 192.168.55.101 1533 192.168.55.100 990 ESTAB 192.168.55.101 1534 192.168.55.100 990 ESTAB 192.168.55.101 1540 192.168.55.100 990 ESTAB 192.168.55.101 1546 192.168.55.100 990 ESTAB 192.168.55.101 1554 192.168.55.100 990 ESTAB

UDP TABLE Loc Addr Loc Port 0.0.0.0 137 0.0.0.0 138 0.0.0.0 9204 127.0.0.1 1883

TCP6 Statistics: -------------- Active Opens = 0 Passive Opens = 0 Connect Attempt Fails = 0 Reset Connections = 0 Current Connections = 0 Segments Received = 0 Segments Sent = 0 Segments Retransmitted = 0 Errors Received = 0 Sgmnts sent w/Reset Flag= 0 Cumulative Connections = 0 Time-Out Algorithm = 4 Time-Out Minimim = 300 Time-Out Maximum = 240000 Maximum Connections = Dynamic (-1)

TCP Statistics: -------------- Active Opens = 260 Passive Opens = 0 Connect Attempt Fails = 1 Reset Connections = 188 Current Connections = 6 Segments Received = 11982 Segments Sent = 16572 Segments Retransmitted = 75 Errors Received = 0 Sgmnts sent w/Reset Flag= 79 Cumulative Connections = 6 Time-Out Algorithm = 4 Time-Out Minimim = 300 Time-Out Maximum = 120000 Maximum Connections = Dynamic (-1)

UDP6 Statistics: -------------- Datagrams Received = 0 No Ports = 0 Receive Errors = 0 Datagrams Sent = 0 Number UDP entries = 1

UDP Statistics: -------------- Datagrams Received = 2035 No Ports = 59 Receive Errors = 2 Datagrams Sent = 2142 Number UDP entries = 4

IP6 Statistics: -------------- Packets Received = 0 Received Header Errors = 0 Received Address Errors = 0 Datagrams Forwarded = 0 Unknown Protocols Received = 0 Received Packets Discarded = 0 Received Packets Delivered = 0 Output Requests = 17 Routing Discards = 0 Discarded Output Packets = 0 Output Packet No Route = 0 Reassembly Required = 0 Reassembly Successful = 0 Reassembly Failures = 0 Datagrams Fragmented OK = 0 Datagrams Fragmented Fail = 0 Fragments Created = 0 DefaultTTL = 128 Datagrams All Frgs Not Rcvd = 120 Number of Interfaces = 5 Number of Addresses = 5 Number of Routes in Table = 0 Forwarding Enabled = 1

IP Statistics: -------------- Packets Received = 28160 Received Header Errors = 0 Received Address Errors = 0 Datagrams Forwarded = 0 Unknown Protocols Received = 0 Received Packets Discarded = 0 Received Packets Delivered = 14080 Output Requests = 18815 Routing Discards = 0 Discarded Output Packets = 0 Output Packet No Route = 69 Reassembly Required = 0 Reassembly Successful = 0 Reassembly Failures = 0 Datagrams Fragmented OK = 0 Datagrams Fragmented Fail = 0 Fragments Created = 0 DefaultTTL = 128 Datagrams All Frgs Not Rcvd = 60 Number of Interfaces = 3 Number of Addresses = 3 Number of Routes in Table = 8 Forwarding Enabled = 2

ICMP6 Statistics Received Sent --------------- ------ ------ Messages 0 27 Errors 0 0 Destination Unreachable 0 0 Packet Too Big 0 0 Time Exceeded 0 0 Param Problem 0 0 Echo Request 0 17 Echo Reply 0 0 Membership Query 0 0 Membership report 0 2 Membership reduction 0 0 Router Solicitation 0 8 Router Advertisment 0 0 Neighbor Solicitation 0 0 Neighbor Advertisment 0 0 Redirect 0 0

ICMP Statistics Received Sent --------------- ------ ------ Messages 60 67 Errors 0 0 Destination Unreachable 52 59 Time Exceeded 0 0 Parmeter Problems 0 0 Source Quenches 0 0 Redirects 0 0 Echos 4 4 Echo Replies 4 4 Timestamps 0 0 Timestamp Replies 0 0 Address Masks 0 0 Address Mask Replies 0 0 Test Module Result: True --- AnalyzerNetStats.dll ---

*** 1\10\2009, 18:50:14 ***

Once we have this information we can try to communicate with the phone. An IPv4 ping doesn’t provide any results. This is probably a good thing because if we could send many packets to the mobile phones they might run out of battery life quickly. This might cause the phone to get hot to the touch because it is so busy communicating with the Internet. That hasn’t happened to you recently has it?

C:\Users\scott>ping 173.117.187.133

Pinging 173.117.187.133 with 32 bytes of data: Request timed out. Request timed out. Request timed out. Request timed out.

Ping statistics for 173.117.187.133: Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

At this point we can also perform an nmap scan of the IPv4 address to see what protocols the phone is listening on. This provides some interesting results as we can see that the phone has several open TCP ports.

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-10 19:28 Mountain Standard Time Initiating Ping Scan at 19:28 Scanning 172.117.187.133 [2 ports] Completed Ping Scan at 19:28, 1.10s elapsed (1 total hosts) Initiating Parallel DNS resolution of 1 host. at 19:28 Completed Parallel DNS resolution of 1 host. at 19:28, 0.81s elapsed Initiating SYN Stealth Scan at 19:28 Scanning 172.117.187.133 [1000 ports] Discovered open port 25/tcp on 172.117.187.133 Discovered open port 80/tcp on 172.117.187.133 Discovered open port 8080/tcp on 172.117.187.133 Discovered open port 3128/tcp on 172.117.187.133 Completed SYN Stealth Scan at 19:28, 4.54s elapsed (1000 total ports) Initiating Service scan at 19:28 Scanning 4 services on 172.117.187.133 Completed Service scan at 19:30, 123.67s elapsed (4 services on 1 host) Initiating OS detection (try #1) against 172.117.187.133 Initiating Traceroute at 19:30 172.117.187.133: guessing hop distance at 1 Completed Traceroute at 19:30, 0.09s elapsed Initiating Parallel DNS resolution of 3 hosts. at 19:30 Completed Parallel DNS resolution of 3 hosts. at 19:30, 0.03s elapsed SCRIPT ENGINE: Initiating script scanning. Initiating SCRIPT ENGINE at 19:30 Completed SCRIPT ENGINE at 19:30, 20.77s elapsed Host 172.117.187.133 appears to be up ... good. Interesting ports on 172.117.187.133: Not shown: 996 filtered ports PORT STATE SERVICE VERSION 25/tcp open smtp? 80/tcp open http Apache httpd 3128/tcp open http Apache httpd 8080/tcp open http-proxy Squid webproxy 2.5.STABLE14 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Device type: general purpose|router|firewall|VoIP phone Running: Linux 2.4.X, MikroTik RouterOS 2.X, Secure Computing embedded, WebVOIZE embedded OS details: Linux 2.4.18 - 2.4.32 (likely embedded), Linux 2.4.21 - 2.4.33, Linux 2.4.28 - 2.4.30, MicroTik RouterOS 2.9.46, Secure Computing SnapGear SG300 firewall, WebVOIZE 120 IP phone Uptime guess: 15.056 days (since Mon Dec 22 18:10:30 2008) TCP Sequence Prediction: Difficulty=200 (Good luck!) IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp) HOP RTT ADDRESS 1 29.00 172.117.187.133

Read data files from: C:\Program Files\Nmap OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 155.48 seconds Raw packets sent: 2042 (92.272KB) | Rcvd: 27 (1252B)

However, from my IPv6 Internet-attached laptop I can ping IPv6 sites on the Internet as well as the IPv6 address of the phone. C:\Users\scott>ping -6 ipv6.google.com

Pinging ipv6.l.google.com [2001:4860:0:2001::68] from 2001:5c0:1000:b::17b3 with 32 bytes of data: Reply from 2001:4860:0:2001::68: time=139ms Reply from 2001:4860:0:2001::68: time=136ms Reply from 2001:4860:0:2001::68: time=137ms Reply from 2001:4860:0:2001::68: time=145ms

Ping statistics for 2001:4860:0:2001::68: Packets: Sent = 4, Received = 4, Lost = 0 (0% loss), Approximate round trip times in milli-seconds: Minimum = 136ms, Maximum = 145ms, Average = 139ms

As you may know, the IPv4 address of a device is used when forming its 6to4 IPv6 address. The IPv4 address of my phone is 172.117.187.133 and if we convert each of these octets into hex characters we then get something that can be used inside an IPv6 address notation. (172 = 0xAC, 117 = 0x75, 187 = 0xBB, 133 = 0x85) Therefore, the 6to4 address of my phone is 2002:ad75:bb85::ad75:bb85.

C:\Users\scott>ping -6 2002:ad75:bb85::ad75:bb85

Pinging 2002:ad75:bb85::ad75:bb85 from 2001:5c0:1000:b::17b3 with 32 bytes of data: Request timed out. Reply from 2002:ad75:bb85::ad75:bb85: time=441ms Reply from 2002:ad75:bb85::ad75:bb85: time=432ms Reply from 2002:ad75:bb85::ad75:bb85: time=531ms

Ping statistics for 2002:ad75:bb85::ad75:bb85: Packets: Sent = 4, Received = 3, Lost = 1 (25% loss), Approximate round trip times in milli-seconds: Minimum = 432ms, Maximum = 531ms, Average = 468ms

There are others within the North American IPv6 Task Force (NAv6TF) who are trying to determine which manufacturers of mobile phones and service providers have and permit IPv6 communications. Jeff Doyle recently got a T-Mobile G1 Google Android phone and found that it didn’t have any IPv6 connectivity. David Green and Joe Klein of Command Information have also been experimenting with IPv6-enabled phones and described the security implications of this type of IPv6 connectivity in their recent presentations.

You can use these techniques to experiment with your own mobile phone. You may be surprised by what you find. Please feel free to share with us if your mobile phone has IPv6 connectivity and what capabilities it has.

Scott

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10