It may be years before the new internet protocol IPv6 takes over from the current IPv4, but a security researcher is warning that many systems – corporate and personal – are already open to attack through channels that have been enabled on their machines to support IPv6 traffic.

Joe Klein, a security researcher with Command Information, says many organizations and home users have IPv6 enabled on their systems by default but don't know it. They also don't have protection in place to block malicious traffic, since some intrusion detection systems and firewalls aren't set up to monitor IPv6 traffic, presenting an appealing vector through which outsiders can attack their networks undetected.

"Essentially, we have systems that are wide open to a network," says Klein, who is a member of an IPv6 task force and will be speaking about the issue tonight at the HOPE (Hackers on Planet Earth) conference in New York. "It's like having wireless on your network without knowing it."

The internet is moving to IPv6 because IPv4 is running out of addresses. Estimates of when IPv4 addresses will be exhausted have varied. Command Information has a widget on its web site counting down the number of IPv4 addresses still available each time the American Registry for Internet Numbers assigns an address or block of addresses. By the widget's count, the supply of IPv4 addresses – currently at around 620 million – will run out in about 917 days, or about two and a half years.

Klein says many organizations and home users have installed operating systems and other software on their networks and machines that have been set up to enable IPv6 connections by default, despite the fact that there's very little IPv6 traffic on the net as of yet. Because IPv6 traffic isn't common yet, many protection systems aren't set up to guard against malicious IPv6 traffic. (China will be using IPv6 to provide coverage of the Beijing Olympics this year.)

Attacking a system with inbound malicious IPv6 traffic isn't the only risk to a network. Just having IPv6 enabled on a system – whether it's turned on by default or not – can also allow an attacker who gets in through traditional means (or an insider for that matter) to transmit data out of the system undetected through IPv6.

In 2002, Lance Spitzner of the Honeynet Project revealed that one of the Honeynet's Solaris honeypots in the U.S. was compromised by an intruder who entered the system by traditional means, then enabled IPv6 to tunnel data out of the network to a host in another country. The researchers uncovered the data transfer only because they were using Snort, but they were unable to decode the data. [A discussion thread to Spitzner's post at the link I provided gives additional information about IPv6 attacks and protection.]

The issue should be of particular concern to the U.S. government, since it's leading the way in transitioning to IPv6. The federal government required that the backbone networks of all of its agencies be moved to IPv6 by the end of June 2008. Last year the Defense Department grabbed a block of about 281 trillion IPv6 network addresses. The government is also requiring vendors to produce products that enable IPv6, though it's unclear how many security products are up to date in monitoring and protecting IPv6 connections.

Calls to the Department of Defense were not immediately returned. An IT security specialist who works for a DoD agency, however, says he is not aware of any security guidelines that have been passed down yet from the DoD's Defense Information Systems Agency with regard to IPv6 and says no one should assume the DoD is on top of things with regard to the security of IPv6-enabled networks.

"Certainly awareness of the considerable differences between IPv4 and IPv6 is an integral part of securing IP network traffic as the switchover progresses," says the worker, who asked to remain anonymous because he's not authorized to speak with the press. "But self-awareness has never been a strong suit of federal IT infrastructure."

It's not just networks and home PCs that are vulnerable, however. Klein says thousands of mobile phones use operating systems that enable IPv6 as well. People with phones that operate with Windows Mobile 5 or 6 are particularly vulnerable, he says, because the operating system doesn't come with a firewall to protect them.

"If you can identify the address, you have the ability to portscan and exploit a handset," Klein says.

Josh Rhodes, a spokesman for Microsoft, couldn't confirm that Mobile 5 and 6 come with IPv6 enabled by default but said that if a hacker manages to get into a phone, passwords and other safeguards would protect data on the device. When asked what those safeguards might be, he pointed out Mobile 6's memory card encryption feature and the remote wipe capability that allows an organization to remotely erase data on a phone that's been compromised. The latter, of course, assumes that a phone owner or his company knows when a phone has been compromised.

With regard to the number of users this might affect, Rhodes didn't have a total number for Windows Mobile 5 and 6 users but said that Microsoft sold more than 11 million licenses for Windows Mobile in the last year alone.

In addition to Windows Mobile 5 and 6, Klein says other mobile phone systems are vulnerable as well, though he declined to name them until he's had a chance to contact the companies. He did say, however, that Blackberries and iPhones are not vulnerable.

Klein has prepared a list of other general systems that have IPv6 enabled by default – such as Windows Vista – which you can see in the screenshots at right. Mac OS X is IPv6-enabled by default, but the Mac firewall should protect users as long as they don't enable file sharing or a web server on their system, Klein says.

To determine if your phone, laptop or desktop has IPv6 enabled, you can go to this page. Click on the hyperlink on the right side of the page for the IPv6 test. If no page loads, you're fine. If the page returns an IP address for your machine, then you have IPv6 enabled.

Klein says system administrators who don't map their systems to know what they have and what's enabled on their networks are not only opening themselves to attack, but could be considered non-compliant under Sarbanes-Oxley, HIPAA and other regulations if they haven't secured IPv6, even though these regulations don't require auditors to validate that IPv6 is turned off.

Networks that currently use transition technologies such as Teredo or 6to4, which let IPv4-only systems carry IPv6 traffic inside IPv4 packets, are particularly vulnerable, since the tunnels are often configured to route traffic around a firewall, Klein says.

The DoD security specialist agrees.

"Teredo/ISATAP is currently and will continue to be a major red flag for networks that have both IP versions enabled, because tunneling confuses the heck out of a lot of firewalls and IDS deployments," he says. "For that reason, organizations absolutely must . . . be very much aware of which systems in their networks are IPv6 enabled. I don't personally think most of them have anywhere near a good enough handle on that particular intelligence tidbit."
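The inventory problem Klein and the DoD specialist describe can be tackled from both ends: an IPv6 address built by a transition mechanism (6to4, Teredo, ISATAP) embeds the IPv4 endpoint that actually carries it, and the IPv4 flow that carries a tunnel has a fixed signature (IP protocol 41, or UDP port 3544 for Teredo) that an IPv4-only firewall or IDS can be told to log. The script below is an added example, not code from the article or from Command Information; the sample addresses and flows are constructed from RFC documentation ranges and the RFC 4380 Teredo example.

```python
# Added example: account for IPv6 that rides on top of IPv4 (6to4, Teredo, ISATAP).
# (1) classify an IPv6 address by transition mechanism and recover the embedded IPv4
# endpoint; (2) name the tunnel an IPv4 flow carries, so a v4-only inventory or
# firewall rule review can still see it.
import ipaddress

ISATAP_IIDS = {0x00005EFE, 0x02005EFE}   # interface-ID prefix ::[0|200]:5efe:a.b.c.d
PROTO_IPV6_IN_IPV4 = 41                  # 6to4, 6in4 and ISATAP all use IP protocol 41
TEREDO_UDP_PORT = 3544                   # Teredo servers and relays listen here


def classify_ipv6(text):
    """Return (mechanism, embedded IPv4 or None) for one IPv6 address string."""
    addr = ipaddress.IPv6Address(text)
    if addr.sixtofour is not None:               # 2002::/16, IPv4 sits in bits 16..47
        return "6to4", str(addr.sixtofour)
    if addr.teredo is not None:                  # 2001:0::/32; ipaddress undoes the XOR on the client
        _server, client = addr.teredo
        return "teredo", str(client)
    if (int(addr) >> 32) & 0xFFFFFFFF in ISATAP_IIDS:
        return "isatap", str(ipaddress.IPv4Address(int(addr) & 0xFFFFFFFF))
    return "native", None


def tunnel_in_ipv4_flow(proto, sport, dport):
    """Name the IPv6 tunnel an IPv4 flow carries, or None for ordinary IPv4 traffic."""
    if proto == PROTO_IPV6_IN_IPV4:
        return "6to4/6in4/isatap"                # indistinguishable without the inner IPv6 header
    if proto == 17 and TEREDO_UDP_PORT in (sport, dport):
        return "teredo"
    return None


def audit(ipv6_addrs, ipv4_flows):
    """Return (item, mechanism, embedded_ipv4) findings a v4-centric inventory would miss."""
    findings = [(a,) + classify_ipv6(a) for a in ipv6_addrs]
    for src, dst, proto, sport, dport in ipv4_flows:
        tunnel = tunnel_in_ipv4_flow(proto, sport, dport)
        if tunnel:
            findings.append((f"{src}->{dst}/{proto}:{dport}", tunnel, None))
    return findings


if __name__ == "__main__":
    # Constructed sample data: RFC 5737 documentation ranges plus the RFC 4380 Teredo example.
    seen_ipv6 = ["2002:c000:204::1", "2001:0:4136:e378:8000:63bf:3fff:fdd2",
                 "fe80::5efe:192.0.2.10", "2001:db8::1"]
    seen_ipv4_flows = [("192.0.2.4", "192.88.99.1", 41, 0, 0),              # 6to4 to relay anycast
                       ("192.0.2.45", "65.54.227.120", 17, 40000, 3544),    # Teredo
                       ("192.0.2.7", "198.51.100.9", 6, 51234, 443)]        # plain HTTPS
    for row in audit(seen_ipv6, seen_ipv4_flows):
        print(row)
```

Feeding real flow records or host address lists into `audit` turns the "which systems are IPv6 enabled" question into a concrete list; protocol-41 and UDP/3544 flows are also the ones to log or block at an IPv4 firewall until the IPv6 path is monitored.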

Klein hasn't checked every firewall product to determine if it's protecting IPv6 traffic but says older versions of ZoneAlarm and other tools do not support IPv6, though newer ones do. Customers should check with vendors to determine if they're protected.