IPv6 on Your Mobile Phone

From: http://www.networkworld.com/community/node/37125

 

By Scott Hogg on Sun, 01/11/09 - 9:32pm.

 

You may have IPv6 capabilities on your mobile phone and not even realize it. It has become apparent in 2008 that several mobile phone providers in the U.S. have started to include IPv6 capabilities in their phones. While this is great it has also caused the mobile phone providers to receive a wake-up call about the security implications of IPv6.

The issue is that if the security of a new communications protocol is not considered before it is deployed unforeseen consequences can result. In fact, those service providers who have deployed IPv6 connectivity to their subscribers phones have pulled back some support because of the security issues encountered. I have a HTC 6800 phone from SprintPCS running Windows Mobile 6.1 CE OS 5.2.19208 (Build 19208.1.0.1). Even though my phone has IPv6 connectivity it has less capabilities than when it had CE OS 5.2.1629 (Build 18136.0.4.8).

There is a tool that you can use for your Windows Mobile devices called the Windows Mobile Network Analyzer PowerToy that can tell you about the IP addresses your phone has. This utility has been available for quite some time but it can still be used to help you find out valuable information about how your mobile phone is connected to the Internet. Here is the Windows Network Analyzer output from when I ran it on my SprintPCS HTC 6800. You can see the phones IPv4 address, its 6to4 tunnel interface and address, the beginnings of an ISATAP interface, and the packet statistics for IPv4 and IPv6 protocols.

*** 1/10/2009, 18:50:11 ***
Network Analyzer running...

+++ AnalyzerIPconfig.dll +++
Windows IP configuration
Ethernet adapter Local Area Connection:
IP Address ........ : 0.0.0.0
Subnet Mask ....... : 0.0.0.0
Adapter Name ...... : TNETW12511
Description ....... : TNETW12511
Adapter Index ..... : 2
Address............ : 00 18 41 5a 3a 65
DHCP Enabled....... : YES
DHCP Server........ :
Primary WinsServer :
Secondary WinsServer:
Lease obtained on : Saturday, February 6 ,2106 23 : 28 : 15
Lease expires on : Tuesday, November 10 ,1970 23 : 50 : 23
AutoConfig Enabled : YES

PPP Adapter [Cellular Line]:
IP Address ........ : 173.117.187.133
Subnet Mask ....... : 255.255.0.0
Default Gateway ... : 173.117.187.133
Adapter Name ...... : Cellular Line
Description ....... :
Adapter Index ..... : 1376259
Address............ : 00 00 00 00 00 00
DHCP Enabled....... : NO

Tunnel adapter []:
Interface Number .. : 4

Tunnel adapter [6to4 Tunneling Pseudo-Interface]:
Interface Number .. : 3
IP Address ........ : 2002:ad75:bb85::ad75:bb85
Default Gateway ... : 2002:c058:6301::c058:6301

Tunnel adapter [Automatic Tunneling Pseudo-Interface]:
Interface Number .. : 2
IP Address ........ : fe80::5efe:173.117.187.133

Host name.......... : scottsipphone
Domain Name........ :
DNS Servers........ : 68.28.58.92
68.28.50.91
NODETYPE........... : 8
Routing Enabled.... : NO
Proxy Enabled...... : NO
Test Module Result: True
--- AnalyzerIPconfig.dll ---

+++ AnalyzerPing.dll +++
Ping(Logger, localhost)
PingLink: Reply from 127.0.0.1:Echo size=32 time=31ms TTL=128
PingLink: Reply from 127.0.0.1:Echo size=32 time=1ms TTL=128
PingLink: Reply from 127.0.0.1:Echo size=32 time<10ms TTL=128
PingLink: Reply from 127.0.0.1:Echo size=32 time=1ms TTL=128
Test Module Result: True
--- AnalyzerPing.dll ---

+++ AnalyzerHTTPPing.dll +++
HTTPPing(Logger, http://www.microsoft.com)
dwBytesToRead=128 dwBytesRead=128
InternetCheckConnection() --> TRUE
Test Module Result: True
--- AnalyzerHTTPPing.dll ---

+++ AnalyzerDeviceInfo.dll +++
OSVERSIONINFO.dwMajorVersion = 5
OSVERSIONINFO.dwMinorVersion = 2
OSVERSIONINFO.dwBuildNumber = 19208
OSVERSIONINFO.dwPlatformId = 3
OSVERSIONINFO.szCSDVersion =
Test Module Result: True
--- AnalyzerDeviceInfo.dll ---

+++ AnalyzerNetStats.dll +++

Interface Statistics Received Sent
Bytes 0 0
Unicast Packets 0 0
NonUnicast Packets 0 0
Discards 0 0
Errors 0 0
Unknown Protocols 0
Name =
Index =2
Physical Addrress =0018415A3A65
Description =TNETW12511
Type =6
Mtu =1500
Speed - bps =54000000
Administrative Status =1
Oprerational Status =0
Output Queue Length =0

Interface Statistics Received Sent
Bytes 2769 3237
Unicast Packets 28 28
NonUnicast Packets 0 0
Discards 0 0
Errors 0 0
Unknown Protocols 0
Name =
Index =1376259
Physical Addrress =000000000000
Description =
Type =23
Mtu =1500
Speed - bps =28800
Administrative Status =1
Oprerational Status =1
Output Queue Length =0

TCP TABLE
Loc Addr Loc Port Rem Addr Rem Port State
192.168.55.101 1528 192.168.55.100 990 ESTAB
192.168.55.101 1533 192.168.55.100 990 ESTAB
192.168.55.101 1534 192.168.55.100 990 ESTAB
192.168.55.101 1540 192.168.55.100 990 ESTAB
192.168.55.101 1546 192.168.55.100 990 ESTAB
192.168.55.101 1554 192.168.55.100 990 ESTAB

UDP TABLE
Loc Addr Loc Port
0.0.0.0 137
0.0.0.0 138
0.0.0.0 9204
127.0.0.1 1883

TCP6 Statistics:
--------------
Active Opens = 0
Passive Opens = 0
Connect Attempt Fails = 0
Reset Connections = 0
Current Connections = 0
Segments Received = 0
Segments Sent = 0
Segments Retransmitted = 0
Errors Received = 0
Sgmnts sent w/Reset Flag= 0
Cumulative Connections = 0
Time-Out Algorithm = 4
Time-Out Minimim = 300
Time-Out Maximum = 240000
Maximum Connections = Dynamic (-1)

TCP Statistics:
--------------
Active Opens = 260
Passive Opens = 0
Connect Attempt Fails = 1
Reset Connections = 188
Current Connections = 6
Segments Received = 11982
Segments Sent = 16572
Segments Retransmitted = 75
Errors Received = 0
Sgmnts sent w/Reset Flag= 79
Cumulative Connections = 6
Time-Out Algorithm = 4
Time-Out Minimim = 300
Time-Out Maximum = 120000
Maximum Connections = Dynamic (-1)

UDP6 Statistics:
--------------
Datagrams Received = 0
No Ports = 0
Receive Errors = 0
Datagrams Sent = 0
Number UDP entries = 1

UDP Statistics:
--------------
Datagrams Received = 2035
No Ports = 59
Receive Errors = 2
Datagrams Sent = 2142
Number UDP entries = 4

IP6 Statistics:
--------------
Packets Received = 0
Received Header Errors = 0
Received Address Errors = 0
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 0
Output Requests = 17
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 0
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Fragmented OK = 0
Datagrams Fragmented Fail = 0
Fragments Created = 0
DefaultTTL = 128
Datagrams All Frgs Not Rcvd = 120
Number of Interfaces = 5
Number of Addresses = 5
Number of Routes in Table = 0
Forwarding Enabled = 1

IP Statistics:
--------------
Packets Received = 28160
Received Header Errors = 0
Received Address Errors = 0
Datagrams Forwarded = 0
Unknown Protocols Received = 0
Received Packets Discarded = 0
Received Packets Delivered = 14080
Output Requests = 18815
Routing Discards = 0
Discarded Output Packets = 0
Output Packet No Route = 69
Reassembly Required = 0
Reassembly Successful = 0
Reassembly Failures = 0
Datagrams Fragmented OK = 0
Datagrams Fragmented Fail = 0
Fragments Created = 0
DefaultTTL = 128
Datagrams All Frgs Not Rcvd = 60
Number of Interfaces = 3
Number of Addresses = 3
Number of Routes in Table = 8
Forwarding Enabled = 2

ICMP6 Statistics Received Sent
--------------- ------ ------
Messages 0 27
Errors 0 0
Destination Unreachable 0 0
Packet Too Big 0 0
Time Exceeded 0 0
Param Problem 0 0
Echo Request 0 17
Echo Reply 0 0
Membership Query 0 0
Membership report 0 2
Membership reduction 0 0
Router Solicitation 0 8
Router Advertisment 0 0
Neighbor Solicitation 0 0
Neighbor Advertisment 0 0
Redirect 0 0

ICMP Statistics Received Sent
--------------- ------ ------
Messages 60 67
Errors 0 0
Destination Unreachable 52 59
Time Exceeded 0 0
Parmeter Problems 0 0
Source Quenches 0 0
Redirects 0 0
Echos 4 4
Echo Replies 4 4
Timestamps 0 0
Timestamp Replies 0 0
Address Masks 0 0
Address Mask Replies 0 0
Test Module Result: True
--- AnalyzerNetStats.dll ---

*** 1/10/2009, 18:50:14 ***

Once we have this information we can try to communicate with the phone. An IPv4 ping doesn’t provide any results. This is probably a good thing because if we could send many packets to the mobile phones they might run out of battery life quickly. This might cause the phone to get hot to the touch because it is so busy communicating with the Internet. That hasn’t happened to you recently has it?
C:/Users/scott>ping 173.117.187.133

Pinging 173.117.187.133 with 32 bytes of data:
Request timed out.
Request timed out.
Request timed out.
Request timed out.

Ping statistics for 173.117.187.133:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

At this point we can also perform an nmap scan of the IPv4 address to see what protocols the phone is listening on. This provides some interesting results as we can see that the phone has several open TCP ports.

Starting Nmap 4.76 ( http://nmap.org ) at 2009-01-10 19:28 Mountain Standard Time
Initiating Ping Scan at 19:28
Scanning 172.117.187.133 [2 ports]
Completed Ping Scan at 19:28, 1.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:28
Completed Parallel DNS resolution of 1 host. at 19:28, 0.81s elapsed
Initiating SYN Stealth Scan at 19:28
Scanning 172.117.187.133 [1000 ports]
Discovered open port 25/tcp on 172.117.187.133
Discovered open port 80/tcp on 172.117.187.133
Discovered open port 8080/tcp on 172.117.187.133
Discovered open port 3128/tcp on 172.117.187.133
Completed SYN Stealth Scan at 19:28, 4.54s elapsed (1000 total ports)
Initiating Service scan at 19:28
Scanning 4 services on 172.117.187.133
Completed Service scan at 19:30, 123.67s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 172.117.187.133
Initiating Traceroute at 19:30
172.117.187.133: guessing hop distance at 1
Completed Traceroute at 19:30, 0.09s elapsed
Initiating Parallel DNS resolution of 3 hosts. at 19:30
Completed Parallel DNS resolution of 3 hosts. at 19:30, 0.03s elapsed
SCRIPT ENGINE: Initiating script scanning.
Initiating SCRIPT ENGINE at 19:30
Completed SCRIPT ENGINE at 19:30, 20.77s elapsed
Host 172.117.187.133 appears to be up ... good.
Interesting ports on 172.117.187.133:
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
25/tcp open smtp?
80/tcp open http Apache httpd
3128/tcp open http Apache httpd
8080/tcp open http-proxy Squid webproxy 2.5.STABLE14
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|router|firewall|VoIP phone
Running: Linux 2.4.X, MikroTik RouterOS 2.X, Secure Computing embedded, WebVOIZE embedded
OS details: Linux 2.4.18 - 2.4.32 (likely embedded), Linux 2.4.21 - 2.4.33, Linux 2.4.28 - 2.4.30, MicroTik RouterOS 2.9.46, Secure Computing SnapGear SG300 firewall, WebVOIZE 120 IP phone
Uptime guess: 15.056 days (since Mon Dec 22 18:10:30 2008)
TCP Sequence Prediction: Difficulty=200 (Good luck!)
IP ID Sequence Generation: All zeros

TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 29.00 172.117.187.133

Read data files from: C:/Program Files/Nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 155.48 seconds
Raw packets sent: 2042 (92.272KB) | Rcvd: 27 (1252B)

However, from my IPv6 Internet-attached laptop I can ping IPv6 sites on the Internet as well as the IPv6 address of the phone.
C:/Users/scott>ping -6 ipv6.google.com

Pinging ipv6.l.google.com [2001:4860:0:2001::68] from 2001:5c0:1000:b::17b3 with 32 bytes of data:
Reply from 2001:4860:0:2001::68: time=139ms
Reply from 2001:4860:0:2001::68: time=136ms
Reply from 2001:4860:0:2001::68: time=137ms
Reply from 2001:4860:0:2001::68: time=145ms

Ping statistics for 2001:4860:0:2001::68:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 136ms, Maximum = 145ms, Average = 139ms

As you may know, the IPv4 address of a device is used when forming its 6to4 IPv6 address. The IPv4 address of my phone is 172.117.187.133 and if we convert each of these octets into hex characters we then get something that can be used inside an IPv6 address notation. (172 = 0xAC, 117 = 0x75, 187 = 0xBB, 133 = 0x85) Therefore, the 6to4 address of my phone is 2002:ad75:bb85::ad75:bb85.

C:/Users/scott>ping -6 2002:ad75:bb85::ad75:bb85

Pinging 2002:ad75:bb85::ad75:bb85 from 2001:5c0:1000:b::17b3 with 32 bytes of data:
Request timed out.
Reply from 2002:ad75:bb85::ad75:bb85: time=441ms
Reply from 2002:ad75:bb85::ad75:bb85: time=432ms
Reply from 2002:ad75:bb85::ad75:bb85: time=531ms

Ping statistics for 2002:ad75:bb85::ad75:bb85:
Packets: Sent = 4, Received = 3, Lost = 1 (25% loss),
Approximate round trip times in milli-seconds:
Minimum = 432ms, Maximum = 531ms, Average = 468ms

There are others within the North American IPv6 Task Force (NAv6TF) who are trying to determine which manufacturers of mobile phones and service providers have and permit IPv6 communications. Jeff Doyle recently got a T-Mobile G1 Google Android phone and found that it didn’t have any IPv6 connectivity. David Green and Joe Klein of Command Information have also been experimenting with IPv6-enabled phones and described the security implications of this type of IPv6 connectivity in their recent presentations.

You can use these techniques to experiment with your own mobile phone. You may be surprised by what you find. Please feel free to share with us if your mobile phone has IPv6 connectivity and what capabilities it has.

Scott