IPv6: Smartphones compromise users' privacy
Since version 4 of the iOS operating system, Apple's iPhones, iPads and iPods have been capable of handling IPv6, and most Android devices have been capable since version 2.1. However, the operating systems transfer an ID that discloses information about their users: devices usually determine half of their IPv6 address (the "interface identifier") themselves. On a wireless network, the smartphones don't appear to be careful enough with this task; they simply add the same two bytes to their globally unique MAC address and use the result as their identifier. As a result, they transfer a unique hardware ID whenever they communicate with an IPv6-enabled server.
The issue is particularly sensitive because such devices tend to be used by one specific person. As a result, the MAC address, which is accessible to any server operator and network monitor, allows this user to be identified.
The basic problem isn't an IPv6 issue, because various other methods for generating the address are available. For instance, a device can generate a random interface identifier and replace it on a regular basis. This method is called Privacy Extensions and is the factory-set option in Windows; it can also be enabled in other operating systems.
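To check whether your own devices expose their MAC address this way, the following added example (not part of the original article) rebuilds the MAC-derived interface identifier as specified in RFC 4291, Appendix A, and flags addresses that carry one. The function names and the sample addresses are assumptions made for illustration; the samples are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample: documentation prefixes (2001:db8::/32) and a MAC from the
# IANA documentation range (00:00:5e:00:53:xx). Not real observations.
SAMPLE = [
    "2001:db8:1:1:200:5eff:fe00:532a",     # home Wi-Fi, MAC-derived identifier
    "2001:db8:beef:2:200:5eff:fe00:532a",  # other network, same device
    "2001:db8:1:1:3c91:77a2:90d4:1b6e",    # randomized identifier
]

def eui64_interface_id(mac):
    """Interface identifier a device derives from its MAC (RFC 4291, App. A)."""
    octets = bytes(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    # Flip the universal/local bit, then put the fixed bytes ff:fe in the middle.
    return bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]

def mac_from_address(addr):
    """Return the MAC embedded in an address, or None if none is visible.

    Heuristic: a random identifier contains ff:fe at this position by chance
    about once in 65536 cases, so treat a single hit as a hint, not proof.
    """
    iid = ipaddress.IPv6Address(addr).packed[8:]   # low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)

def audit(addresses):
    """Map each exposed MAC to the /64 networks it was seen in."""
    seen = {}
    for addr in addresses:
        mac = mac_from_address(addr)
        if mac is not None:
            net = ipaddress.ip_network(addr + "/64", strict=False)
            seen.setdefault(mac, set()).add(str(net))
    return {mac: sorted(nets) for mac, nets in seen.items()}

if __name__ == "__main__":
    for mac, nets in audit(SAMPLE).items():
        print(f"{mac} exposed in {len(nets)} network(s): {', '.join(nets)}")
```

A device that shows up under the same MAC in more than one network has the same lower 64 bits everywhere it connects; with Privacy Extensions enabled, its addresses should no longer appear in the audit result.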
