In this talk, we will present public services that expose previously hidden client devices, making them measurable and vulnerable. First, we will show that by participating in the NTP Pool—a public, volunteer-run collection of Network Time Protocol servers—we can learn billions of live, mostly client IPv6 devices. Using this dataset, we show that the transition from v4 to v6 has resulted in the removal of the de facto firewall of the Internet—NAT boxes—thus permitting us to connect to more phones, lights and printers over v6 than is possible over v4. Second, we will show that Apple’s public WiFi-based Positioning System reveals the locations and Basic Service Set Identifiers of billions of WiFi access points around the world, permitting us to track the locations of high-value targets like military deployments across the world. Collectively, these findings demonstrate the dangers of public services and the challenges involved in using them safely.
Dave Levin is an associate professor of computer science at UMD who specializes in network security. His work has been recognized with the Institute of Electrical and Electronics Engineers Cybersecurity Award for Innovation, a National Science Foundation Faculty Early Career Development award, multiple Internet Engineering Task Force Applied Networking Research Prizes, and multiple best paper awards. Levin also serves on the National Academies of Sciences, Engineering, and Medicine Forum on Cyber Resilience. He is extremely dedicated to expanding diversity and inclusion in undergraduate research, for which he received a National Center for Women & Information Technology Undergraduate Research Mentoring Award.