The global shift from IPv4 to IPv6, long championed for expanding address space, is inadvertently weakening a quiet but effective defence in residential cybersecurity. A recent academic study titled “Where Have All the Firewalls Gone?” finds that the disappearance of Network Address Translation (NAT) in IPv6 networks has exposed millions of household devices—ranging from printers to smart lights—to unsolicited internet traffic, raising the spectre of more potent IoT botnets.

NAT, a staple of IPv4 networks, acts as an unintentional firewall, blocking inbound connections unless explicitly permitted by users. With IPv6, each device can possess a globally routable address, eliminating the need for NAT and, in many cases, this protective buffer. Researchers from Johns Hopkins, the University of Maryland, and San Diego State University conducted the largest measurement of residential IPv6 exposure to date, scanning over two million network prefixes to assess vulnerability.

Device exposure: Their findings are concerning. Of the 66.9 million IPv6 addresses that responded to their scans, 14 million were internal devices within residential networks—devices that, under IPv4’s NAT regime, would likely have been shielded. Notably, services such as Telnet, FTP, and even Apple’s iPhone-Sync were accessible directly, often without the user’s knowledge. A striking 8.6% of internally responding IPv6 devices ran at least one exposed network service.

Monitoring gap: What makes the situation more worrying is that IPv6 traffic appears to be less monitored than its IPv4 counterpart. The researchers’ IPv4 scans frequently triggered intrusion detection systems within minutes. Their IPv6 scans, despite being similarly aggressive, went unnoticed. This monitoring gap may offer would-be attackers an easier path through the IPv6 ecosystem.

Low barrier: The team also demonstrated that sophisticated AI techniques are not required to find vulnerable IPv6 targets. A simple scanning approach, feasible even for low-powered IoT devices, was enough to locate millions of accessible endpoints. This implies that the next wave of botnets could become significantly more virulent simply by going where defences are weakest.

Despite the bleak outlook, the authors suggest that not all is lost. Most exposure stems from default configurations on consumer-grade routers, some of which allow unsolicited inbound traffic. Stronger default firewall settings, better vendor practices, and more vigilant monitoring of IPv6 networks could stem the tide.