from Hacker News

ISP Spying

by early on 2/16/18, 8:07 AM with 129 comments

  • by wepple on 2/16/18, 1:41 PM

    I’ve pulled apart router firmware plenty of times, and am never surprised to see nbtscan, nmap, and all sorts of other tools on there.

    A lot of ISPs will perform remote diagnosis by connecting into your router and scanning your internal hosts to see if there are any problems.

    Between that capability and general appalling security of routers, you’re basically on Starbucks WiFi from a security perspective even at home.

    important note: buying an off the shelf netgear/tplink/linksys/whatever might stop your ISP remoting in, but is still wildly full of vulnerabilities.

  • by aus_ on 2/16/18, 2:53 PM

    There is varying levels of difficulty when you want to BYO router. The situation for AT&T U-Verse isn't too fun. If you want to use your own hardware, you only have a few options:

    1. They offer "IP Passthrough" which is fake Bridge Mode. They still do routing and you'll still hit NAT table limits of 4096. Connection falls apart for anything over 3000.

    2. You can dump and reverse the router-gateway firmware and 802.1X/EAP authentication. Oh goodie.

    3. There's a history of exploits for the NVG510, NVG589 and NVG599. Try your luck. [1] [2]

    4. Create some "magic" to split the 802.1X and untag VLAN0. Works in Linux at least. [3]

    5. But good luck if you want to do this in pfSense or FreeBSD. There's an open BTC bounty if you've got any netgraph / networking chops. [4]

    [1]: http://earlz.net/view/2012/06/07/0026/rooting-the-nvg510-fro...

    [2]: https://www.nomotion.net/blog/sharknatto/

    [3]: http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NA...

    [4]: https://forum.pfsense.org/index.php?topic=111043.0

  • by jstanley on 2/16/18, 10:01 AM

    In the UK, they're legally required to spy on you (but not through your router).

    https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016

  • by liotier on 2/16/18, 2:25 PM

    I plugged French Orange's GPON FTTH ONT into my Debian router's RJ-45 port, added a VLAN interface, added a couple of lines to my DHCP client configuration to pretend my router is some Sagem device and pass authentication to the server... And that's all - sweet 500/200 Mb/s throughput, no ISP CPE in sight (well, technically the ONT...) and Orange even waived the 3€/month CPE rental fee !

    Former provider offered FTTB and I used the coaxial cable CPE as a bridge - and even when I do not have that option, I insist on having a router of my own as my network's demarcation: it is basic hygiene.

    Other option for GPON would have been to plug a GPON SFP module into one of my switches - the friendly guy who laid the fiber to my apartment even left me one in case I changed my mind... But going through the switch to the router and back to the switch on a different VLAN is unnecessarily complicated in my case. Anyone wants a free GPON SFP module ?

  • by mmrezaie on 2/16/18, 9:39 AM

    Is there a portal like-place to share our findings of ISPs generally in the world so that others can work together with better transparency?

    I do data analytics and data engineering and a couple of months ago indirectly I have been contacted by an ISP in Spain and they literally were collecting every bit of data that their customers were seeing on internet (websites, timestamps, how much data were transferred and etcetera with the user's id and basically in another table name and address). I was shocked how easy they were talking about it. I didn't accept but for sure someone has done it! I never heard the name of the ISP, I wish I didn't bark at them so fast and I could collect more information about them.

  • by laveur on 2/16/18, 2:09 PM

    When I bought my fist house a few years ago here in the Bay. Comcast tried to give me one of their new routers wifi and everything built in. I let them but I wasn't happy. I hooked up my own router and ended up double natting it. After a few hours of frustration I went out bought my own cable modem. Installed that and returned the one comcast had provided. When asked why I sighted security and privacy concerns. Working for a fortune 500 means they could easily do some sneaking and see a lot of stuff that I worked on. Either way I use Ubiquity hardware throughout my house. Its a bit expensive but god is it good.

  • by LeoPanthera on 2/16/18, 10:26 AM

    I've been forwarding all outgoing connections on port 80 (and a selection of other commonly-unencrypted ports) through a VPN (in the router) for a while now - but leaving all other ports (including most importantly 443) connecting directly.

    It feels like a good compromise between privacy and speed.

    (I realise this is not the subject of the article exactly but I figured it's a related issue.)

  • by Cieplak on 2/16/18, 11:10 AM

    Another cool thing about WiFi routers is that you can use them as radars to monitor people in a home. The 2.4ghz frequency is perfect for reflecting off water bodies while having great penetration through walls.

  • by Buge on 2/16/18, 9:54 AM

    That router looks like its control panel is hosted on an external server. Router control panels usually show what devices are connected. So for router control panel functionality, they need to have the router report all connected devices to the server. Obviously they should be doing this encrypted, not unecrypted.

    But ignoring encryption, this is the price you pay for cloud management: the could knows your data.

  • by javajosh on 2/16/18, 10:41 AM

    Is it just me or does this look like a huge opportunity? Last I checked we still have control over our devices, and if they are stupid enough to trust the data they collect, then we should feel free to poison the well. I'm talking about opening random connections to endpoints (either random or those we want to protect), to inject noise into the system. I call the idea "data flak". It could be something as simple as a daemon running in the background, or a browser plugin. You want to spy on my traffic? Fine, good luck picking out my real behavior from the gigabytes of utter crap I'm shoving into your sensors. This works not just at the ISP level, but at every intermediate host, too.

    The only counter is for an adversary to own your box, which is far more expensive.

  • by alxndr13 on 2/16/18, 11:00 AM

    In Germany you are able to use any router you want, regardless of which ISP you use.

    https://www.cr-online.de/bgbl116s0106.pdf

  • by mirimir on 2/16/18, 9:43 AM

    I always assume that they might be. So I always use my own perimeter router/firewall running pfSense. Plus I use VPN services. And so my ISps don't end up seeing anything except encrypted streams. And have no visibility into my vLANs.

  • by RoadieRoller on 2/16/18, 2:38 PM

    Somewhere someone could be selling your data for money. I can imagine the below happening. After all, all corporates are hand-in-glove with each other when it comes to public's privacy.

    This is probably what your ISP is doing. Take your MAC Addresses, try to find the phones in your house which is connected to the wifi, take those MAC addresses to all the telecoms, get the SIM card number and the phone number associated with those MAC numberss, send those phone numbers to the banks to find matching bank accounts and the associated credit card number, along with your registered email address, get the purchase history from the bank on the credit card number, compare it with your browsing history and sell all of this to another company and make money.

  • by philjohn on 2/16/18, 10:08 AM

    This isn't an issue if you're not using the ISP equipment, or put the ISP equipment into a bridge modem mode.

    For instance, BT in the UK do the same reporting over TR-069 if you use their home hub - however - if you connect a different VDSL modem/router you can disable TR-069, and if you use a dedicated VDSL modem in bridged mode and a wireless router behind that there's no TR-069 to worry about in the first place.

  • by slhck on 2/16/18, 10:41 AM

    I recently learned about this when I reported Internet speed issues to my home ISP (upload was basically impossible, while download was at 100 MBit/s).

    They said they'd look into it, but they couldn't process my claim unless they could prove something was connected via Ethernet to their router. (They apparently never trust customer WiFi speed test results, probably because WiFi on their crappy routers can be notoriously unreliable.)

    I ultimately had to connect something to the router's Ethernet port, so I grabbed another WiFi router, configured it as an access point, plugged it in, and voilà, they could verify that a device was connected and processed my complaint.

    Obviously customer service reps can easily get access to a list of what is connected to the router.

  • by dbolgheroni on 2/16/18, 3:47 PM

    Two huge cases from previous years:

    https://nakedsecurity.sophos.com/2012/10/01/hacked-routers-b...

    https://www.welivesecurity.com/2016/10/21/cybercriminals-tar...

    Your router is critical, and choosing them wisely is one of the most important things if you care about some security.

  • by wowamit on 2/16/18, 10:33 AM

    Every now and then, we are reminded that our router remains the prominent data collector for our online presence. And ISP, the prominent data aggregator. And neither are really too keen to protect our data online.

  • by rishabhd on 2/16/18, 9:41 AM

    well, who isn't? Even at the most basic level, my local ISP is injecting ads into browsers.

  • by 534b44a on 2/16/18, 2:09 PM

    My ISP provides an online user interface where I can remotely change my Wi-Fi password even if I haven't explicitly enabled port forwarding. If they have access to that, I don't see why they can't easily see my network shares and its contents (I don't password protect the directories for convenience reasons).

    I've long ago lost the PPPoE password and this same router gets it automatically somehow. When I install another router, it won't do that.

  • by floatboth on 2/16/18, 1:03 PM

    My ISP never gave me a router. Just an Ethernet cable coming into my apartment :)

  • by icc97 on 2/16/18, 10:27 AM

    Who didn't think they were being spied on?

    This is why you used https to hide the full URL, VPN to push the problem to a 3rd party who might care a bit more about privacy and then Tor on top of it all.

    Here's the good old EFF explanation [0]

    [0]: https://www.eff.org/pages/tor-and-https

  • by tzahola on 2/16/18, 10:06 AM

    I don't know if it's true, but I've heard that some ISPs route your entire traffic through their machines. They even have access to your IP packets. Very shady!

  • by jacksmith21006 on 2/16/18, 5:40 PM

    Problem is in the US ISP they can sell your data without telling you. So I prefer to keep my data away from them. I trust Google more to not sell my data and fine with them renting it out. Others might not. So use them for DNS for example so it does not go to my ISP.

    https://www.usatoday.com/story/tech/news/2017/04/04/isps-can... ISPs can now collect and sell your data: What to know about Internet ...

  • by jwilk on 2/16/18, 10:48 AM

    Please use the original title.

  • by nmeofthestate on 2/16/18, 12:22 PM

    ISP Spy: Hey boss, looks this guy in Oslo has a friend called Dave who owns an Android device. ISP CEO: This is it! We're gonna be rich boys! Arrange a meeting with GlobalAdvertCorp immediately.