
ISP Spying - early
https://harrisonsand.com/your-isp-is-spying-on-you/
======
wepple
I’ve pulled apart router firmware plenty of times, and am never surprised to
see nbtscan, nmap, and all sorts of other tools on there.

A lot of ISPs will perform remote diagnosis by connecting into your router and
scanning your internal hosts to see if there are any problems.

Between that capability and the generally appalling security of routers, you're
basically on Starbucks WiFi from a security perspective even at home.

important note: buying an off the shelf netgear/tplink/linksys/whatever might
stop your ISP remoting in, but is still wildly full of vulnerabilities.

~~~
markwaldron
This is very informative! What router would you suggest purchasing?

~~~
alyandon
Usually, anything you can install a third party firmware on like openwrt, dd-wrt
or tomato (shibby's version of tomato is the one I used the most).

However, I gave up on consumer hardware and went with Ubiquiti for wifi AP and
Mikrotik as my router. It was a bit of a pain to set up all my NAT rules in
the Mikrotik router because unfortunately consumer devices do a lot of extra
work behind the scenes (like setting up NAT reflection) to facilitate having
NAT work painlessly. I'm perfectly content with the end result now though.

~~~
a012
Opposite for me: I have a Mikrotik hAP ac and am considering using it as an AP
only, then buying a Ubiquiti ER-X to put in front of it.

~~~
alyandon
I did consider going with a pure Ubiquiti solution but after borrowing a
friend's ER-Lite and comparing it to running RouterOS in a VM I decided that
Mikrotik was a better overall fit for me from a technical standpoint. The
RB3011 having a powerful CPU + the integrated 10-port switch (actually two
different switches) helped push me in that direction.

There was something almost zen-like watching 300Mbps of traffic transiting my
RB3011 and seeing it utilize 6% cpu.

Ultimately, either is a fine solution and an ER-X is going to be a lot less
fiddly to setup.

~~~
swinglock
I would stay away from Ubnt routing. Which features require disabling
packet-processing offloads, and what the performance impact is, are not well
documented and vary between models and software versions.

There appear to be many bugs related to offloading as well. The example below
is what finally made me decide not to consider Ubnt routers. It may be fixed
now, maybe, but even if it is, it was broken for way too long and shrouded in
too much mystery, not even making it obvious which models are affected (the
thread title was not always that specific either). I can't take Ubnt
seriously, even for a home environment, after seeing that basic forwarding is
that poor and it's not even their highest priority.

The only good thing that this proves is that at least they don't censor their
forums, trying to hide issues.

[https://community.ubnt.com/t5/EdgeMAX/UDP-packet-loss-on-Cav...](https://community.ubnt.com/t5/EdgeMAX/UDP-packet-loss-on-Cavium-based-routers/td-p/1343012)

------
aus_
There are varying levels of difficulty when you want to BYO router. The
situation for AT&T U-Verse isn't too fun. If you want to use your own
hardware, you only have a few options:

1. They offer "IP Passthrough" which is fake Bridge Mode. They still do
routing and you'll still hit NAT table limits of 4096. Connection falls apart
for anything over 3000.

2. You can dump and reverse the router-gateway firmware and 802.1X/EAP
authentication. Oh goodie.

3. There's a history of exploits for the NVG510, NVG589 and NVG599. Try your
luck. [1] [2]

4. Create some "magic" to split the 802.1X and untag VLAN0. Works in Linux at
least. [3]

5. But good luck if you want to do this in pfSense or FreeBSD. There's an
open BTC bounty if you've got any netgraph / networking chops. [4]

[1]: [http://earlz.net/view/2012/06/07/0026/rooting-the-nvg510-fro...](http://earlz.net/view/2012/06/07/0026/rooting-the-nvg510-from-the-webui)

[2]:
[https://www.nomotion.net/blog/sharknatto/](https://www.nomotion.net/blog/sharknatto/)

[3]: [http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NA...](http://blog.0xpebbles.org/Bypassing-At-t-U-verse-hardware-NAT-table-limits)

[4]:
[https://forum.pfsense.org/index.php?topic=111043.0](https://forum.pfsense.org/index.php?topic=111043.0)

------
jstanley
In the UK, they're legally required to spy on you (but not through your
router).

[https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016](https://en.wikipedia.org/wiki/Investigatory_Powers_Act_2016)

~~~
gambiting
That is why I've been running all my devices exclusively through a VPN while
I'm in the UK. And yes, I'd much rather trust a commercial company with my
data than the British government and the ISPs.

~~~
jstanley
I do the same.

------
liotier
I plugged French Orange's GPON FTTH ONT into my Debian router's RJ-45 port,
added a VLAN interface, added a couple of lines to my DHCP client
configuration to pretend my router is some Sagem device and pass
authentication to the server... And that's all - sweet 500/200 Mb/s
throughput, no ISP CPE in sight (well, technically the ONT...) and Orange even
waived the 3€/month CPE rental fee!

Former provider offered FTTB and I used the coaxial cable CPE as a bridge -
and even when I do not have that option, I insist on having a router of my own
as my network's demarcation: it is basic hygiene.

Other option for GPON would have been to plug a GPON SFP module into one of my
switches - the friendly guy who laid the fiber to my apartment even left me
one in case I changed my mind... But going through the switch to the router
and back to the switch on a different VLAN is unnecessarily complicated in my
case. Anyone want a free GPON SFP module?

~~~
wil421
I thought about bridging a Ubiquiti EdgeRouter and putting it in front of the
AT&T gateway. You must pass authentication back to the gateway. Users were
also reporting around 100 megs max speed, which wasn't acceptable for me since I
pay for gigabit.

There is a new line of EdgeRouters out and maybe it has some acceleration for
bridging. I would like this setup.

~~~
aus_
You might try this:
[https://github.com/jaysoffian/eap_proxy](https://github.com/jaysoffian/eap_proxy)

You have to enable `set system offload ipv4 vlan enable` else your routing
performance will suffer.

~~~
js2
Hey that’s me! I’m glad it’s working for you. All credit to the folks who
figured out this bypass. I just coded it up in Python when I couldn’t get some
of the other solutions to work for me.

~~~
aus_
Ha! Small world on HN. I haven't personally tried the EdgeRouter solution.
I've been trying to replicate on pfSense/BSD, but it isn't as simple as you
might think. :/

[https://forum.pfsense.org/index.php?topic=111043.0](https://forum.pfsense.org/index.php?topic=111043.0)

~~~
js2
Yeah that seems like a bit of a headache. I appreciate your dedication to
sticking with pfSense.

------
mmrezaie
Is there a portal like-place to share our findings of ISPs generally in the
world so that others can work together with better transparency?

I do data analytics and data engineering, and a couple of months ago I was
indirectly contacted by an ISP in Spain, and they were literally collecting
every bit of data that their customers were seeing on the internet (websites,
timestamps, how much data was transferred, etcetera, with the user's id and,
basically in another table, name and address). I was shocked at how easily they
were talking about it. I didn't accept, but for sure someone has done it! I never
heard the name of the ISP; I wish I hadn't barked at them so fast and could have
collected more information about them.

------
laveur
When I bought my first house a few years ago here in the Bay, Comcast tried to
give me one of their new routers, wifi and everything built in. I let them but
I wasn't happy. I hooked up my own router and ended up double NATing it.
After a few hours of frustration I went out and bought my own cable modem,
installed that and returned the one Comcast had provided. When asked why, I
cited security and privacy concerns. Working for a Fortune 500 means they
could easily do some sneaking and see a lot of stuff that I worked on. Either
way I use Ubiquiti hardware throughout my house. It's a bit expensive but god
is it good.

~~~
EADGBE
Does not using their own routers make ISP traffic sniffing that much harder?

I'd assume if you're using their pipes, they can see what goes through it,
regardless.

Genuinely intrigued in this.

~~~
etskinner
End-to-end encryption like SSL (https) is meant to limit the middle man's
ability to 'see everything'. Instead of seeing the details of your Google
search, all they see is that you accessed Google at [x] time, and exchanged
[y] amount of data.

This is why there is such a push for end to end encryption on web traffic,
chat apps, etc.

~~~
Scottn1
ISPs can very easily see what you searched for even with SSL. SSL encrypts the
TRAFFIC so they can't see the content of the webpages, but your search terms
are right there naked in the URL even though it is https secured. This is
unfortunately the case for Google, Bing and even DuckDuckGo. Try it and you
can see for yourself.

At least DDG offers in their options to scramble the URL but one has to know
about that feature AND enable it. It is in their settings under Privacy and
you have to turn OFF GET (2nd option).
[https://duckduckgo.com/settings#](https://duckduckgo.com/settings#)

~~~
tombrossman
> But your search terms are right there naked in the URL even though it is
> https secured

You are correct that the terms are in the URL, however only the browser and
endpoint can see them. All your ISP sees is that you accessed example.com, and
not example.com/search-terms-here. The TLS handshake is for the domain only,
then encryption kicks in, then everything after is encrypted.

Your ISP cannot see what you are searching for, they can only see which sites
you use for search.
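
A concrete check of the point above, added here as an example (not code from the original post or from any project in this thread): it builds a ClientHello carrying an SNI extension, parses the hostname out of it the way any passive on-path observer could, and contrasts that with an encrypted Application Data record and a plain-HTTP request line. The records and the HTTP request are constructed samples, not captures.

```python
"""Added example: what an on-path observer such as an ISP can read from one
client message on a TLS connection versus plain HTTP (constructed samples)."""
import os
import struct

TLS_HANDSHAKE = 0x16   # record content type: Handshake (ClientHello travels here)
TLS_APPDATA = 0x17     # record content type: Application Data (ciphertext)
SNI_EXT_TYPE = 0x0000  # server_name extension (RFC 6066)


def build_client_hello(hostname: str) -> bytes:
    """Build a minimal TLS ClientHello record carrying one SNI extension."""
    name = hostname.encode("ascii")
    # ServerNameList: one entry of name_type host_name(0), 2-byte length, name
    sni_list = b"\x00" + struct.pack("!H", len(name)) + name
    sni_ext = (struct.pack("!HH", SNI_EXT_TYPE, len(sni_list) + 2)
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03"               # client_version (TLS 1.2 framing)
            + os.urandom(32)          # random
            + b"\x00"                 # session_id length 0
            + b"\x00\x02\xc0\x2f"    # one cipher suite
            + b"\x01\x00"             # one compression method: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type ClientHello
    return struct.pack("!BHH", TLS_HANDSHAKE, 0x0303, len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the hostname from a ClientHello's SNI extension, or None.
    The hostname is the only part of an HTTPS request sent in the clear."""
    try:
        if record[0] != TLS_HANDSHAKE or record[5] != 0x01:
            return None
        hs = record[5:]
        pos = 4 + 2 + 32                                     # header, version, random
        pos += 1 + hs[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hs[pos]                                   # compression_methods
        if pos + 2 > len(hs):
            return None                                      # no extensions at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == SNI_EXT_TYPE:
                p = pos + 2                                  # skip ServerNameList length
                while p + 3 <= pos + elen:
                    nlen = struct.unpack("!H", hs[p + 1:p + 3])[0]
                    if hs[p] == 0:                           # host_name entry
                        return hs[p + 3:p + 3 + nlen].decode("ascii")
                    p += 3 + nlen
            pos += elen
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def observer_view(message: bytes, port: int) -> dict:
    """Summarise what a passive observer learns from one client->server message."""
    if port == 80:
        # Plain HTTP: the request line, query string included, is readable.
        line = message.split(b"\r\n", 1)[0].decode("ascii", "replace")
        return {"visible": "full request", "detail": line}
    if message and message[0] == TLS_HANDSHAKE:
        return {"visible": "hostname only", "detail": extract_sni(message)}
    if message and message[0] == TLS_APPDATA:
        return {"visible": "ciphertext length only", "detail": len(message) - 5}
    return {"visible": "unknown", "detail": None}


if __name__ == "__main__":
    print(observer_view(build_client_hello("duckduckgo.com"), 443))
    # After the handshake, the GET with its search terms is an opaque record.
    sealed = struct.pack("!BHH", TLS_APPDATA, 0x0303, 48) + os.urandom(48)
    print(observer_view(sealed, 443))
    print(observer_view(b"GET /?q=my+secret+search HTTP/1.1\r\nHost: x\r\n\r\n", 80))
```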

------
LeoPanthera
I've been forwarding all outgoing connections on port 80 (and a selection of
other commonly-unencrypted ports) through a VPN (in the router) for a while
now - but leaving all other ports (including most importantly 443) connecting
directly.

It feels like a good compromise between privacy and speed.

(I realise this is not the subject of the article exactly but I figured it's a
related issue.)

~~~
brigade
Why do you feel that way? VPNs are vastly more likely to actually read your
traffic than any ISP.

~~~
oger
Not an issue when you run your own VPN on a cheap VPS, meaning the data is
exiting in a datacenter in a location of your choice. While they or their
upstream providers will certainly have some 'lawful interception' capability,
they are usually not as interested in analyzing / selling the data on their
wires as the consumer-facing ISPs are.

------
Cieplak
Another cool thing about WiFi routers is that you can use them as radars to
monitor people in a home. The 2.4 GHz frequency is perfect for reflecting off
water bodies while having great penetration through walls.

~~~
ourmandave
I wonder what kind of resolution you can achieve.

Would it be ghostly figures or more like black and white photos?

~~~
Fnoord
The URLs [1] [2] describe the content. I thought [1] was interesting but not
answering your question. [2] answers your question, and shows black and white
and thermal pictures.

[1] [https://www.medgadget.com/2014/06/mits-wifi-system-detects-p...](https://www.medgadget.com/2014/06/mits-wifi-system-detects-peoples-breathing-heart-rate-even-through-walls.html) (June 2014)

[2] [https://hackaday.io/project/5452-wifi-thermal-camera](https://hackaday.io/project/5452-wifi-thermal-camera) (2015)

[EDIT] I stand corrected, [2] is unrelated. My bad! Here are some good sources
as an alternative.

"MIT turns Wi-Fi Into Indoor GPS New tech from CSAIL lab lets one Wi-Fi device
locate another to within centimeters" [3]

"RF-Capture: Capturing the Human Figure Through a Wall

It can know who the person behind a wall is. It can trace a person's
handwriting in air from behind a wall. It can determine how a person behind a
wall is moving." [4]

They also contain further resources.

[3] [https://spectrum.ieee.org/tech-talk/telecom/wireless/mit-tur...](https://spectrum.ieee.org/tech-talk/telecom/wireless/mit-turns-wifi-into-indoor-gps)

[4] [http://rfcapture.csail.mit.edu/](http://rfcapture.csail.mit.edu/)

~~~
zydeco
[2] is a thermal camera with WiFi connectivity, it's completely unrelated.

~~~
Fnoord
Thank you for the correction, I updated the post with new information whilst
keeping the discussion intact w/your post.

------
Buge
That router looks like its control panel is hosted on an external server.
Router control panels usually show what devices are connected. So for router
control panel functionality, they need to have the router report all connected
devices to the server. Obviously they should be doing this encrypted, not
unencrypted.

But ignoring encryption, this is the price you pay for cloud management: the
cloud knows your data.

~~~
philjohn
Remember, the TR-069 traffic starts at your device, and terminates at their
end, it's not making it out onto the public internet, it's entirely within the
ISP network.

That's not to say it still shouldn't be encrypted, but with an FTTH connection
using a PON network there's already physical layer encryption going on
typically, otherwise a custom configured ONT could snoop on other people's
traffic on the same segment.

~~~
tinus_hn
> otherwise a custom configured ONT could snoop on other people's traffic on
> the same segment.

Why would an ISP care about that?

------
javajosh
Is it just me or does this look like a huge opportunity? Last I checked we
still have control over our devices, and if they are stupid enough to trust
the data they collect, then we should feel free to poison the well. I'm
talking about opening random connections to endpoints (either random or those
we want to protect), to inject noise into the system. I call the idea "data
flak". It could be something as simple as a daemon running in the background,
or a browser plugin. You want to spy on my traffic? Fine, good luck picking
out my real behavior from the gigabytes of utter crap I'm shoving into your
sensors. This works not just at the ISP level, but at every intermediate host,
too.

The only counter is for an adversary to own your box, which is far more
expensive.

~~~
gruez
>The only counter is for an adversary to own your box, which is far more
expensive.

or require your clients to run your software, like in AOL days

~~~
javajosh
Well, in general, you'd want to draw a causal link between real physical
measurement and network traffic; so yeah, if you own the client (and can
accurately determine whether or not it's running in a VM, and/or manipulated
by a robot, which is tricky) you can filter out the data flak. If I worked for
a data-collection org I'd probably ignore (or blacklist, if I could get away
with it) a known source of noise.

------
alxndr13
In Germany you are able to use any router you want, regardless of which ISP
you use.

[https://www.cr-online.de/bgbl116s0106.pdf](https://www.cr-online.de/bgbl116s0106.pdf)

~~~
gruez
Do ISPs actually prevent you from doing that? At the very least you can hook
your router to the ISP's router and set up DMZ?

~~~
oger
No. DSL providers are legally obliged to let the customers use their own
equipment (which includes the account details / passwords to establish the
connection). Most of them even provide the details for the SIP connection that
is included most of the times. If I remember correctly cable providers were
fighting this - not sure about the final outcome...

------
mirimir
I always assume that they might be. So I always use my own perimeter
router/firewall running pfSense. Plus I use VPN services. And so my ISPs don't
end up seeing anything except encrypted streams. And they have no visibility
into my VLANs.

~~~
moviuro
You're just paying some extra third-party that handles all your traffic now.
What's to prevent _them_ from doing the same? You're moving trust to another
actor.

~~~
jstanley
It's easy to move your VPN to an arbitrary VPS anywhere in the world, but
there's only a handful of residential ISPs available in any given area, and
they are almost universally scummy.

~~~
Tijdreiziger
> and they are almost universally scummy

Source? I do not think most of the ISPs in my area are particularly scummy.
They provide reliable plain internet service with no data caps (and also
TV/phone service if you so desire) for a reasonable monthly fee, and in my
experience, most of them hire enough customer service workers on their support
phone. All of them also resisted internet filtering until the legal system
forced them to do so. What more is there to ask of an ISP?

~~~
jstanley
Good for you.

In my area none of them provide reliable internet service, most of them
enforce some censorship and have poor customer service, and all of them
perform the legally-mandated surveillance.

------
RoadieRoller
Somewhere someone could be selling your data for money. I can imagine the
below happening. After all, all corporates are hand-in-glove with each other
when it comes to public's privacy.

This is probably what your ISP is doing. Take your MAC addresses, try to find
the phones in your house which are connected to the wifi, take those MAC
addresses to all the telecoms, get the SIM card number and the phone number
associated with those MAC numbers, send those phone numbers to the banks to
find matching bank accounts and the associated credit card number, along with
your registered email address, get the purchase history from the bank on the
credit card number, compare it with your browsing history and sell all of this
to another company and make money.

~~~
madez
That is very soon illegal in the EU thanks to the GDPR, and it is _already_ in
some countries like Germany.

~~~
gcb0
absolutely not.

gdpr is a nightmare for websites, because of the consent rule.

but guess what is the first thing you do with an ISP. You sign a contract. done.
it's all legal with gdpr or not.

~~~
madez
In Recital 43, the GDPR adds a presumption that consent is not freely given if
there is “a clear imbalance between the data subject and the controller, in
particular where the controller is a public authority.” Importantly, a
controller may not make a service conditional upon consent, unless the
processing is necessary for the service. Also, data subjects have the right to
withdraw given consent.

~~~
gcb0
they had similar wording to the cookie things. you had to say for what feature
the cookie would be used, at the time the user was actually starting use of
the feature. advertising? logging in? ....in the end everyone just says "to
use this website" and use for whatever (but mostly ads)

------
philjohn
This isn't an issue if you're not using the ISP equipment, or put the ISP
equipment into a bridge modem mode.

For instance, BT in the UK do the same reporting over TR-069 if you use their
home hub - however - if you connect a different VDSL modem/router you can
disable TR-069, and if you use a dedicated VDSL modem in bridged mode and a
wireless router behind that there's no TR-069 to worry about in the first
place.

~~~
mseebach
Or if you just use the provided router, either in bridge mode or in regular
mode, the only device it will ever see and report on is your own router, which
is hardly a critical leak.

------
slhck
I recently learned about this when I reported Internet speed issues to my home
ISP (upload was basically impossible, while download was at 100 MBit/s).

They said they'd look into it, but they couldn't process my claim unless they
could prove something was connected via Ethernet to their router. (They
apparently never trust customer WiFi speed test results, probably because WiFi
on their crappy routers can be notoriously unreliable.)

I ultimately had to connect something to the router's Ethernet port, so I
grabbed another WiFi router, configured it as an access point, plugged it in,
and voilà, they could verify that a device was connected and processed my
complaint.

Obviously customer service reps can easily get access to a list of what is
connected to the router.

~~~
book_mentioned
One time the next-tier tech shut off my WiFi while I was troubleshooting with
the entry-level phone support; I hadn't been warned this was an option or
would happen so it really rubbed me the wrong way.

------
dbolgheroni
Two huge cases from previous years:

[https://nakedsecurity.sophos.com/2012/10/01/hacked-routers-b...](https://nakedsecurity.sophos.com/2012/10/01/hacked-routers-brazil-vb2012/)

[https://www.welivesecurity.com/2016/10/21/cybercriminals-tar...](https://www.welivesecurity.com/2016/10/21/cybercriminals-target-brazilian-routers-default-credentials/)

Your router is critical, and choosing them wisely is one of the most important
things if you care about some security.

------
wowamit
Every now and then, we are reminded that our router remains the prominent data
collector for our online presence. And ISP, the prominent data aggregator. And
neither are really too keen to protect our data online.

------
rishabhd
well, who isn't? Even at the most basic level, my local ISP is injecting ads
into browsers.

~~~
mysterypie
The original title before the admins changed it was "Your ISP is Probably
Spying On You", and you wrote:

> well, who isn't?

I can understand that we all get weary from the constant news of yet another
privacy intrusion, surveillance method being discovered, or new government law
eroding privacy. But why be dismissive? When Snowden revealed what he knew, it
confirmed what I had already suspected. But I didn't go and say, "well of
course, we all knew that we were being illegally spied on". I thought that
getting the specific information was very important.

~~~
icc97
As far as I can tell we should just be safety first. This does indeed mean
getting as much information about how to browse privately.

If we all use Tor, it will help the Tor project because then it's harder to
spot individuals using it.

Tor is slightly slower, but it's pretty much a perfect browser replacement.
The only reason I don't use it all the time is that I like my browser history.
Plus I've got a self built VPN which is about as good as I can hope for.

------
534b44a
My ISP provides an online user interface where I can remotely change my Wi-Fi
password even if I haven't explicitly enabled port forwarding. If they have
access to that, I don't see why they can't easily see my network shares and
their contents (I don't password protect the directories for convenience
reasons).

I've long ago lost the PPPoE password and this same router gets it
automatically somehow. When I install another router, it won't do that.

------
floatboth
My ISP never gave me a router. Just an Ethernet cable coming into my apartment
:)

~~~
kalleboo
I got a fiber cable coming in through a hole in the doorframe to the balcony,
and an ONU box to convert the fiber media to Ethernet. Everything else is my
own responsibility.

------
icc97
Who didn't think they were being spied on?

This is why you use https to hide the full URL, VPN to push the problem to a
3rd party who might care a bit more about privacy and then Tor on top of it
all.

Here's the good old EFF explanation [0]

[0]: [https://www.eff.org/pages/tor-and-https](https://www.eff.org/pages/tor-and-https)

~~~
45h34jh53k4j
No, don't run Tor over VPN. It's VPN over Tor.

Tor provides anonymity, VPN provides privacy. You want anonymity between you
and the VPN, and privacy between you and internet hosts.

From the OpSec for xyz series:
[https://grugq.github.io/presentations/Keynote_The_Grugq_-_OP...](https://grugq.github.io/presentations/Keynote_The_Grugq_-_OPSEC_for_Russians.pdf)

• TOR connection to a VPN => OK
• VPN connection to TOR => GOTO JAIL

~~~
icc97
This site [0] explicitly says that VPN over Tor is a bad idea. It's quite
possible it's wrong. But I don't understand why?

[0]: [https://www.expressvpn.com/how-to-use-vpn/tor-vpn](https://www.expressvpn.com/how-to-use-vpn/tor-vpn)

------
tzahola
I don't know if it's true, but I've heard that some ISPs route your entire
traffic through their machines. They even have access to your IP packets. Very
shady!

~~~
rocqua
ISPs intercepting HTTP traffic to modify it is far from unheard of. In the
best case, this is to notify customers of required changes. This is actually
used by Comcast [1]. In the worst case, this is a service sold to advertisers,
or a service that includes arbitrary JavaScript injection. For something
close to the worst case, see [2] (previously discussed on HN [3]).

[1] [https://tools.ietf.org/html/rfc6108](https://tools.ietf.org/html/rfc6108)

[2] [https://defplex.wordpress.com/2017/08/15/how-a-south-african...](https://defplex.wordpress.com/2017/08/15/how-a-south-african-isp-hacks-it-subscribers-each-month/)

[3]
[https://news.ycombinator.com/item?id=15423393](https://news.ycombinator.com/item?id=15423393)

~~~
tzahola
Why on Earth would you visit plain HTTP sites with JavaScript enabled?

~~~
drchickensalad
Because you have to be in the know-how and do work to achieve that?

------
jacksmith21006
Problem is, in the US ISPs can sell your data without telling you. So I
prefer to keep my data away from them. I trust Google more not to sell my data,
and am fine with them renting it out. Others might not be. So I use them for
DNS, for example, so it does not go to my ISP.

[https://www.usatoday.com/story/tech/news/2017/04/04/isps-can...](https://www.usatoday.com/story/tech/news/2017/04/04/isps-can-now-collect-and-sell-your-data-what-know-internet-privacy/100015356/) ISPs can now
collect and sell your data: What to know about Internet ...

------
jwilk
Please use the original title.

~~~
dang
The HN guidelines ask: "Please use the original title, unless it is misleading
or linkbait." This one was linkbait—it used the linkbait "you" twice. We took
that out.

[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)

~~~
jwilk
I could figure out that "you" doesn't refer to me personally, and so can the
rest of HN. There's nothing "linkbait" about it.

You can express your opinion about the original title in a comment. There's no
need to impose this (twisted, IMO) view on everyone.

~~~
dang
As the people who read the most headlines here, probably by an order of
magnitude, I'm afraid we have to pull rank on that. Gratuitous "you" in titles
is one of the biggest linkbait tropes. Presumably we're all wired to direct
our attention to someone saying "hey you!"; headline writers figured this out
and have been milking it ever since.

------
nmeofthestate
ISP Spy: Hey boss, looks this guy in Oslo has a friend called Dave who owns an
Android device. ISP CEO: This is it! We're gonna be rich boys! Arrange a
meeting with GlobalAdvertCorp immediately.

