What Private Information Can Be Collected by Your ISP-Owned Router, and How to Avoid It?
The Internet is very important these days, and its role can't be overstated. Not just for shiny pictures on Instagram, but for work, education, dating, news, daily chats with friends and family, and much more. So choosing a good and reliable ISP (Internet Service Provider) is important too - who is going to fix your broken connection when a work deadline is looming, or when you desperately want to check out new cat pics on Reddit? 😊
Jokes aside, there are plenty of ISPs to choose from. But there is a dark side of the business that many non-tech-savvy people don't know about - they can't even imagine it exists. We are talking about the trade in private data. ISPs collect private data and sell it to data brokers, and from there any individual or organization can buy it, just like buying a book on Amazon.
To simplify data collection, ISPs often rent out equipment at a low cost: a DOCSIS modem, a router, or a combined unit. The customer usually sees it as a great deal, cheap equipment for a small monthly fee, but it can be a trap.
This affects not only the subscriber who signed the contract with the ISP, but also their family and any guests who were given access to the guest Wi-Fi. The ISP can continuously scan your local network and collect information about every new device: its MAC address, host name, OS version, and more.
The data that can be collected
- Device information: the ISP can see and record the MAC address of every device connected to the router, along with its local IP address, its OS and OS version, and which ports are open on it.
- Internet activity: the ISP can track your Internet usage, including the websites you visit, even when they are opened in a private browser tab. Private browsing only stops history being saved on your own machine; the DNS lookups, destination IP addresses and TLS server names still pass through the router in the clear.
- Location data: an approximate location from the IP address, and the exact service address from the subscription.
- Connection history: where, when, and from which device every connection to the Internet was made.
- Nearby access points and Wi-Fi devices: the router's radio sees the SSIDs and MAC addresses of neighbouring networks and of phones passing by, which amounts to people tracking (modern phones randomize the MAC address they probe with, which limits this, but not every device does).
- Traffic volume per device.
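To make the first item concrete, here is an added example (not code from the original article or from any ISP) of the passive inventory a router, or whoever controls it, can build from data it already holds: the DHCP lease table gives MAC, IP and host name; the vendor comes from the MAC's OUI prefix; and the OS is inferred from the DHCP option 55 parameter request list each client sent. The lease file, the option 55 values, the OUI table and the fingerprint table are all constructed for the example; real deployments use the IEEE OUI registry and a fingerprint database such as Fingerbank.

```python
"""Passive LAN device inventory, as a router (or whoever controls it) can build one.

Added example for illustration; not code from the original article or any ISP.
All inputs are constructed in-line: a dnsmasq-style lease file and the DHCP
option 55 (parameter request list) each client sent, which a DHCP server can log.
The OUI and fingerprint tables are small illustrative excerpts, not a real database.
"""
from dataclasses import dataclass

# Constructed dnsmasq.leases excerpt: <expiry epoch> <MAC> <IPv4> <hostname|*> <client-id|*>
LEASES = """\
1700003600 b8:27:eb:12:34:56 192.168.1.20 pi-hole 01:b8:27:eb:12:34:56
1700004000 3c:5a:b4:aa:bb:cc 192.168.1.31 android-9f3c7e 01:3c:5a:b4:aa:bb:cc
1700004200 00:0c:29:de:ad:01 192.168.1.40 * 01:00:0c:29:de:ad:01
1700004400 a4:c3:f0:11:22:33 192.168.1.52 DESKTOP-7Q2K1 01:a4:c3:f0:11:22:33
1700004600 da:19:3c:44:55:66 192.168.1.63 * 01:da:19:3c:44:55:66
"""

# Constructed: DHCP option 55 as sent in each client's DISCOVER/REQUEST
OPTION55 = {
    "b8:27:eb:12:34:56": "1,28,2,3,15,6,119,12,44,47,26,121,42",
    "3c:5a:b4:aa:bb:cc": "1,3,6,15,26,28,51,58,59,43",
    "00:0c:29:de:ad:01": "1,28,2,3,15,6,119,12,44,47,26,121,42",
    "a4:c3:f0:11:22:33": "1,3,6,15,31,33,43,44,46,47,121,249,252",
    "da:19:3c:44:55:66": "1,121,3,6,15,119,252",
}

# Illustrative OUI excerpt (first three octets -> vendor)
OUI = {"b8:27:eb": "Raspberry Pi Foundation", "3c:5a:b4": "Google", "00:0c:29": "VMware"}

# Illustrative option-55 signatures -> OS family
FINGERPRINTS = {
    "1,28,2,3,15,6,119,12,44,47,26,121,42": "Linux (dhclient)",
    "1,3,6,15,26,28,51,58,59,43": "Android",
    "1,3,6,15,31,33,43,44,46,47,121,249,252": "Windows 10/11",
    "1,121,3,6,15,119,252": "Apple iOS/macOS",
}


@dataclass
class Device:
    mac: str
    ip: str
    hostname: str
    vendor: str
    os_guess: str
    expires: int


def vendor_for(mac: str) -> str:
    # Bit 1 of the first octet marks a locally administered address, which is
    # what phones use for per-network MAC randomization: no vendor to look up.
    if int(mac[:2], 16) & 0x02:
        return "randomized (locally administered)"
    return OUI.get(mac[:8], "unknown vendor")


def guess_os(prl: str, hostname: str) -> str:
    if prl in FINGERPRINTS:
        return FINGERPRINTS[prl]
    if hostname.upper().startswith("DESKTOP-"):  # Windows default host naming
        return "Windows (hostname)"
    return "unknown"


def build_inventory(leases: str, option55: dict) -> list:
    devices = []
    for line in leases.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        expiry, mac, ip, hostname = parts[:4]
        mac = mac.lower()
        devices.append(Device(
            mac=mac, ip=ip,
            hostname="(none)" if hostname == "*" else hostname,
            vendor=vendor_for(mac),
            os_guess=guess_os(option55.get(mac, ""), hostname),
            expires=int(expiry),
        ))
    return devices


if __name__ == "__main__":
    for d in build_inventory(LEASES, OPTION55):
        print(f"{d.ip:15} {d.mac}  {d.vendor:34} {d.os_guess:18} {d.hostname}")
```

Nothing here needs a port scan or any traffic inspection: every field comes from the DHCP exchange that a device must perform to join the network, which is why "I only use the guest Wi-Fi" offers no protection against this kind of inventory.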
Why do ISPs do this?
ISPs may spy on their users for a variety of reasons, not only to sell personal data:
- Data retention laws: in many countries, ISPs are required by law to collect and store user data for a set period, such as 6 months or 1 year.
- Advertising: ISPs can sell user data to advertisers and help them build more targeted advertising campaigns.
- Copyright infringement: ISPs may be required by law to hand over user data to rights holders or authorities to identify and punish users who download copyrighted material from torrent or warez sites.
- National security: ISPs may be required to cooperate with government agencies for national security purposes, or for plain mass surveillance, depending on the country.
- User profiling: ISPs can build profiles from browsing history, attach real names and addresses to them, and sell them to advertisers or data brokers at a premium, because profiled data is expensive.
Advantages of using your own router
- Better performance and wider coverage: many routers on the market today provide a more reliable connection and faster speeds than the models handed out by ISPs.
- Additional features: new routers come with advanced features like VPN support, hardware offload for routing and NAT, antivirus, advanced parental controls, and more.
- Customization: you can choose a router that matches your needs exactly, or pay extra for a more powerful one, instead of being limited to the one, two or three models your ISP offers.
- No surprise costs: buy it and it's yours, with no risk of the rental fee going up later.
- Better support: third-party routers often get better customer support and more frequent firmware updates.
- Easy to migrate to a new ISP: no headaches with returning equipment by mail or in person and installing new equipment, all of which costs personal time.
Poor security and lack of updates in consumer routers
Most consumer routers have a problem with security fixes that arrive slowly or never. Development and testing cost money, and most vendors prefer to invest those resources in enterprise models, which are more expensive and more profitable than consumer devices.
Older routers may only support WPA2, which is less secure than the newer WPA3 standard: WPA3's SAE handshake resists the offline dictionary attacks that can be run against a captured WPA2 handshake. To stay protected, keep your router's firmware up to date with the latest security patches and features. Much router hardware is capable of WPA3, and the drivers already exist, yet the device never receives the firmware upgrade that would enable it. In addition, a strong and unique Wi-Fi passphrase is a must (a long random passphrase keeps even WPA2 out of reach of a dictionary attack), and consider using a VPN to protect your data. If you are experiencing slow Internet speeds, the cause may be a weak router or interference, and upgrading to a newer router or adding a Wi-Fi extender may be a viable solution.
ISP routers often ship with short default passwords and default SSIDs that follow a pattern tied to the customer record, so ISP personnel with access to customers' personal data can tell whose network an SSID belongs to from outside the home. That does not add security; it does the opposite. Change the SSID, the Wi-Fi passphrase and the admin password on day one.
Remote management of ISP routers usually goes through TR-069 (CWMP), a SOAP-over-HTTP protocol between the router (the CPE) and the ISP's auto-configuration server (ACS). It is often deployed over plain HTTP without TLS and with hardcoded short passwords, and the ACS also expects to reach the router from the Internet on the "connection request" port, conventionally TCP 7547. Here is a great post about this problem and how to detect it.
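As an added example of what "detect it" looks like in practice (this is not code from the original article or from the post it refers to), the script below takes HTTP requests as they would be reassembled from a capture on the WAN side of the router and flags the CWMP-specific signs: an Inform message readable on the wire, an ACS connection request arriving on TCP 7547, Basic-auth credentials, and a weak password. The three sample requests, the ACS hostname acs.isp.example, the credentials cpe:1234 and the device identifiers are all constructed. CWMP carried over TLS would not be parseable at all, which is exactly the point: if this script can read the session, it was sent in the clear.

```python
"""Spot TR-069 (CWMP) management traffic in captured HTTP requests and flag what
it leaks: the session itself in the clear, Basic-auth credentials, weak
passwords, and device identifiers from the Inform message.

Added example; not code from the original article or the post it refers to.
All "captures" below are constructed. A real run would feed it reassembled
HTTP requests exported from a WAN-side capture.
"""
import base64
import re

CWMP_NS = "urn:dslforum-org:cwmp-1-"   # namespace prefix shared by all CWMP versions
CONNECTION_REQUEST_PORT = 7547         # conventional ACS -> CPE "connection request" port

# Constructed CPE -> ACS Inform over plain HTTP; Authorization decodes to cpe:1234
INFORM_BODY = (
    '<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
    'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soap:Body><cwmp:Inform><DeviceId>'
    "<Manufacturer>ExampleCo</Manufacturer><OUI>001122</OUI>"
    "<ProductClass>HomeGateway</ProductClass><SerialNumber>CPE0001234</SerialNumber>"
    "</DeviceId></cwmp:Inform></soap:Body></soap:Envelope>"
)
INFORM_REQUEST = "\r\n".join([
    "POST /acs HTTP/1.1",
    "Host: acs.isp.example",
    'SOAPAction: ""',
    "Authorization: Basic Y3BlOjEyMzQ=",
    "Content-Type: text/xml; charset=utf-8",
    f"Content-Length: {len(INFORM_BODY)}",
]) + "\r\n\r\n" + INFORM_BODY

SAMPLES = [
    {"dst_port": 80, "raw": INFORM_REQUEST},
    # Constructed ACS -> CPE connection request arriving from the Internet
    {"dst_port": 7547, "raw": "GET / HTTP/1.1\r\nHost: 203.0.113.7:7547\r\n\r\n"},
    # Ordinary browsing; must not be flagged
    {"dst_port": 80, "raw": "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"},
]


def split_http(raw: str):
    """Split a raw request into request line, lower-cased header dict and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def weak_password(pw: str) -> bool:
    return len(pw) < 8 or pw.isdigit() or pw.lower() in {"admin", "password"}


def analyze(dst_port: int, raw: str) -> dict:
    request_line, headers, body = split_http(raw)
    finding = {"request": request_line, "cwmp": False, "issues": []}
    if dst_port == CONNECTION_REQUEST_PORT:
        finding["cwmp"] = True
        finding["issues"].append("ACS connection request reaches the CPE on tcp/7547 from the Internet")
    if CWMP_NS in body:
        finding["cwmp"] = True
        finding["issues"].append("CWMP session readable on the wire (no TLS)")
        m = re.search(r"<cwmp:(\w+)>", body)
        finding["method"] = m.group(1) if m else None
        # DeviceId fields that identify the subscriber's box to anyone listening
        for tag in ("Manufacturer", "OUI", "ProductClass", "SerialNumber"):
            m = re.search(rf"<{tag}>([^<]*)</{tag}>", body)
            if m:
                finding[tag] = m.group(1)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, pw = base64.b64decode(auth[6:]).decode().partition(":")
        finding["user"] = user
        finding["issues"].append("HTTP Basic credentials exposed in the clear")
        if weak_password(pw):
            finding["issues"].append(f"weak ACS password for user {user!r}")
    return finding


if __name__ == "__main__":
    for sample in SAMPLES:
        f = analyze(**sample)
        print(f["request"], "->", "CWMP" if f["cwmp"] else "not CWMP", f["issues"])
```

Without a capture, the quickest check from the outside is whether your public IP answers on TCP 7547 at all; with an ISP-owned router you usually cannot turn that listener off, which is one more argument for the router being yours.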
Near-future threat: human body tracking through Wi-Fi signals
[Researchers](https://arxiv.org/abs/2301.00250) at Carnegie Mellon University have experimented with a system that uses standard Wi-Fi routers to track the location and pose of human bodies in a room with ordinary walls, with no cell phones or other wireless devices on the people and no hidden sensors inside. The test setup placed TP-Link Archer A7 AC1750 routers at opposite ends of the room with varying numbers of people present; these routers are popular and freely available on the market. A neural network then analyzed the changes in the Wi-Fi channel state information (signal amplitude and phase) caused by the people to estimate their positions and poses.
The body maps generated by the Wi-Fi system showed promising results, with the researchers claiming accuracy comparable to image-based methods. Using Wi-Fi has several advantages, including a more discreet approach to tracking human poses, because it doesn't need light and can detect body positions even through obstacles. In addition, the low cost of Wi-Fi routers (about $30 each) makes this technology more accessible than alternatives such as radar and LiDAR, which are expensive and power hungry.
Today it doesn't seem feasible to run such a model on the router itself, but in the near future - who knows? The model can live on a powerful cloud server and simply receive the signal data from the router. Again, this is not sci-fi, it's working technology, and it forces us to rethink who controls the hardware we use every day.
How to defend yourself and your family
- Buy your own router from a reputable vendor.
- OpenWrt or DD-WRT third-party firmware: faster security updates and additional features. Check that your exact model and hardware revision is supported before buying.
- Secure DNS: DoH (DNS over HTTPS) or DoT (DNS over TLS). Set it up and tell your friends: plaintext DNS hands your ISP a log of every hostname you look up. Keep in mind that the encrypted resolver's operator sees those queries instead, and the ISP still sees destination IP addresses and the TLS server name (SNI) of most connections.
- VPN: highly recommended, a must-have these days. It moves trust from the ISP to the VPN provider, so choose that provider carefully, and run the VPN on your own device or your own router, never on the ISP-owned one, which would still see your traffic in the clear on the LAN side.
There's a great resource called Router Security that collects information about router security and ISP security failures.
If you want to do more to fight this globally, join FSFE's Router Freedom initiative - together we are stronger.
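To show why the DNS item matters, here is an added example (not code from the original article) that builds a DNS query in wire format, reads back what any on-path observer, the ISP-owned router included, can extract from it on UDP/53, and then wraps the same query the way a DoH client does (RFC 8484 GET form), where the query travels inside TLS and only the resolver's name and address are visible. The resolver name doh.example is a placeholder; nothing is sent over the network.

```python
"""What a plaintext DNS query exposes to anyone on the path (your ISP-owned
router included), and how the same query is carried under DoH (RFC 8484).

Added example; not code from the original article. The query bytes are built
in-line and nothing is sent over the network. doh.example is a placeholder.
"""
import base64
import struct


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS query in wire format: 12-byte header, QNAME labels, QTYPE, QCLASS=IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags 0x0100 = RD set
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def observer_view(pkt: bytes) -> tuple:
    """What an on-path observer reads from a UDP/53 packet: the queried name and type."""
    off = 12
    labels = []
    while True:
        n = pkt[off]
        off += 1
        if n == 0:
            break
        labels.append(pkt[off:off + n].decode("ascii"))
        off += n
    qtype, = struct.unpack("!H", pkt[off:off + 2])
    return ".".join(labels), qtype


def doh_get_url(qname: str, resolver: str = "https://doh.example/dns-query") -> str:
    """RFC 8484 GET form: the wire-format query, base64url without padding, in the
    'dns' parameter. The transaction ID is 0 so the URL is cacheable. The URL
    travels inside TLS; the ISP sees only the resolver's name (SNI) and address."""
    pkt = build_query(qname, txid=0)
    return resolver + "?dns=" + base64.urlsafe_b64encode(pkt).rstrip(b"=").decode("ascii")


def decode_doh_param(url: str) -> bytes:
    """What the resolver does on its side: recover the wire-format query from the URL."""
    param = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(param + "=" * (-len(param) % 4))


if __name__ == "__main__":
    q = build_query("www.example.com", txid=0x1234)
    print("plaintext DNS on the wire, the ISP reads:", observer_view(q))
    url = doh_get_url("www.example.com")
    print("DoH request (inside TLS):", url)
    print("resolver recovers:", observer_view(decode_doh_param(url)))
```

A quick check that your setup really moved off plaintext DNS is to watch the router's WAN side (or your own machine) for any traffic on port 53 while browsing; with DoH or DoT configured correctly, there should be none apart from the resolver bootstrap lookup.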