Your ISP is probably spying on you

Posted on Feb 14, 2018

A while back I decided to no longer use the router given to me by my ISP. You may want to consider doing the same.

I had read one too many articles about the crappy security in consumer routers, and came to the conclusion that I wanted more control over my home network. I eventually landed on a pfSense-based solution, but this sparked my interest and I wanted to see how the ISP supplied router actually worked.

How my ISP Works

I live in Norway, and recieve FTTH services from Altibox (Norwegian). Services are delivered through three separate 802.1Q VLANs.

  • 100 - traditional phone and CPE (router) management
  • 101 - IPTV
  • 102 - internet

Additionally, customers can manage their router, wireless settings, etc. though the customer portal on the ISPs website.

altibox_portal

Right off the bat some questions come to mind about how that communication between the router and customer portal looks…

History

To give some background - most, if not all major ISPs source their customer premise equipment (CPE) from third party vendors. ZyXEL in my case. That is, they purchase pre-built, out of the box solutions to manage customer routers. This may include everything from the delivery of branded hardware, to the backend systems that centrally manage the vast number of devices.

Why? It normally comes down to cost. It doesn’t really make sense to start from scratch, hire your own developers, worry about support, etc… when you can just outsource the whole thing for a fraction of the cost. This doesn’t inherently have to be a bad business model; you don’t see too many people building their own cars to get to work. Though on the flip side, it’s absolutely critical that a company thoroughly understands what they are purchasing and that they have the in house technical expertise to actually follow up and challenge the vendor. You don’t just go to a dealership and purchase a car because the salesman said it was the best thing since sliced bread. You need to do your homework.

So, takeaways:

  • A lot of ISPs have similar solutions, and this problem won’t just affect my tiny ISP in Norway (430,000 customers in 2016)
  • Most ISPs don’t fully understand what they are selling

Traffic Analysis

Naturally, I set up a SPAN port on my switch and loaded up a packet capture. Honing in on the management traffic, I found a XML-based protocol called TR-069. This is a common protocol, used by ISPs around the world to manage customer routers.

Mixed somewhere in between the unencrypted HTTP traffic and plaintext admin passwords was something I found to be a bit more interesting. Altibox periodically collects a list of all devices that are/were connected to my private home network.

<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.X_ZyXEL_IconIndex</Name>
	<Value xsi:type="xsd:unsignedInt">0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.MACAddress</Name>
	<Value xsi:type="xsd:string">5C:E0:C5:[removed]</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.X_ZyXEL_DeviceName</Name>
	<Value xsi:type="xsd:string"></Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.LeaseTimeRemaining</Name>
	<Value xsi:type="xsd:int">0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.X_ZyXEL_SessionNum</Name>
	<Value xsi:type="xsd:unsignedInt">109</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.Active</Name>
	<Value xsi:type="xsd:boolean">0</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.IPAddress</Name>
	<Value xsi:type="xsd:string">192.168.10.172</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.AddressSource</Name>
	<Value xsi:type="xsd:string">DHCP</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.HostName</Name>
	<Value xsi:type="xsd:string">harrison-pc</Value>
</ParameterValueStruct>
<ParameterValueStruct>
	<Name>InternetGatewayDevice.LANDevice.1.Hosts.Host.18.InterfaceType</Name>
	<Value xsi:type="xsd:string">Ethernet</Value>
</ParameterValueStruct>

If that made your eyes hurt, a quick summary is that they collect:

  • The device’s hostname - this is whatever you set it to, but is often the name of the owner (for example “harrison-pc” or “Harrison’s iPhone”)
  • The device’s MAC address - a unique identifier tied to the network card
  • Active true/false - this reports if the device is activly connected to the network or not
  • The devices internal IP address

Consequences

There’s a reasonable chance you might be thinking “Why does this matter?” or “What does this mean for me?” Realistically speaking, chances are nothing bad will happen to you because of this. But there are several reasons to still be concerned.

In theory, there are some scenarios where this data could become interesting. With the data you could for example: infer the people you know based on who connects to your network, and which networks you connect to. You could also piece together behavior patterns based on when people are connected and at home.

It goes a bit further when you think about who has access to this data. To begin it might just be your ISP, but it could also be sold to third parties for marketing purposes or otherwise. Add the potential for data breaches in there and the consequences become slightly more interesting.

And to top it all off, there’s no real business requirement for this information to be collected in the first place. You could argue it’s for technical support or diagnostics, but that would only be a once-off requirement and not sent on regular intervals. You could also ask the customer for their approval first.

Chances are this data is being collected for marketing purposes, just because they can, or the functionality was on by default and they don’t know about it or just left it the way it was.

With all that said you probably wouldn’t want some dude sitting outside your house taking notes of when you leave and come home, and making lists of who your visitors are. It’s just plain creepy.

Legality

I have been in contact with the Norwegian Data Protection Authority - Datatilsynet in regards to my findings. They have provided helpful guidance on the matter.

In additon, I have contacted Altibox directly asking them explain the data collection. Their response was professional, though I don’t necessarily agree with all of their points. Potentially some gaps between policies and reality…

(Viken Fiber works to deliver Altibox services)

Hi, thanks for your inquiry

The following is collected from Altibox managed access point (WiFi router):
Software and hardware version, equipment Mac address, time up, temperature, CPU
statistics, memory statistics, connection statistics, number of processes running,
logical interface IP, uplink media type (fiber or copper), Altibox DNS time to
respond, switchport and radio error statistics aggregated and per connected device.


The information is used only for error checking and correcting activities, 
and only when initiated by end customer.
- Data is saved for a maximum of 21 days.
- Data is collected and stored using dedicated hardware.
- Data is limited and accessed using dedicated frontend software and individual user authorization.
- All data requests are logged
- All external data are encrypted

This is in accordance with the Norwegian Personal data act § 8 and Altibox general terms paragraph 26.
https://www.altibox.no/wp-content/uploads/2017/07/Altibox_almvilkaar2017.pdf
https://lovdata.no/dokument/NL/lov/2000-04-14-31/KAPITTEL_2#§8

Best regards
Viken Fiber AS

The new European data protection regulations (GDPR) that come into affect this year could also have influence on the legality of this.

In the end, there are some obvious areas for improvement from Altibox’s side, but at the same time I don’t have the means to make a determination either way on the matter. I do however know it’s just plain creepy.