Your ISP Modem-router Is Hostile Territory

Aug. 9, 2022 [technology] [privacy-security]

Even though most ISPs supply a “free” router, it should always be treated as external infrastructure that is not to be trusted. The line of demarcation in one’s local network should end at a device which is completely owned and controlled by oneself. There is just too much opportunity for underhanded abuse of the remotely managed ISP router-modem. And it certainly doesn’t help that many providers, if they allow customer-supplied equipment at all, whitelist only a strict set of approved third-party devices that may be provisioned directly.

Providers are all too willing to change settings remotely, and the settings exposed to end users are often inadequate. They also have a hard-on for imposing firmware when it suits some new antifeature, like removing the local web administration functionality and moving it to their centrally managed cloud web panel. Or using “your” router to supply wifi coverage to anyone out on the street, without your knowledge. Have fun trying to disable that malfeature. And, once they’ve decided that the router has been milked for all it’s worth, providers can refuse to ever update it again, leaving the average user with no recourse but to obtain a new model.

All this is in addition to the horrendous track record that SOHO router manufacturers have in privacy and security. Some have been caught forwarding router traffic to partner organizations. Some exposed WAN-exploitable backdoors. Many have been found with backdoor functionality implemented in such a way as to suggest plausible deniability [1] [2]. So even if an off-the-shelf router is still receiving updates, it cannot be assumed that the manufacturer itself is acting in good faith.

Instead of staying on the hamster wheel, one should consider replacing the hostile equipment if possible. And if not, set it up in “bridge mode” or “modem mode” and hand the connection off to a trusted, user-controlled router at the edge of the LAN. Consider placing the remaining ISP equipment inside a Faraday bag. Disable and opt out of as many antifeatures as you can on the provider’s modem-router and make sure the only attached device is your own router. It is not difficult to find a superior replacement.
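A practical way to confirm that the ISP device really is bridged, rather than still routing in front of you, is to look at the address your own router gets on its WAN side: an RFC 1918 address (typically something like 192.168.100.x) means you are double-NATed behind the modem, and a 100.64.0.0/10 address means the provider is using carrier-grade NAT upstream. The following script is an added example written for this post, not the author’s code or part of any router firmware; it assumes a Linux router with iproute2, parses the one-line output of `ip -4 -o addr show`, and uses constructed sample output with hypothetical interface names `eth0` (WAN) and `lan0` (LAN).

```python
from __future__ import annotations

import ipaddress
import re

# Address blocks that should never show up on the WAN side of your own router
# once the ISP modem is genuinely bridged: seeing one of them means the modem
# (or the provider) is still routing or NATing in front of you.
NON_PUBLIC = {
    "rfc1918": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],
    "loopback": [ipaddress.ip_network("127.0.0.0/8")],
}


def classify_wan_address(addr: str) -> str:
    """Return which kind of address the WAN interface currently holds."""
    ip = ipaddress.ip_address(addr)
    for label, nets in NON_PUBLIC.items():
        if any(ip in net for net in nets):
            return label
    # Everything else is treated as publicly routable here. RFC 5737
    # documentation ranges are deliberately included so the constructed
    # sample below counts as "public".
    return "public"


# One line of `ip -4 -o addr show` (assumption: Linux iproute2 one-line format),
# e.g. "2: eth0    inet 192.168.100.2/24 brd 192.168.100.255 scope global ..."
IP_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d{1,3}(?:\.\d{1,3}){3})/\d+")


def wan_addresses(ip_output: str, wan_if: str) -> list[str]:
    """Extract the IPv4 addresses assigned to wan_if from `ip -4 -o addr show` output."""
    addrs = []
    for line in ip_output.splitlines():
        m = IP_ADDR_RE.match(line.strip())
        if m and m.group(1) == wan_if:
            addrs.append(m.group(2))
    return addrs


def bridge_mode_check(ip_output: str, wan_if: str) -> dict:
    """Classify every WAN address and reduce the result to a single verdict."""
    addrs = wan_addresses(ip_output, wan_if)
    if not addrs:
        return {"addresses": {}, "verdict": "no-lease"}
    kinds = {a: classify_wan_address(a) for a in addrs}
    if "rfc1918" in kinds.values():
        verdict = "double-nat"   # modem still NATing; bridge mode is not in effect
    elif "cgnat" in kinds.values():
        verdict = "cgnat"        # bridged, but the provider shares the public address upstream
    elif "public" in kinds.values():
        verdict = "bridged"
    else:
        verdict = "no-lease"     # only link-local/loopback: no DHCP lease from the modem
    return {"addresses": kinds, "verdict": verdict}


# Constructed sample output, not captured from a real system.
SAMPLE_DOUBLE_NAT = "\n".join([
    "1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever",
    "2: eth0    inet 192.168.100.2/24 brd 192.168.100.255 scope global dynamic eth0\\       valid_lft 86000sec preferred_lft 86000sec",
    "3: lan0    inet 10.0.0.1/24 brd 10.0.0.255 scope global lan0\\       valid_lft forever preferred_lft forever",
])
SAMPLE_BRIDGED = "\n".join([
    "2: eth0    inet 203.0.113.17/24 brd 203.0.113.255 scope global dynamic eth0\\       valid_lft 86000sec preferred_lft 86000sec",
    "3: lan0    inet 10.0.0.1/24 brd 10.0.0.255 scope global lan0\\       valid_lft forever preferred_lft forever",
])

if __name__ == "__main__":
    # On a real router replace the sample with:
    #   subprocess.run(["ip", "-4", "-o", "addr", "show"], capture_output=True, text=True).stdout
    for name, sample in (("double-NAT sample", SAMPLE_DOUBLE_NAT), ("bridged sample", SAMPLE_BRIDGED)):
        print(name, "->", bridge_mode_check(sample, "eth0"))
```

A `double-nat` verdict is the signal that the provider’s device is still doing the routing and that its settings, not yours, govern what reaches your LAN; `cgnat` is acceptable for the purpose of this post (the modem is out of the path) but tells you inbound reachability depends on the ISP.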

Some possible options include:

Or something with any of the above preinstalled. The default configurations tend to be reasonable but could benefit from some customized DNS and firewalling rules. These options won’t stop your provider from intercepting traffic, but at least they deny the provider and others direct access to the heart of your local network.