Best security for a home network?

My ISP offered me a ‘free upgrade’ which was literally just a new router (no change to bandwidth) and I got super paranoid about why they want me to have it. Probably because I recently read something Ed Snowden wrote about how your ISP has access to all your info. Any bad actors on their side and all your private info is now public info.

Got me wondering what steps people here take to make their home network as secure as possible? Has anyone found a way to block their ISP from getting access to their info? Is it worthwhile (or even possible in UK) to install a 3rd party router instead of using the standard one they give you? I understand that some VPNs sell your data. Which ones are you guys using? Does anyone use Tor browsers and stuff like that?

This is a bit loaded. Can your ISP see some of your traffic? Yeah. Are they probably snooping for certain traffic patterns? Yeah, probably. Are they collecting a database of this? Probably not. Someone else is taking care of that ;). They’re your service provider. Anything passing through their network is going to be monitored to some degree.

You likely can use your own hardware or put theirs into a bridge mode and stack your own behind it. That in itself won’t change much. You could however configure your hardware to tunnel your traffic to some other egress, like a VPN service. Mullvad and Private Internet Access are highly recommended on Reddit. But you’re going to slow down your connection. How much depends on a lot of factors. Does this truly add security and privacy? Not really.

You’ll cover more ground by keeping passwords secure, systems up to date, 2FA all the things, and just generally being mindful of what you put on the internet. Personally I do run a fairly locked down firewall but that’s squarely security. You seem to really be asking about privacy. And you have none if you want to believe ole Ed.

Your ISP is not spying on you. You’re not that interesting mate, none of us are.

My first guess would be it’s mainly so the ISP can have better control over your router. Lowers the cost of support when someone inevitably calls up “I don’t know how to put my new iPad on the WiFi-s, what do you mean my password, I don’t remember having to use a password before” and now the ISP can just have the support person pull up the router and put it in WPS mode or tell you your password, reducing ticket time and increasing customer satisfaction from illiterate people.

I wouldn’t want it for myself, but I also have a day job that is a mix of software engineering, cybersecurity, and system administration…and my home network is more resembling a business network than a consumer device. You mean not everyone has a 42U rack in their basement and 40+ drops to almost every room of the house?

There is no reason to be paranoid about this situation. Your ISP can see everything you do no matter the router you use. Every packet goes through their servers. If you’re concerned you want to set up a VPN. It all still goes through their servers but it’s encrypted. The routers are only protecting things inside of your network.

Yes, it’s very easy to use your own router in the UK, but they will still see the same traffic going through the network - these days most will be encrypted. As far as I am aware they won’t be able to perform full DPI without installing a certificate on your personal devices - which as far as I am aware doesn’t happen.

You have to assume at this point that all network and VPN providers are compromised by the likes of GCHQ. GCHQ have even compromised friendly country telecoms companies.

While VPN providers may not log - I am less convinced of their security than many. I have been told some are state sponsored and some sell your data.

IMHO if someone is up to no good (and I don’t just mean piracy) then a VPN or Tor isn’t going to save them in the long term.

ISPs have full packet inspection. Even if you don’t use the ISP’s DNS servers they can still see all the traffic flowing in and out of your home. The only way to encrypt your connection is to use a VPN. Using a VPN at the router level using OpenVPN/Tailscale/WireGuard will ensure all traffic is encrypted. Now all your traffic will tunnel through the VPN at a cost of typically higher latency/ping and slower throughput speeds. But when dealing with VPNs you are at the mercy of the VPN’s policy for privacy. Even then the government has access to all the VPNs stationed in the USA and can lawfully request records. Good luck trying to anonymize yourself. Typically if you want your trail to be clean you’ll use a bootable OS on USB like Tails that deletes all data once unplugged, also paired with multiple proxies.

Decide who your threat is.

If you think that is the NSA or MI5, throw away all your electronic devices; you’re not sophisticated enough to hide from them, very few of us are. Those who can can’t do it indefinitely without making a mistake.

Behave as if everything you send is being recorded.

Because it is.

For the vast majority of us that is not really a problem. We are not who they are interested in.

You use the term security in your title but in the body of your post you talk about privacy.

My ISP offered me a ‘free upgrade’

Believe it or not, the only way it seems possible to get rid of cheap internet connected things is when you throw them away. Heard of botnets? Haven’t seen ISPs who even flash DD-WRT or OpenWRT, which are open and can get updates. Hoping someone can share if they’ve experienced this with their provider …

Is it worthwhile (or even possible in UK) to install a 3rd party router instead of using the standard one they give you?

Now this is about security… Do that. More expensive but worthwhile would be to put a firewall box in front of your ISP provided router with routers/access points “behind” the firewall… It’s not only about cost but your time/learning curve; however, you truly can conjure rules that do exactly what you want. Couple this with VLAN-tagging capable equipment and it’s the dream setup when having IoT things in your networks.

Coming back to your fears about your ISP I only see one: snooping on your DNS requests. Nowadays most sites are HTTPS, but if you’re using your ISP’s provided DNS resolver they can see which sites you visit.

You can set the resolver in that recommended 3rd party router or your firewall/router to something like Cloudflare’s 1.1.1.1 or 1.0.0.1 or OpenDNS’s 208.67.222.222 or 208.67.220.220.

Here’s a tool to benchmark which DNS resolver is closest to you - GRC’s DNS Nameserver Performance Benchmark

More challenging would be to set up your own recursive DNS resolver from the likes of NLnet Labs’ Unbound - Unbound by NLnet Labs — Unbound 1.22.0 documentation

Edit: Forgot that Pi-hole can also run as your DNS resolver - https://pi-hole.net/
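The post above says to point the router at a public resolver, and the earlier reply notes the ISP sees DNS whenever the resolver is theirs. A plain UDP/53 query to 1.1.1.1 is still readable on the wire; what actually hides the queried name from the path is DNS over TLS (port 853), which both Cloudflare and OpenDNS offer. The script below is an added example, not from the thread or from any of the named projects: it builds a DNS query in wire format, sends it over TLS to a resolver while verifying the resolver's certificate, and parses the A records out of the reply. The `SAMPLE_RESPONSE` bytes are constructed by hand for offline checking, not captured from a real resolver; the `cloudflare-dns.com` certificate name is the one Cloudflare publishes for its DoT service.

```python
"""Query a resolver over DNS-over-TLS (TCP/853) and parse the answer.

Added example, not part of the thread. The wire-format helpers work
offline; query_over_tls() needs network access.
"""
from __future__ import annotations
import socket
import ssl
import struct

QID = 0x1234  # fixed transaction ID, fine for a one-shot demonstration


def build_query(qname: str, qid: int = QID, qtype: int = 1) -> bytes:
    """Encode a standard recursive query for qname (qtype 1 = A record)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    labels = b"".join(
        bytes([len(part)]) + part.encode("ascii")
        for part in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(msg: bytes, offset: int) -> tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    parts, end, jumped = [], offset, False
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(parts), end
        parts.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_a_records(msg: bytes, expected_id: int = QID) -> list[str]:
    """Return the IPv4 addresses in the answer section of a DNS response."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("response ID does not match the query")
    if flags & 0x000F:
        raise ValueError(f"resolver returned RCODE {flags & 0xF}")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4  # qtype + qclass
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[offset:offset + 4]))
        offset += rdlen
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the connection early")
        buf += chunk
    return buf


def query_over_tls(resolver_ip: str, server_name: str, qname: str,
                   timeout: float = 5.0) -> list[str]:
    """Send one query inside a verified TLS session on port 853 (RFC 7858)."""
    ctx = ssl.create_default_context()  # verifies the certificate against system CAs
    query = build_query(qname)
    with socket.create_connection((resolver_ip, 853), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)  # TCP framing: 2-byte length
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length))


# Constructed sample response (hand-built, not captured) for offline checks.
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # id, flags QR|RD|RA, 1 question, 1 answer
    b"\x07example\x03com\x00\x00\x01\x00\x01"            # question: example.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04"  # answer: name pointer, A, IN, TTL 3600, rdlen 4
    b"\x5d\xb8\xd8\x22"                                  # rdata 93.184.216.34
)

if __name__ == "__main__":
    # Cloudflare's resolver from the post; the server name must match its certificate.
    print(query_over_tls("1.1.1.1", "cloudflare-dns.com", "example.com"))
```

If the connection on 853 fails while port 53 works, the path in front of you is not carrying encrypted DNS, and the router setting alone has not taken the ISP out of the loop. Unbound (mentioned in the post) can do the same thing for the whole LAN by forwarding to an upstream over TLS, which is the more practical place to put it than on every device.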

I got rid of my ISP router because they could see how many devices I had on WiFi.

Someone else is taking care of that ;).

Ed’s old boss, in fact.

Yeah 2FA, password managers, changing passwords etc. Feels like it isn’t enough. If someone cloned your device maybe they can access everything? If you downloaded spyware maybe someone can see everything?

What’s your opinion on the built-in firewall on Windows and Mac OS? I’m guessing you have an additional hardware firewall installed?

Privacy is a sticky one. Can’t do much about the flat above me pointing a mic at the floor or someone pointing a camera at my window.

They’re not the main issue TBH. Just one link in the chain of possibilities.

I mean they do collect data via DNS. And that data is useful to marketing folks. It says a lot about your interests etc from the websites you frequent, how often you visit, when you visit. You can extract a lot from metadata.

And you can bet your ass that data is sold to brokers.

We’re quite interesting to algorithms and databases sold to marketing firms.
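To make the “you can extract a lot from metadata” point concrete: a resolver operator never needs page content, only the queried names and when each client asked. The script below is an added example, not from the thread. It takes constructed log lines in a made-up `timestamp client qname` format (no real resolver logs this exact way) and builds the kind of per-device profile the earlier replies are worried about: which sites, how often, first and last seen, and which hours of the day the device is active. The `registrable_domain` heuristic for co.uk-style suffixes is a simplification of the Public Suffix List, marked as such in the code.

```python
"""What a resolver's query log alone reveals about each device.

Added example, not part of the thread. Log lines are constructed.
"""
from __future__ import annotations
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log in a hypothetical "timestamp client qname" format.
SAMPLE_LOG = """\
2024-05-01T07:02:11 192.168.1.20 news.example.net
2024-05-01T07:02:12 192.168.1.20 cdn.news.example.net
2024-05-01T07:45:30 192.168.1.20 bank.example.co.uk
2024-05-01T12:10:05 192.168.1.31 videos.example.org
2024-05-01T22:15:40 192.168.1.20 bank.example.co.uk
2024-05-01T23:59:59 192.168.1.31 videos.example.org
2024-05-02T07:03:01 192.168.1.20 news.example.net
"""

# Simplified stand-in for the Public Suffix List: second-level labels that
# are themselves suffixes under two-letter country codes (co.uk, ac.uk, ...).
_SECOND_LEVEL_SUFFIXES = {"co", "ac", "gov", "org", "net"}


def registrable_domain(qname: str) -> str:
    """Collapse a hostname to the site it belongs to (example.net, example.co.uk)."""
    labels = qname.rstrip(".").lower().split(".")
    if (len(labels) >= 3 and len(labels[-1]) == 2
            and labels[-2] in _SECOND_LEVEL_SUFFIXES):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def profile(log_text: str) -> dict[str, dict]:
    """Per-client profile: site counts, hour-of-day histogram, first/last seen."""
    clients: dict[str, dict] = defaultdict(
        lambda: {"sites": Counter(), "hours": Counter(), "first": None, "last": None}
    )
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, client, qname = line.split()
        ts = datetime.fromisoformat(ts_text)
        rec = clients[client]
        rec["sites"][registrable_domain(qname)] += 1
        rec["hours"][ts.hour] += 1
        rec["first"] = ts if rec["first"] is None else min(rec["first"], ts)
        rec["last"] = ts if rec["last"] is None else max(rec["last"], ts)
    return dict(clients)


def report(profiles: dict[str, dict]) -> list[str]:
    """Render the profiles as one line per client, most-visited site first."""
    lines = []
    for client in sorted(profiles):
        rec = profiles[client]
        sites = ", ".join(f"{site} x{n}" for site, n in rec["sites"].most_common())
        hours = ",".join(f"{h:02d}" for h in sorted(rec["hours"]))
        lines.append(
            f"{client}: {sites}; active hours {hours}; "
            f"seen {rec['first']:%Y-%m-%d %H:%M} to {rec['last']:%Y-%m-%d %H:%M}"
        )
    return lines


if __name__ == "__main__":
    for line in report(profile(SAMPLE_LOG)):
        print(line)
```

Seven log lines are enough to separate a morning-news-and-banking device from an evening-video device and to tell when each is usually awake. That is the data set an ISP resolver has for every household by default, which is the case for running a local recursive resolver, or at least forwarding over TLS, rather than leaving the router on the ISP's DNS.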

As a dev and cybersecurity guy, talk to me about your technology stack. I’m guessing there’s an impressive list of kit including hardware and software that I could consider doing my homework on. Maybe upgrading to a setup like yours will preserve what little sanity I have left.

Any tips on the best VPN to use?

How does changing DNS servers improve my security? Does switching to the Google DNS help for example?

OpenVPN is open source right? So does that make them a better choice over the others? I’m aware of dVPN solutions. What’s your opinion on installing one of those between my router and switch so all my devices run through it?

Multiple proxies? Is there specialist software for that? Or do you daisy chain your IP address via various VPN providers?

Bootable OS is overkill. I’m not a journalist investigating government or living in a country with severely restricted access. I just want to take as much control over my security as I possibly can. I’ve considered not using Wi-Fi and going wired, but I can’t wire my smartphone. To some extent I think there are some attack vectors I’ll just have to accept. A tradeoff between security and convenience.

I know they’re watching me. They don’t care unless I’m doing something horrible. It’s people like this guy who I don’t want watching me.

Yeah I have an ISP provided config where I can set static IP addresses and monitor all devices. If I can set that stuff on their system, they can definitely see what I’ve got going on. I suppose that’s one benefit of using your own router. Did you find that your speed was throttled at all?