8

I was just visited by some door-to-door salesmen from a local ISP/TV/Phone provider. During our conversation, I raised some concerns about the fact that I knew their help desk techs had back-door access to the home gateway devices. This access allowed them to update the router's firmware whenever they wanted, and even change security settings on the device. What had bothered me was that, during one particular call, they had done this despite my expressed objections.

Putting that aside, the salesperson diverted the discussion to the issue of their type of connection being more secure than other providers. Their logic seemed to make some sense, but I wanted to bounce it off you guys to see what actual protection there may be. The point broke down to one connection method being a shared medium among neighbors, versus their connection method which was dedicated to each home.

Are there any inherent security risks/benefits to the various forms of ISPs? If so, what?

I'm looking to see answers covering:

  • Fiber
  • Cable
  • DSL
  • Is dial-up even around anymore?
  • Satellite
  • Mobile (3G/4G/etc.)
Iszi
  • 26,997
  • 18
  • 98
  • 163

5 Answers5

6

For attackers who are "far away", the medium is irrelevant: such attackers act at the logical level, sending IP packets which must go through the facilities of your ISP. What could protect you at that point is a competent ISP, which is unrelated to the medium used to move the packets between the ISP and your home (and that's an oxymoron, too).

Medium matters only for attackers who are physically close. A motivated attacker with physical access to the premises could "work around" the medium by attacking either end. With an ill-tempered hound and a shotgun, you can take care of the physical security of your home, but there is little you can do for the other end, which is under the responsibility of the ISP. Radio-based links may be a bit more at risk here, because the ISP end of it must have an aerial antenna, thus exposed to the elements at large, and attackers with climbing skills.

If we consider only attackers with low motivation and unwilling to act physically, and yet for which the physical medium has any importance, then the question becomes "how can I prevent my neighbours from spying on my connections and leeching my bandwidth ?". There, the medium can make quite a lot of difference, because of the availability of the required tools. For instance, I would rate 3G connections as "quite secure" (in that context) because 3G includes encryption, and in any case 3G protocol analysis apparatus is neither cheap or off-the-shelf at any Best Buy-like franchise. At the other end of the scale, one may find WiFi-based ISP: WiFi has a long history of botching encryption and security, and all laptops have an on-board WiFi component which is easily amenable to protocol analysis (e.g. changing your MAC is standard issue and supported by any decent OS out-of-the-box).

In the "neighbour is the attacker" scenario, point-to-point mediums are also somewhat better than broadcast mediums; I know of some Cable providers where the cable is a thinly disguised carrier for ethernet frames, which are broadcasted throughout the building, the ISP "box" acting as a filter. On the other hand, DSL is normally point-to-point.

Some ISP use cryptography; at least, some DSL providers implement (or used to implement -- I saw that in France about 10 uears ago) PPTP or L2TP with encryption and strong authentication. Done correctly, this provides a high level of protection against neighbours, which abstracts away the details of the physical medium. This brings us back to the question of ISP competence...

Most of the security issues you will have will be with the router provided by the ISP, which can have backdoors and security holes; and, in the second place, security holes in the ISP network itself. As for the medium, in your list, I would rate 3G networks with the highest level of security because the protocol includes by default some decent protection, so a medium-related issue would need the ISP to be creatively incompetent; whereas for Cable, DSL or Fiber, basic crassness is sufficient to be vulnerable.

Tom Leek
  • 168,808
  • 28
  • 337
  • 475
  • +1 "With an ill-tempered hound and a shotgun, you can take care of the physical security of your home". – woliveirajr Feb 01 '12 at 19:30
  • I quoted a part of your answer in [my question](http://security.stackexchange.com/q/53645/12139). – unor Mar 18 '14 at 23:59
2

The level of risk in this particular case falls on a couple different things I think:

  • Can someone eavesdrop on the line and read or modify your data in transit?
  • Can someone impersonate your identity while connecting to the ISP?

The first question is kind of difficult to answer because it sometimes depends on the system you are accessing. Point to Point connections are more difficult to intercept than shared connections, so fiber or dial-up or T1 etc, are a harder (relatively) to attack. However, you could make the attack past the ISP where everything is on a shared medium and you bypass the line entirely.

Impersonating the user connecting to the ISP could be an interesting attack because it could show evidence of illegal actions and it might get you in trouble. It's relatively easy to do this on shared lines because then all you need is the credential. Any type of connection that requires special hardware like Fiber or Satelite is going to be relatively harder to attack because you need the credentials and the hardware.

Steve
  • 15,155
  • 3
  • 37
  • 66
  • 1
    My (domestic) cable modem (formerly NTL, now VirginMedia, which uses an optical fibre link from my house to the exchange) is CSMA/CD - I can see other peoples traffic. Indeed since the bandwidth is throttled locally I believe it was possible to steal other peoples bandwidth cap by sniffing their MAC and changing the MAC on the modem. Just because it's fibre doesn't mean it's point-2-point. – symcbean Feb 01 '12 at 11:11
  • Also risk of DDoS, the risk of DDoS against a higher bandwidth link is less as that much more traffic needs to be generated (particularly if router or endpoint is not susceptible to things like SYN flood attacks). – ewanm89 Feb 01 '12 at 16:41
  • @symcbean true, not all fibre is equal. – Steve Feb 01 '12 at 17:47
2

When cable internet first came out in our area, it was possible to see my neighbour's computers from my 'network neighbourhood' if I configured my network a certain way. It was corrected some time afterwards, but it does indicate that there is at least some concern about a 'shared' connection pool.

At lower layers of the stack, the connection type would affect the ability of someone to physically access your network, which brings up all the normal physical network access issues (man-in-the-middle, et al.).

As you move up the stack, the type of connection matters less.

schroeder
  • 123,438
  • 55
  • 284
  • 319
  • Ever since the days you could see your neighbours in network neighbourhood, ADSL salesmen have been using it as a marketing angle to sell ADSL instead of cable. Since the cable modem technology changed, The relevance of being technically able to sniff the other guy's traffic has dropped. Now it takes a motivated interloper on your segment. – mgjk Feb 01 '12 at 18:33
  • see further, 2002 vs. 2008 perspectives on this: http://www.sans.org/reading_room/whitepapers/hsoffice/sniffing-cable-modem-network-myth_623 http://www.defcon.org/images/defcon-16/dc16-presentations/defcon-16-martin.pdf tl;dr : you might be able to sniff the downstream if your provider opted not to encrypt traffic. Use a DVB-C card. Upstream is harder. Disclaimer: I haven't tried this. – mgjk Feb 01 '12 at 18:40
0

Just a minor aspect of comparing:

  • DSL
  • Mobile (3G/4G/etc.)

Here in Germany, most DSL customers use a router, which is a security improvement for the clients behind. If they have a service running, it isn't reachable from outside without intentional setup.

But using a mobile modem (UMTS/HSDPA/GPRS/...) means, that the IP of my device is exposed directly to the net, and so a running service can be reached from outside, if I don't take care.

user unknown
  • 484
  • 5
  • 11
-2

There is a big difference between something that is claimed to be secure and something that has passed an independent security audit. Your service provider may make lots of claims, but the fact remains that their technicians can apparently change the software in your router at will. Even if it is totally secure right now, what guarantee do you have that they will not change it and introduce a security vulnerability tomorrow?

What you should really do is take responsibility for your own security and install your own firewall between your computers and their equipment.

JonnyBoats
  • 1,143
  • 7
  • 8
  • I would disagree that my service provider can change the settings on my router. They might be able to change the settings of my cable/dsl modem but THEY CANNOT modify my router. I have to give you a downvote for bad information – Ramhound Feb 01 '12 at 17:36
  • 2
    Ramhound: That may be true for your router, but the person asking the question stated: "their help desk techs had back-door access to the home gateway devices." – JonnyBoats Feb 01 '12 at 19:37
  • What I mean by having access to the home gateway device is this: We are required, in order to use their TV/Internet/Phone service, to use their router as our perimeter device. We can put whatever routers/switches behind it we like, but in the end the Tier 1 techs still have access to the perimeter device which includes the ability to modify security settings and flash the firmware with their own malicious copy. – Iszi Feb 01 '12 at 21:41
  • I really don't understand why the down votes; but I stand behind my comments that everything they provide should be considered insecure and you should provide your own secure device between your network and their equipment. – JonnyBoats Feb 01 '12 at 22:12
  • 1
    @JonnyBoats While the security of the gateway device is what sparked the security discussion with the salesperson, it is not the topic of the question. Your answer does not address the risk profile comparison of different ISP connections, which is the core of the question. – Iszi Jul 12 '12 at 21:34