Can my ISP see SSIDs on my router/modem provided by the ISP?

24

3

I rent a cable modem from my ISP that has its own Wi-Fi capability. Does my ISP have the ability to track various settings on their modem, such as wireless network SSIDs, etc?

Also, if I were to add an additional wireless access point, would my ISP have any visibility to the access point’s settings?

Brent Bollmeier

Posted 2016-07-30T08:42:48.880

Reputation: 241

16If your ISP can access your cable modem settings remotely - then yes they can see all settings you changed. If they can't access it remotely then no. – Darius – 2016-07-30T08:45:51.643

4Less sophisticated users will rely on the provider of their rented equipment to support it in all ways. To meet that consumer expectation, the provider will need to have total visibility/control over the on-premise equipment. If you want privacy, don't use the WiFi feature of their equipment; connect your own WiFi router via physical network cable. It adds an extra layer, but isolates your home network from anything your cable provider can see. – Zenilogix – 2016-07-30T14:18:00.693

1This is one reason my cable modem does not have Wi-Fi. – Michael Hampton – 2016-07-30T17:16:58.777

Answers

38

Yes,

Modern routers have a setting in their firmware to support CWMP (Customer-Premises Equipment WAN Management Protocol) for remote management. It is also called TR-069, after Technical Report 069, which first introduced it. This capability is also called zero-touch configuration, and most providers now use it to remotely configure your router.

ebal

Posted 2016-07-30T08:42:48.880

Reputation: 579
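To illustrate the answer above, an added example (not part of the original post): a CWMP `GetParameterValuesResponse` is the SOAP message in which a modem reports its settings to the ISP's management server, and the code below extracts the Wi-Fi settings from one. The sample message and its values are constructed; parameter names follow the TR-098 `InternetGatewayDevice` data model, and the function names are this example's own.

```python
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"

# Constructed sample (not captured traffic): a modem's reply to the ISP
# management server's GetParameterValues request. All values are made up.
SAMPLE_RESPONSE = """\
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
 <soap:Body><cwmp:GetParameterValuesResponse><ParameterList>
  <ParameterValueStruct><Name>InternetGatewayDevice.DeviceInfo.SoftwareVersion</Name>
   <Value>1.0.0-example</Value></ParameterValueStruct>
  <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.SSID</Name>
   <Value>HomeNet-example</Value></ParameterValueStruct>
  <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.BeaconType</Name>
   <Value>11i</Value></ParameterValueStruct>
  <ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.2.SSID</Name>
   <Value>Guest-example</Value></ParameterValueStruct>
 </ParameterList></cwmp:GetParameterValuesResponse></soap:Body>
</soap:Envelope>
"""

def parse_parameters(xml_text):
    """Return {parameter name: value} from a GetParameterValuesResponse."""
    # The stdlib parser is acceptable for this inline sample; use a hardened
    # XML parser for messages that come from the network.
    root = ET.fromstring(xml_text)
    resp = root.find(f"{{{SOAP_NS}}}Body/{{{CWMP_NS}}}GetParameterValuesResponse")
    if resp is None:
        raise ValueError("no GetParameterValuesResponse in SOAP body")
    params = {}
    for struct in resp.iter("ParameterValueStruct"):
        name = struct.findtext("Name")
        if name:
            params[name] = struct.findtext("Value") or ""
    return params

def wifi_settings(params):
    """Keep only Wi-Fi parameters, keyed by WLANConfiguration instance."""
    out = {}
    for name, value in params.items():
        parts = name.split(".")
        if "WLANConfiguration" in parts:
            # e.g. "WLANConfiguration.2.SSID" for a second SSID on the same box
            out[".".join(parts[parts.index("WLANConfiguration"):])] = value
    return out

if __name__ == "__main__":
    for key, value in wifi_settings(parse_parameters(SAMPLE_RESPONSE)).items():
        print(f"{key} = {value}")
```

Each `WLANConfiguration` instance is one wireless network on the managed device, so a second SSID configured on the rented modem appears in the same report as the first.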

Is it present even on non-ISP-provided routers? How do I disable it? – That Brazilian Guy – 2016-07-30T15:30:39.413

26that's upsetting and creepy :( – cat – 2016-07-30T15:31:30.683

5CWMP is a protocol, so if the hardware vendor has implemented it in its firmware - everything that has a network card (wireless or not) in the last decade - then you can't disable it. Almost every CPE (router) has it enabled by default to do zero-touch auto configuration. But a lot of IP cameras and IoT devices have it also. So yes, creepy as hell!!! Especially with weak implementation/security. – ebal – 2016-07-30T15:55:38.783

1@That Brazilian Guy I got my router from my ISP and I did disable TR-069 in the settings - in the Management section. It is worth checking if you have such or a similar option in your device. – okolnost – 2016-07-30T21:14:18.003

3I worked for a large cable ISP in western North America, front line techs can see the name of the SSID you pick. Generally, if you are using equipment that has been issued to you by your ISP then you have to assume that they know everything about its configuration.

If this is a concern to you, you can have the cable modem set to bridge mode and connect your own wifi router through the ISP's device, they will still see your traffic but they won't know your ssid / password. – NiallJG – 2016-07-31T00:17:20.960

12@cat It is upsetting and creepy, but not because of privacy issues. It's upsetting, at least, because it reminds us that so few people understand how to manage their network hardware that ISPs had to switch to that to provide effective, low-cost support for the zillions of "I forgot my wifi password" and "I changed a setting and now my internet doesn't work" calls. – Jason C – 2016-07-31T03:30:28.773

They could put a hard switch on the outside of the box. Turn it on when you call support (and your accounting disk is not mounted, secrets are stowed); turn off TR-069 otherwise; without having to go into the admin pages. – JDługosz – 2016-07-31T13:29:23.993

@JDługosz Physical electrical switches cost real money for each and every device sold. A software setting controlling some behavior in the software only costs money to implement once (well, ideally). Thus, in a highly competitive environment, there is a drive to minimize the number of physical switches, because doing so reduces cost at scale, improving profit (which can be used to put food on engineers' tables, or to reduce per-item product cost for consumers, or to line stockholders' pockets or bank accounts). – a CVn – 2016-07-31T13:59:17.133

2Yet they keep including WPS buttons that everyone says should be disabled. – JDługosz – 2016-07-31T15:49:36.500

@JDługosz - not worth it for the tiny percentage of customers that want that level of control. It's just one more thing the customer has to be walked through to get support "Wifi router!? What's that? Where is it? Why do I have to flip a switch, I bought it from you, can't you just fix it!?!" Besides, do you really trust the software to do the right thing when the "Privacy mode" switch is flipped? – Johnny – 2016-08-01T02:36:02.017

@ThatBrazilianGuy Generally, the ISP can only manage the cable modem, and any features embedded into it. If you have your own router connected to the cable modem by Ethernet, they have no management access to it. – Barmar – 2016-08-05T17:51:07.803

9

I rent a cable modem from my ISP that has its own wifi capability. Does my ISP have the ability to track various settings on their modem, such as wireless network SSIDs, etc?

Yes, see @ebal's answer.

Also, if I were to add an additional wireless access point, would my ISP have any visibility to the access point's settings?

If you added a second access point, then no. You should set a password on it to be sure (on the AP itself). However, if you added another SSID to your rented AP (making the one hardware device appear as two wireless networks), then yes they would have access to those settings, as well as any others on their box.

rsaxvc

Posted 2016-07-30T08:42:48.880

Reputation: 191

9

If you use a device provided by someone you should take into account that they can customize the firmware as they wish - that includes leaving an SSH server with their key authorized to access the root account, so they can remote in at any time and do whatever they want on the router.

Even if they do not have direct remote access the firmware may be designed to periodically check for updates from the ISP's server, so they can add the remote access functionality at any time.

Now, this doesn't usually mean it will be used maliciously. I do it as well on the equipment I provide, and I feel it is fine as long as the customer is fully aware of it. This allows for quick fixes and diagnostics before the customer even realizes there was a problem in the first place. But you have to understand that the level of control your ISP can have is way beyond seeing what SSID and wireless key you set. With full root access it is possible to see and tamper with the traffic passing through the device.

Whether you trust that router depends on whether you trust your ISP and how their systems are secured (if an attacker steals the credentials used to log into your router or compromises the remote management/update infrastructure he will have the same level of control the ISP has).

Finally, with most ISP-provided routers, I would be more scared about the lack of updates and security built into the firmware rather than the remote access functionality. Remote access is bad, but it's likely there are tons of other vulnerabilities that give full root access to an attacker no matter whether ISP-provided remote access is in place or not.

For your second question, no - your ISP will not be able to see your own equipment's settings unless they know your administrative password (and will log in over the web interface just like you do when configuring the device). They could, however, still know which SSID you are broadcasting and what encryption type, as they have control over the router and the wireless card and nothing prevents them from running airodump-ng on it. I doubt they will do this (why is knowing your own SSID so important to them?) but they definitely can.

André Borie

Posted 2016-07-30T08:42:48.880

Reputation: 974

«why is knowing your own SSID so important to them?» because when calling for support, the first thing she does is note that it’s not all factory default settings and "fix" the wifi etc. The on-site service used a wifi tablet to access it, so naturally he needed to know and could not configure wifi to be off though I requested it. – JDługosz – 2016-07-31T13:34:04.243

7

In general, if someone gives you a communication-enabled device and you use it to do a thing, there's a very good chance that whoever gave it to you can use some kind of remote management to see exactly what kind of thing you're doing. Since your wireless network is managed by a device from your ISP, and that device obviously can communicate with your ISP, they could - and likely have - included features that send info about your WiFi to them.

If you use a device that's not supplied by your ISP - e.g. a separate wireless router - then your ISP can't fiddle around with it (without knowing the password) unless the router was specifically designed to smuggle configuration details out the data stream that passes through the ISP. I personally find that scenario unlikely. If you're still paranoid, you could flash on open-source router firmware like Tomato.

Of course, if your wireless router is broadcasting its SSID, a particularly sneaky ISP could capture it with a listening device placed near your house. That device could be hidden in the box where the cables come into your house, or it could even be embedded in the ISP-supplied cable modem.

Ben N

Posted 2016-07-30T08:42:48.880

Reputation: 32 973