When ISPs keep a secret, it's a threat to us all

by Michael Tremer, January 25, 2013


Recently, the German Bundesnetzagentur (Federal Network Agency) issued a paper which basically allows Internet Service Providers (ISPs) in Germany not to disclose the user credentials to their customers ([1] and [2]). As a consequence, customers have to use the router that is provided by the ISP.

Why are they doing that?

The ISPs’ argument is that they need to have access to the routers to configure everything that is running on them, mainly VoIP account configuration. They also fear that other routers might harm the ISP’s networking infrastructure.

I think both reasons are stupid. It has never been a problem to use another router, modem or whatever.
Most of the alternative solutions people use are a real improvement and those things your provider sends to you are the real trouble. It’s cheap Asian technology that often does not run very well, because the manufacturers don’t really care about quality but quantity. Hundreds of thousands or even millions of those devices are produced and then sent out into the world.

Broken firmware

They all come with the same bugs and firmware that is way outdated. There are some exceptions, but most of the hardware is shipped with software that was last touched three, five or even more years ago. I don’t need to tell you that there are not only bugs in the sense of malfunction, but also bugs that are a security threat.

Let’s summarize that again: ISPs are shipping hardware with a lot of security issues in it to all their customers. They don’t differentiate between business customers and the rest. They all get the same hardware.

If you are still not angry, imagine this scenario:

  • Hackers only need to find one security issue they can use and then need to scan the address ranges of the ISPs to intrude into all the networks behind the routers.
  • They could just steal all your data. The latest hardware is quite powerful enough to scan the traffic in real-time and find the interesting stuff.
  • They could create a very very huge botnet. We already had that in Brazil a couple of months ago where DSL modems were hijacked.
  • It is also possible to hijack your browsers and your phones.

This whole thing is a security threat. I don’t want to see this become reality.

Maybe this sounds like an exaggeration, but have you ever seen a single ISP that patches the routers? (I know that cable providers update the firmware on their cable modems from time to time.) I haven’t and I am sure that we won’t see that in the future either. They are just not doing their homework.

What to do about it?

Push your ISP. They should not get away with this. If they won’t give in, change your ISP! Or even better: Don’t ever sign a contract with those who tend to do crazy stuff.

They all do a lot of things that don’t make it fun to be a customer, like contracts that run for at least two years and that you cannot escape from. They take ages to fix problems – most of them happen because some infrastructure is ridiculously old and it’s a total miracle that it has not caught fire yet. They should invest more money to increase the bandwidth – oh no, not only in the big cities.

I’ll now go and continue waiting for IPv6…

ISPs that currently refuse to hand over the credentials include at least Vodafone Germany, which has been doing this for quite a while. 1&1 Germany hands out the username and password, but they cannot be used, because you’ll need to add some characters to the username that identify your way of accessing the internet.

I apologize for all the German links.