I’m planning to buy a router and modem and put OpenWrt on it for maximum control and privacy. While I could get a router with an integrated DSL modem, the previous tenants had cable internet so I’m not sure if the DSL connection even works and DSL internet is also more expensive (at least where I live). Fiber optic is not available. The problem is, there is apparently no open firmware for cable modems so I would have to buy a standalone router and a standalone cable modem. I would put OpenWrt on the router and use whatever proprietary firmware came with the modem.
So my question is:
Can a standalone modem that doesn’t do routing, spy on you?
If yes a rough explanation how would be appreciated.
It seems that modem and router are used interchangeably on the internet (probably because they are mostly combined) so it is really hard to find any information on modems. Here are both Wikipedia articles for reference:
https://en.wikipedia.org/wiki/Modem
https://en.wikipedia.org/wiki/Router_(computing)
What you think the modem can spy on by whom? Certainly not the ISP I suppose. They can already do it without the modem.
The modem manufacturer might send traffic data to themselves. But the modem would need router capabilities for that, wouldn’t it?
I don’t think ive heard about any privacy issues regarding modems. They convert your data into the Level 1 format so that it can be moved to the next hop. There isn’t really anything to spy on, and its very hardware dependent (hence no open source software that can standardize across each device). There might be open source modems out there, but your ISP probably doesn’t support them.
In an absolute sense, yes a modem can spy on you by hijacking requests and redirecting them to controlled locations. We use TLS to prevent this, even stronger with technologies like HSTS.
Does this happen in real life though? More then you think, but less of an impact then you think.
Some US providers will hijack DNS requests and redirect them to their own DNS servers, but this can be solved with DOH or DOT.
TLS interception is a thing but it requires the device you are using (phone, PC, tablet, laptop) to have a root certificate installed that the ISP also controls. Almost all browsers will only install root certificates from root certificate providers with good standing and have no quarm in untrusing the root certificate if things go badly.
First of all, the ISP controls cable modem firmware. They have all the settings and manage the device. You don’t get much control there.
As for your question, I’d say no, for 2 reasons. First, designing that capability is expensive and modems are built for cheap reliability. Second, any hardware to spy is more useful installed in a data center accessible to their user base. There is not much point installing unnecessary tech to one endpoint.
As for router, they are beefier CPU-wise. AT&T has in the past prevented users from changing DNS settings and that could lead to lots of tasty data. Deep packet inspection is becoming more prevalent in home routers as is integration with other technologies. (EERO devices for example).
Make sure to fire up a VPN or something when you need.
Thank you!
After posting this yesterday when lying in bed trying to sleep (i posted directly before going to bed) I thought of a similar reason:
Since (as far as i understood it) a modem is just a device that converts between 2 different types of internet signals, the ISP also needs one on their end to connect me to their data center. So it would be way easier for them to spy on their end of the cable (or signal, or whatever type of modem is used) than on my end, since there isn’t really much happening in between.
thanks for this, I was also in this situation, I got a xiaomi router and flashed OpenWRT on it, I then turned off the Wifi switch on the ISP router making it a modem only but I was still concerned about my internet data as it moves between my modem and their servers. your comment made it clearer
i should probably invest in that mullvad vpn now
This is the same as when my grandmother asks if her phone was hacked.
Can it? Maybe. It’s not impossible; but it isn’t practical and most ISPs limit their shenanigans to grabbing your unencrypted DNS requests.
Will it? Probably no; aside from the previously mentioned DNS redirections; they’re not interested in most people’s packets, only in how many they deliver.
Should you care? I won’t tell you not to take precaution, but I do urge you to consider your threat model carefully and consider the tradeoffs. When Security & Privacy goes up, Convenience and Functionality WILL go down. Balance your needs. Don’t put yourself in a state of Privacy fatigue.
Are there easy fixes? Maybe. I think a VPN or using Tor would solve your concerns here anyways; it’s not required that your modem be running OSS that you can control. If you can achieve it; that’s still good for you; but it’s not something to be sweating if your modem isn’t capable and your invasive ISP is the only effective option.
There is exactly one Fritzbox (Modem+Router) that can be flashed to dd-wrt, but only if it hasnt been patched by upstream firmware
Block the ISP DNS and use your own on the router level.
You could look into wireguard or VPN on the router level.
Probably OpenSense.
As long ad your device has a IMEI though not like it matters.
There’s probably a million other things you would need too. Make sure your browser doesn’t use its own DNS, eg, Firefox + CloudFlare by default.
I assume you could theoretically split traffic up over multiple ISP’s making it a PITA to try to make sense of.
Also obviously separate trusted & untrusted devices, WiFi and wired into separate networks.
That’s exactly why I want OpenWrt on my router. To have that kind of control.
Anyway your answer is completely unrelated to my question.
I think your best bet is to assume that everything you don’t control is a vector.
The modems run binary blobs you don’t control.
A standard modem with a singular hookup to a router is as good as it gets. Maybe you are contemplating the modem as a combo – if it is also a router and wifi, you can bet the ISP sees that as “Their Network” and not “Your Network” and any WiFi capabilities could be used to reverse hack insecure devices theoretically like smart TV or IoT.
You could put the modem router combo in a Faraday cage to dampen the signal theoretically.
That may not be answers to the query but I think the smart short answer is: yes, unless verified no.
Edit: to go further, theoretically they can capture any traffic and if they get the encryption key decrypt the traffic.
Or maybe with a quantum computer decrypt with ease. And if you have any leaks or there are backdoors then who knows what the consequences could be, cough cough xz
the questions of can they spy, and will they spy are different questions. at some US ISPs (at least the one i am at) the modems usually are only monitoring performance, ie number of packets, errored and discarded packets for troubleshooting. as far as the modem which i will assume is just a layer 2 bridge to your provider, usually not a whole lot going on there due to costs of the hardware. where the privacy violations are going to occur in the access equipment or core. this is what your modem connects to, then your traffic crosses on the way to the “greater internet” if your not using a vpn to outside of your provider, there is no way around it, they can and probably do tap into what your doing. a lot of them it may not be overly nefarious, i know my company does not sell customer data, and we generally only access it for troubleshooting and bandwidth analysis for upgrades, or as ordered by a court for law enforcement.
if you use a router from your isp almost every manufacturer is trying to sell all these different analytics and dpi that basically tells us what websites customers are visiting and how much/type of traffic to those sites, but directly from the router. same, or greater level of privacy violation as that can see local traffic on your lan, as well as watching wifi connection strength and scanning to see air quality and neighbors for “troubleshooting” or to sell access points.