My router was playing up, initially I couldn’t get my phone to connect, which I thought was my fault - since I started running grapheneOS but then other devices stop connecting and then those that were connected couldn’t access certain sites etc.
I still live at home, so my mum who isn’t technologically literate phoned the ISP, and attempted to fix it. Turns out it just needed a reset, as the last time it had been reset was 8 years ago.
What was a surprise was that the ISP guy told my mum how many devices were connected to the internet. She found that immensely creepy.
I doubt there’s anything I can do to reduce the trust burden with an ISP, beyond telling my mum to use a VPN. My threat model always had ISPs as a risk that had to be taken, however I am curious as to if there is anything at all that can be done! That’s also not immensely impractical?
I would at the minium assume the ISP has access to everything you can see in the management page of their modem/router.
Use your own router, if you don’t want your traffic/activity watched, you must use a VPN. There are several routers that have built in VPN clients, that should be more convenient then per client VPN.
For reference on what your ISP is using to watch your traffic from the subscriber through the core and to the internet, you will want to read about sflow/netflow, which reads packet headers. Technically, the ISP can capture all traffic and would have the full ability to read unencrypted data. There is also the ability to do MITM TLS shenanigans, but typically you see that at the enterprise level as end devices need to trust the certificate issued to the proxy. Also note that there is such thing as lawful intercept, which in the US means that law enforcement agencies can also snoop your traffic “with a court order” at any point, often without the ISP being explicitly notified.
Use your own router. ISPs often have special access or metrics shared with them for “ease of support” when using their router, but as you found out, that just amounts to letting them spy on your network.
So at a minimum, you need to have your own router with your own login and password. Disconnect theirs and put yours after the modem. If you have a traditional cable connection, you could even go a step further and use your own modem, though you’d have to verify it works with your ISP, and you’d have to call to get them to allow it to access the cable connection.
Instead of disconnecting theirs one can just run a second router behind the isp router. Place second router in the DMZ of first router. Run LAN from the second router.
Yep, I almost suggested that, but I was concerned it might be too technical for OP.
Yeah but it also might be the only option. If one has fiber to the house, for example, it’s far easier and less risk of damage or getting the fiber dirty to just plug in to the router instead of trying to find a router compatible with fiber.
Ah, see, I was talking about two separate devices, not an all in one: a modem and a router. But if OP needs an ONT for fiber, and the router is within the same device, I agree that they should just use the one provided by their ISP and add their own router.
