When most Internet users think about the security and privacy of their communications, they tend to think mainly about the associated practices of the sites they visit on the Net. Rarely do they think much about their ISPs in this regard, even though by definition the ISP has access to the entirely of their communications usage over that ISP (we can assume that in most cases this does not include the ability to read encrypted, e.g. SSL/TLS data, though man-in-the-middle attacks on that secured data are not at all impossible).
But have you ever thought about how the practices of your ISP might affect the security of your local network — and data that (at least ostensibly) never leaves the confines of your local net?
Though best security practices include running your own routers and firewalls (if not even more secure systems using FIDO security keys or other similar advanced technologies) the truth is that most consumer and small business users who run local nets (that is, communications between some number of local machines at their site or sites) depend on the firewalls and security mechanisms configured into ISP-provided modems.
The thing is that you’re often not the only one in control of those modems.
Leased cable or other wireless or wireline data modems typically provide the ability for the ISP to control and configure the modem remotely. Even if you buy an approved modem on your own when that’s permitted, network provisioning and maintenance/support requirements may still permit your ISP a great deal of control over the device.
Another truth is that most consumers and organizations tend to run rather lax security (if any at all) behind what they assume to be secure modem firewalls, meaning that if that firewall is breached, their local net is pretty much wide open.
In an ideal world, we could all employ methodologies similar to Google’s excellent BeyondCorp security model, which puts a well-deserved nail in the coffin of firewalls. Unfortunately, this usually isn’t practical for most non-techie consumers.
Fundamentally, the question boils down to this — can your ISP remotely change modem configurations that could give them or third parties inappropriate access to data on your local network?
For example, some ISPs now provide the means for customers to reconfigure the Wi-Fi on their modems via the ISP’s website. In the case of Time Warner Cable (aka Charter, Spectrum, or whatever they’re called this week), their site allows users to view and change Wi-Fi passwords, change or even disable Wi-Fi security completely, and more.
Handy? Yeah. But what happens if TWC’s super-deluxe website gets hacked? Or perhaps law enforcement or intel agencies come around and want to use loopholes in the laws to try access your local network data without your even knowing about it?
You can see the problem. If your local net has typically lax security, and you don’t have your own firewall downstream of that ISP modem, the modem Wi-Fi security could be disabled remotely, your local network sucked dry late one night, and security restored by the morning. You might not even have a clue that any of this occurred.
How often does this kind of scenario occur in practice? I have no way to know. But it’s clearly possible.
Luckily, this is a case where there are steps you definitely can take to minimize these risks.
First, make sure that your local network is internally as secure as possible. You can’t simply assume that just because a machine is on your local network with a local IP address that it necessarily is a friend!
Second, consider putting your own firewall downstream of the ISP modem. Routers/switches with this capability are plentiful and relatively inexpensive.
Third, consider not using the ISP modem Wi-Fi at all. Those routers I mentioned just above often have their own built-in Wi-Fi that you can configure, making it unnecessary to use the ISP modem Wi-Fi, and permitting a more comprehensive firewall under your complete control.
I’m not suggesting that you go into a panic and start ripping Ethernet cables out of the walls or cease using Wi-Fi. But it would be wise to start thinking now about how you can reconfigure your local network for maximal security in a world of expanding network security concerns.
I have consulted to Google, but I am not currently doing so — my opinions expressed here are mine alone.