[Cryptography] DSL modems - how would we detect wholesale subversion?

Bill Stewart bill.stewart at pobox.com
Tue Oct 29 18:03:45 EDT 2013


At 12:56 PM 10/28/2013, John Gilmore wrote:
>And most DSL modems are provided by your giant telco DSL provider --
...
>How hard would it be, really, for
>them to subvert all their DSL modems to wiretap your LAN?

DSL modems normally don't have a lot of spare CPU horsepower,
and if you have old-style DSL
(as opposed to fiber, or U-Verse DSL-to-the-box, or cable modem)
there's not a lot of spare upstream bandwidth for them to abuse.
And it would cost them a lot to do all the processing to handle the data,
which isn't going to happen in a price-sensitive consumer business.
If they're trying to specifically wiretap *you*, that's a different case,
so if a large van marked "TPC" comes up to your door and
asks to replace your cable modem with a faster one, be suspicious :-)

>And even better that consumers have
>no idea what packets are going up and down over that DSL signalling,
>because they have no equipment for monitoring raw 2-wire DSL lines

It's annoying to us in the business as well;
that stuff is a pain to debug except from a DSLAM.
...

>You can guard against this threat by only plugging one Ethernet jack
>into your DSL modem, and having that lead directly to a Linux or BSD
>gateway box that is under your own control.  That way, the DSL modem
>has no physical access to the rest of your LAN, and you can monitor
>the upstream Ethernet to make sure that the only packets going to the
>DSL modem are those that you intended to go upstream.

You should probably be doing that anyway (at least with a
consumer firewall appliance, if not a Linux/BSD/DD-WRT box.
And in many cases, the broadband provider isn't including a switch,
or only offers that for an extra fee with managed Wifi, and you can do better.)
That lets you upgrade the wifi yourself, if you use wifi,
and gives you some vague chance of security if you want to have a
LAN-attached printer or file server supporting your machines at home,
and it also gives you the ability to have separate guest wifi.

         Thanks; Bill Stewart
-------
Disclaimer: This is only my personal opinion, not the opinion of
my current or former employers, TPC, Big Cable, etc.
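The monitoring step in the quoted advice, "make sure that the only packets going to the DSL modem are those that you intended to go upstream", amounts to a small allow-list audit of whatever appears on the gateway's modem-facing port. The following is an added example, not code from this thread or from either poster, showing that audit over a constructed set of Ethernet frames. It assumes a hypothetical topology with IP running directly over Ethernet (no PPPoE): the gateway's WAN port (GW_MAC, GW_IP) is the only device wired to the modem (MODEM_MAC), so any frame that is not an exchange between those two endpoints, or that carries an inside LAN address past the gateway, is something to look at.

```python
"""Audit of frames seen on a gateway's modem-facing Ethernet port.

Added example, not code from the mailing-list thread. It assumes a
constructed topology: the gateway's WAN port (GW_MAC / GW_IP) is the only
device wired to the DSL modem (MODEM_MAC), IP runs directly over Ethernet
(no PPPoE), and any frame on that wire not exchanged between those two
endpoints is something to investigate.
"""
import struct
from typing import Dict, List, Tuple

# Hypothetical addresses for the two devices allowed on the upstream segment.
GW_MAC = "02:00:00:00:00:01"       # gateway WAN port
MODEM_MAC = "02:00:00:00:00:02"    # DSL modem LAN port
GW_IP = "203.0.113.10"             # gateway WAN address (TEST-NET-3, constructed)
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"
ETH_IPV4, ETH_ARP = 0x0800, 0x0806


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def _ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Decode the Ethernet II header and, for IPv4 payloads, the source/destination IPs."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info: Dict[str, object] = {"dst_mac": _mac(dst), "src_mac": _mac(src), "ethertype": ethertype}
    if ethertype == ETH_IPV4:
        if len(frame) < 34 or (frame[14] >> 4) != 4:
            raise ValueError("truncated or non-IPv4 header under IPv4 ethertype")
        info["src_ip"] = _ip(frame[26:30])   # IPv4 source sits at offset 12 of the IP header
        info["dst_ip"] = _ip(frame[30:34])   # IPv4 destination at offset 16
    return info


def audit_upstream(frames: List[bytes]) -> List[Tuple[int, str]]:
    """Return (frame index, reason) for every frame that should not be on the upstream wire."""
    findings: List[Tuple[int, str]] = []
    for i, frame in enumerate(frames):
        p = parse_frame(frame)
        # 1. Only the gateway WAN port and the modem may transmit on this segment;
        #    any other source means a LAN host is wired or bridged onto the modem.
        if p["src_mac"] not in (GW_MAC, MODEM_MAC):
            findings.append((i, f"foreign source MAC {p['src_mac']} on upstream segment"))
            continue
        # 2. The modem has nobody to talk to but the gateway (or broadcast).
        if p["dst_mac"] not in (GW_MAC, MODEM_MAC, BROADCAST_MAC):
            findings.append((i, f"frame from {p['src_mac']} addressed to {p['dst_mac']}, not the gateway"))
            continue
        if p["ethertype"] != ETH_IPV4:
            continue   # ARP and similar are expected here; extend this if you want to audit them too
        # 3. Everything the gateway sends upstream must carry its WAN address as source;
        #    a private LAN source means NAT or routing was bypassed.
        if p["src_mac"] == GW_MAC and p["src_ip"] != GW_IP:
            findings.append((i, f"LAN address {p['src_ip']} leaked upstream unmasked"))
            continue
        # 4. What the modem sends us must be for our WAN address (or a DHCP broadcast).
        if p["src_mac"] == MODEM_MAC and p["dst_ip"] not in (GW_IP, "255.255.255.255"):
            findings.append((i, f"modem sent IPv4 to {p['dst_ip']}, which is not our WAN address"))
    return findings


def build_frame(dst_mac: str, src_mac: str, src_ip: str = "", dst_ip: str = "",
                ethertype: int = ETH_IPV4) -> bytes:
    """Construct a minimal frame (header-only IPv4, or a zeroed ARP body) for the sample capture."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) \
        + struct.pack("!H", ethertype)
    if ethertype != ETH_IPV4:
        return eth + bytes(28)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                     bytes(int(o) for o in src_ip.split(".")),
                     bytes(int(o) for o in dst_ip.split(".")))
    return eth + ip


LAN_HOST_MAC = "02:00:00:00:00:aa"   # a hypothetical PC on the inside LAN
# Constructed sample capture: frames 0, 1 and 5 are normal; 2, 3 and 4 are not.
SAMPLE_FRAMES = [
    build_frame(MODEM_MAC, GW_MAC, GW_IP, "198.51.100.5"),                 # gateway -> Internet
    build_frame(GW_MAC, MODEM_MAC, "198.51.100.5", GW_IP),                 # reply coming back
    build_frame(MODEM_MAC, LAN_HOST_MAC, "192.168.1.20", "198.51.100.5"),  # LAN PC wired to modem
    build_frame(MODEM_MAC, GW_MAC, "192.168.1.20", "198.51.100.5"),        # forwarded without NAT
    build_frame(LAN_HOST_MAC, MODEM_MAC, "10.0.0.1", "192.168.1.20"),      # modem reaching for a LAN host
    build_frame(BROADCAST_MAC, MODEM_MAC, ethertype=ETH_ARP),              # modem ARP request
]

if __name__ == "__main__":
    for idx, reason in audit_upstream(SAMPLE_FRAMES):
        print(f"frame {idx}: {reason}")
```

In practice the frames would come from a capture on the gateway's WAN interface rather than from `SAMPLE_FRAMES`; the rules stay the same. On a line that uses PPPoE the ethertype will be 0x8863/0x8864 instead of 0x0800, so rules 3 and 4 would have to look inside the PPPoE session frame to find the IPv4 header, while rules 1 and 2 (who is on the wire, and whom the modem addresses) apply unchanged and are the ones that catch a modem probing the LAN.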