In my opinion, the latest NSA leaks reached a new level of boldness.
Oh wait, maybe you are one of the people that keep saying “Of course NSA is spying on all of us, but I’m safe: I use Tor/VPN, deleted my Facebook account, and I completely switched to secure operating systems, so I got this going for me.“. If so I congratulate you, these are important steps and I hope there will be more people like you.
But as the introducting sentence states, the latest information of NSA’s mass surveillance goes much further than only spying in social networks and intercepting phone calls. This time, it’s about your home and your network itself. To be concrete: It’s about your router located somewhere in your rooms. Internal, top secret classified presentations show that NSA is actively searching for vulnerabilities in industry and home routers and is buying exploits if needed. And if all of these steps aren’t enough, they just implant a backdoor chip granting full remote access.
If you hear about an massively exploited vulnerability or a cooperating router vendor, I would expect you to switch the router or at least install updated/other firmware on the device. But what if you are not able to this because your Internet Service Provider (ISP) forces you to use his and no other device?
“That’s incredible!” you might think, but that’s the case in some countries and with some providers. They won’t give you your internet access credentials if you want to use a different device, or they simply use non-standard plugs and protocols. So you have a large group of people forced to use only one router model. We call this Compulsory Routers.
ISPs’ policies like this create many problems and some of those are
- competition issues: If many ISPs do it like this, smaller competitors have no chance to sell their routers because they are not usable by any customer
- technical issues: You want to use IPv6, VoIP or other technologies and devices? Maybe your ISP does not want you to use them or only his own products
- security issues: If a large group of people are using only one router or one hardware vendor, and if this product/vendor is vulnerable, the whole mass is in danger. Maybe you heard this term in biology, but it’s also highly relevant in this case: monocultures
“And what has this to do with the NSA stuff?”
More than you might think. Imagine a country with 4 big ISPs and all with Compulsory Routers. In the best case after some years, there might be around 10 router models from 5 vendors in use in most households and smaller/middle-sized companies. You don’t have to be paranoid to know that this is an open invitation for intelligence agencies to cooperate with the vendors or create remote attack tools for the few used router models.
If your router, the first device behind the connection jack in your wall, is compromised, your whole network is compromised as well, no matter how strong your encryption techniques or your passwords are.
And we? We would just have to endure this because we cannot buy the technology we trust in and we cannot use alternative Free Software firmwares. So it’s self-evident that we as freedom loving people have to do something about this problem to secure our own IT infrastructure!
Compulsory Routers are not only a technical, but also a political one. In Germany, we have a similar situation and until now it’s not clearly regulated what ISPs are allowed to enforce. Some great volunteers have worked together with Matthias and me on this issue for a longer period and we had remarkable success.
But we’re still not done yet and there are many countries in which such policies are not forbidden or regulated yet. Maybe your’s is as well?
If so or if you don’t know exactly, please read and contribute to our wiki entry where we wrote down many interesting background information, some argumentation guidelines, and tips how to stress the topic in media and public. If there are any questions, you can contact me anytime.