Uninitiated noon question below.
A couple of days ago, this haprogram https://programming.dev/post/41491279
Now, during the phonecall with my ISP, the guy asked, “is your router an ASUS?” to which I answered, “yes and no, because it’s sold as a router but I have it in AP mode and my actual router is OpenWrt on a Raspberry Pi.” To which he replied “noice!”
How did he know the make of my access point? A few of my own thoughts are:
- he was referring to historical data (I’ve been a loyal customer of theirs for a looong time…) from a time when I was using the same topology (setup?) but without a VPN on the router, so the hostname of the AP (stored in /etc/hostname on the ASUS OS/firmware ?) was simply displayed on whatever software an ISP uses for troubleshooting through… an ARP? But aren’t ARPs limited to a LAN/they cannot resolve beyond a hop? Or perhaps a variant of DNS? How indeed do hostnames transmit? Are they in the IP header by default?
- as in 1 above, but he actively used nmap or some other recog program
- as in 1 above but from a time when I was in fact using the ASUS machine as a router
- my VPN is “leaking” - not likely, because all my traffic either goes through the wireguard interface on OpenWrt/RPi, or it doesn’t go anywhere…
If 1, 2 or 3: why do they keep historical data on me? Is it praxis?
You must log in or # to comment.
Your ISP is probably netflowing their side of the connection so they can troubleshoot it. They most likely have some sort of management/monitoring software for the CPE/ONT/Modem so it most likely would have a log of recent devices by MAC address. He probably was going to ask if your router was an asus because he saw the new device on the ONT port and thought maybe you had the wrong one plugged in and that was causing your issue
The first 3 bytes of the Mac address is an OUI: organizationionally unique identifier. They’re centrally managed by some org, and you can look them up on google
If they have remote management/diagnostics for the ONT (sounds like they do, and it’s all but universal for that to be the case), then they can probably see the MAC addresses connected to the ethernet ports. The first three octets of a MAC address are the OUI (organizationally unique identifier) which identify the vendor. There are online tools anyone can use to lookup the vendor for a MAC address.
Amazing! I had no idea that you can grab the vendor off of the first three octets. I shall try to refrain from - for academic purposes, of course - identifying devices and their vendors around me next time I’m at the coffee shop…
For whatever it’s worth, that’s not a huge privacy violation. Most routers auto-identify devices. Most IP scan tools just identify the device by default too.
If it’s a good enough public/hotspot network, they will have “client isolation” turned on and it’ll keep you from seeing any other devices but the actual network equipment.
I see. Well, now I understand why I see vendor names of connected hosts in my AP’s GUI. The vendor name of my robot vacuum, I will never be able to pronounce… (Something Chinese.)
Maclookup.app
he was referring to historical data
DHCP can also send a hostname, so it’s possible your ASUS router previously sent its hostname, and then the Pi doesn’t send one. What ever software they use might not clear the old hostname when there isn’t one.
Edit: For example, this is what my current ISP lets me see:
DHCP also sends the MAC, no?
Yep, but it’s required, and also present in every frame sent between your router and the ISP BNG.
I was trying to think of a reason why ASUS would still be showing.
It would still be giving a MAC address would it not? You can determine the hardware from that.
Yep, that is my conclusion as it stands. For switching between devices, you need MAC addressss. For routing you need IP addresses (and MAC addresses?). For inter process communication, you need port numbers. Although, I do have to read up on where and how the VPN draws the line between what to encrypt and what not to encrypt in a packet.
I work for an ISP. There’s a number of ways that that they could have figured it out and probably 98 percent of them are genuinely there as a troubleshooting method and nothing more.
As another user said, if it’s a fiber connected ONT, there’s some remote management tools we can use to see what’s there. Some ONTs have a router built in as well and in some cases, we’ve actually done a site scan of WiFi networks for customers set up like you. We can see all the WiFi devices nearby and pretty quickly tell you “yeah, your speed/connectivity issues are because you have about 80 2.4ghz networks being broadcast around you.”
If they offer their own routers, someone could even do a site scan off of your neighbors routers and get an idea what’s around. If most of your other neighbors are using their own routers ISP provided router and you’re the odd one out, odds are that non-ISP device they’re seeing is you. This one is the least likely though, there’s a number of easier methods to see what’s the device is besides using other devices in neighboring houses.
Additionally, there’s a chance they did document something like “customer is using their own Asus router, not ours” and they just checked ticket/service order history. They could have got this from you telling them in the past, a technician being onsite and seeing this, or as the other comment mentioned, you’re connected to their network, they’re going to see the MAC address of the device plugged into their equipment in a few places pretty easily.
Thank you for such a detailed answer! I learned a lot! :D this inspired me to do some research on the capabilities of the new ONT that they are providing soon. Assuming that those probing capabilities that you spoke of are built into the ONT and not some peripheral add-on equipment?
Some of that is built in (mostly if it’s an ONT/router combination unit). And a lot of what they can see is just because you’re sending all of your traffic through them no matter what VPN you’re running. Knowing MAC addresses is pretty much a requirement for “the internet” to work correctly and, while you can obfuscate a MAC address on some devices, there is a (small) chance that can cause problems too.
I know hearing from someone that actually works for one may not be super convincing, but if your ISP is a smaller provider than like AT&T/Spectrum/Cox, they are almost certainly not going to spy on you just because they want to. I’m a customer of the ISP I work at. If I was told tomorrow I had to turn on some kind of deep packet inspection/intercept/spying service, I’d resist it as much as possible simply because I don’t want to see that and I don’t want someone to see what I’m doing. I can only assume that other companies have similar positions on the matter.
No judgment at all. I mean, I work for a government agency and - while resisting unlawful or immoral directives maybe somewhat harder for me (?) - I do try to stay humane and at times blatantly go against policies or orders that violate certain human rights.
Then, if I understand it correctly, the data portion of the packet is encrypted but there are unencrypted headers or whatevers necessary for inter device communication? MAC to MAC, IP to IP, port to port, etc., that stay unencrypted even when they go through the VPN interface? Which in turn is how the VPN interface or software or protocol is programmed?
Yeah, by virtue of not owning the entire connection (which is impossible unless you own the ISP, intermediary providers, and the service you’re connecting to) somebody somewhere is going to see something that may be identifiable to you. There are services that are offered by many companies for huge enterprises that give you basically a direct connection to a data center and a lot of times that traffic can be totally encrypted, but it’s usually for very big enterprises and isn’t cheap to get.
And you’re definitely helping the privacy part running a VPN on the router level, but still, there’s always a chance of something getting leaked. It’s pretty low and gets better all the time, but that chance always exists. It’s the reason why air gapping is still a thing for things that ABSOLUTELY cannot be attacked/compromised/viewed by some random person.
Again, if you’re going off of a privacy stance, you’ve made things hard enough that unless a huge ISP has some kind of agreement to sell data to advertising companies and spending the time to implement services to get you and the 2 percent (which is probably a huge overestimate) of customers taking similar steps, it’s just not worth them making the effort.
It’s absolutely crazy time that people pipe everything through a VPN because they don’t trust their ISP, but somehow trust a VPN provider more. Especially in the post-https-everywhere world. And the influencer advertising… snake oil. With some ISPs, sure, but with most it’s at best an equal trade.
I pay my VPN provider to not touch my data and if I start to doubt them I’ll just jump ship to another provider.
There are two ISPs for me to choose from and both want to shove ads down my throat and I’m sure they are selling whatever data about me they can.
Yea I trust my VPN provider more than my ISP by miles.
How naive
At the very least, it requires an informed choice.
Honesty he probably just guessed
Incorrect. It’s by mac address. And an OUI table lookup.
