It seems like it would be faster to make a list of things verizon won't accept an administrative subpoena for in lieu of a warrant as opposed to the other way around.
On an unrelated note, if you have verizon FIOS they can push a new firmware package to your router and reboot it easily, without you ever knowing. And they log in every day and confirm the hash of the firmware you're running - if it's not on the approved list (which is generally just the current one they have you set for) it automatically reflashes. A properly written firmware could monitor not just all traffic that was internet bound, but also everything on the local lan and wireless net.
At least in the router I have, there are a significant number of dark radios on the board. There's a second (unused) 802.11n radio that in other editions is used as a second n stream but easily could be used to do full site surveys or packet capture or as an evil twin, a DECT (cordless phone) compatible phy that could impersonate a cordless basestation and, if I read the spec sheet right, a bluetooth and powerline phy.
The verizon STB for their converged QAM/IPTV also downloads a portion of their firmware from the management servers and verifies hashes and operational state TCG style - if they aren't connected to the network they will never actually finish booting.
Details are limited about what the CISCO built STB contains on the inside, but it at least has a light sensor (ir remote) and a vibration / accelerometer (for sudden drop hd head park) that they have been touting as a feature that allows them to measure ad exposure based on floor vibrations that suggest you walked away during a commercial.
They've also been recently touting a 99% effectiveness rate at uniquely identifying the viewer in multi person households based on statistical modeling of the order and speed buttons are pressed on the remote, though I'm unsure if that's with the current cisco gear or the new motorola (google) gear that they are just rolling out.
You can replace their router with one of your own. On my ONT there are two ways of connecting to the Verizon service:
1) Ethernet. If you connect this way then running your own router is trivial, but by using Ethernet you lose some services related to TV.
2) Coax. This is a bit more complicated. You'll still have to power the Verizon router, but everything behind, and including, your router still will be under your control. You need a Coax to Ethernet adapter like this one:
I don't remember all the specific steps I had to take to enable this offhand. I need to go back and write a howto. In any case, the final setup will look like this:
Verizon ONT --[Coax]--> Moca Adapter --[Ethernet]--> Your router.
Moca Adapter --[Coax]--> Verizon router.
One important point is that you must release your DHCP IP on the Verizon router before your router can obtain one.
I think you can dispense with the Coax connection to the Verizon router if you don't care about TV capabilities, but if you don't you might as well switch the ONT to use Ethernet instead and avoid this mess.
My main motivation for doing this was that the wireless capabilities of the Verizon-supplied router were terrible, but it has the added bonus of keeping Verizon's prying eyes out of my home network.
Yeah, I've taken a similar approach - my comments were more just to raise awareness about how much verizon is theoretically able to do in light of what a low bar they have for doing them for LEO.
You can get it set up so all your iptv services work with the ONT using the ethernet port BTW - that is the default install configuration these days for people on the faster service tiers as moca caps somewhere north of 100mb. In that setup the actiontec is connected both via coax and ethernet to the ont, and it serves as an ethernet<->moca bridge internally to support the ip features of the STBs.
Running the STBs without any moca is basically unusable: no epg, no dvr, no vod etc. And it's worth noting that even though my actiontec is physically separated from my home net through a tweaky setup, they could still theoretically do full stream wireless packet capturing of whatever the radio could hear, or become an active node on your other 802.11 network. Brute forcing a WPA2 secret is a common enough practice that they have purpose-built luggable SFF PCs with 4 tesla cards inside for field work.
You can actually remove 100% of the verizon CPE and still get good tv if you're willing to pay for it. Once I found out all the stuff the STBs are doing, I started replacing them with a tivo with a cable card and a tivo mini (basically a slave). Even slightly cheaper per month than the multiroom dvr, though the upfront is $$$
I think I was abusing terms when I said SFF, I guess I was thinking more like "in comparison to" an HPC rack.
Similar to the intermediate CA black box providers, they seem to have much larger presences at trade shows than on the web, but this is pretty close to what I'm talking about:
I'm pretty sure the generations in development have video cameras and microphones (to allow you to cough wave your hands or speak to change channels, of course). That same platform also has ISM radios in monitoring mode so that they can see what devices are present and obtain rough positioning data. So they'll know when you get home based on your phone mac appearing, and how many people are on the couch and who they are.
Here is the video recognition stb patent application that includes a number of eye openers:
> And they log in every day and confirm the hash of the firmware you're running
If you can modify the firmware you can change it to respond to their query with the "correct" firmware signature, so this doesn't seem useful to me. Source?
Also, is the 802.11n radio connected to an antenna? If not, can't really do any surveys with it. Sounds like a fun box to play with for evil maid attacks, though!
You can only load verizon/actiontec signed firmware via the UI. I suppose you probably could reflash it directly if you connected leads to the smt chip on the board, that is assuming it's not on the SOC and assuming the stage 1 loader doesn't verify the signature. It's mostly to prevent rollback attacks where a known vulnerable firmware is flashed to take advantage of a flaw.
(Technically it's implemented by an automatic process that verizon runs that logs in via their TR069 carrier management port and then does various unlogged things, including enforcing that you're on approved firmware.)
Yeah, the box has two antennas, each one attached to the radios. Almost all of the other actiontec customers use it as a 2nd channel to get 300mbit, but for whatever reason verizon's is set to only use 1.
If their stage 1 is verifying the signature it's going to be pretty hard to hack the firmware (since you need to crack the key or find some other hole to get your firmware to run), so at that point they could care less about logging in to double-check the key wasn't cracked. In that case the integrity check is more likely just making sure the firmware isn't corrupt, or just checking the version to see if it needs an upgrade in general. If on the other hand they are just verifying which firmware is applied, the stage 1 probably isn't verifying the signature, so in that case we really could fake out the check.
Flashing the chip directly is probably significantly easier than attacking the UI's signature verifying feature. Once you learn how it's pretty fun to examine random devices' firmware directly ^_^
Yeah, glancing at the specs it looks like you're almost surely correct, that it's just checking a version string that's returned.
I got a little carried away, but really my point wasn't that it's impossible to avoid the risks, just that undoubtedly 99%+ of their customer base could be subjected to this and I'm sure most don't realize it. I thought my concerns with it were pretty tin foil hat until reading this story about the exact company doing something very, very similar.
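The exchange above turns on the difference between an operator checking a version string the firmware reports about itself and checking a digest of the actual image against an approved list. The following is an added example, not code from the thread or from any Verizon/Actiontec system, that shows why the two checks are not equivalent: a one-byte change to the image leaves the self-reported version string intact but changes the digest. The image layout, version header and allowlist are constructed for illustration.

```python
"""Firmware approval check: self-reported version string vs. content digest.

Added example for illustration. The image format (a NUL-terminated
"FW-VER=..." header followed by payload bytes) and the digests are
constructed here and are not any vendor's real format.
"""
import hashlib

# Constructed sample firmware images (stand-ins for real binaries).
APPROVED_IMAGE = b"FW-VER=40.21.10\x00" + b"\x90" * 256
# Same header, one payload byte changed: what a tampered image looks like.
MODIFIED_IMAGE = b"FW-VER=40.21.10\x00" + b"\x90" * 255 + b"\x91"


def sha256_hex(data: bytes) -> str:
    """Digest of the full image contents, as the operator side would compute it."""
    return hashlib.sha256(data).hexdigest()


# Operator-side allowlist of approved image digests (constructed; normally
# "generally just the current one they have you set for", as the thread puts it).
APPROVED_DIGESTS = {sha256_hex(APPROVED_IMAGE)}


def reported_version(image: bytes) -> str:
    """Version string as the device would self-report it, parsed from the header."""
    header = image.split(b"\x00", 1)[0].decode("ascii")
    return header.split("=", 1)[1]


def check_by_version(image: bytes, approved_version: str) -> bool:
    """Weak check: trust whatever version string the running firmware reports.

    Any image that keeps the header passes, regardless of what else changed.
    """
    return reported_version(image) == approved_version


def check_by_digest(image: bytes) -> bool:
    """Stronger check: hash the actual image bytes and compare with the allowlist.

    Detects any modification of the image. It is still only as trustworthy
    as the code that computed the digest, which is why a boot loader that
    verifies signatures before running the image (a root of trust) matters.
    """
    return sha256_hex(image) in APPROVED_DIGESTS


def audit(image: bytes, approved_version: str) -> dict:
    """Run both checks on one image and return the verdicts for comparison."""
    return {
        "reported_version": reported_version(image),
        "version_check": check_by_version(image, approved_version),
        "digest_check": check_by_digest(image),
    }


if __name__ == "__main__":
    for name, img in (("approved", APPROVED_IMAGE), ("modified", MODIFIED_IMAGE)):
        print(name, audit(img, "40.21.10"))
```

Running it shows the modified image passing the version check and failing the digest check. The usual caveat holds for both: a management system learns only what the device tells it, so the digest check adds real assurance only when the measurement is made by something the firmware cannot alter, such as a signature-verifying stage 1 loader.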
> they can push a new firmware package to your router and reboot it easily, without you ever knowing. And they log in every day and confirm the hash of the firmware you're running - if it's not on the approved list (which is generally just the current one they have you set for) it automatically reflashes.
This is pretty standard practice for cable providers. The cable company I work for does this to cable modems.
Oh yeah, it's not an issue when you're talking about the typical WAN side CPE that only sees outbound traffic and isn't loaded with radios. After all, they can see or do whatever they want to your traffic anywhere in the path. It's a slightly different story when it also has the potential to see all your LAN side traffic and anything in the 2.4ghz band it can hear.
The cable modems my company provides have built-in 2.4ghz, and the company has full admin rights to the modem's local admin interface (the customer does not)...
Yeah, so that's another good example of the future of administrative subpoena surveillance. I knew that the converged AP and modem was pretty common with DSL providers, but at least the ones I had seen allowed the customer to control what firmware was running.
My cable provider does this too and I don't trust them in the slightest, so I just use my own router:
cable --> providers modem/router --> my router --> network
I would disable its routing ability and use it as a bridge, but it provides an easy way to share wifi with guests/neighbours.