Potential VPN Attacks

by aesthetic

Recently, I've noticed an issue with the router/modem combo in my house.

It's an ARRIS Touchstone TG2472.  It was provided by my Internet service provider, and is one of the poorly performing router plus modem combo devices.  I've been meaning to upgrade to a dedicated modem and wireless router, but simply haven't gotten around to it.  During my usage of this ISP-provided router over the past few months, I've been beginning to notice some anomalies, and the ways they affect me.

I generally use a VPN when I'm using my computer.  I have a subscription to a nice, high-speed, paid VPN.  It uses a client that just sits on the computer, rather than a VPN router or some physical piece of hardware.  I generally leave my VPN running all day, occasionally while seeding torrents (torrents of free Linux ISOs, of course), while I'm out and about.  Occasionally, I've come home to find my VPN has been disconnected, but my torrents are still seeding!  "That's annoying," I thought to myself.  "It must be a bug with the VPN software."

A few more days passed, and I found myself home on a Tuesday afternoon.  I wasn't feeling well, so I decided to work from home.  A few hours into a report, my music stopped and nothing would load.  I had no Internet!  "That's strange," I thought, and walked over to my modem/router to check if it had disconnected.  Lo and behold, the modem only showed the power light being on, with all other lights off.  As it came back online, it seemed to be going through a full reboot process.  But the power had never been cut, and the modem had no reason to restart.  Strange.

When I went back to my laptop, I noticed it had reconnected to the Wi-Fi.  When the Internet had gone down, the VPN gave a "Disconnected!" notification, due to not being able to reach its host.  The torrents, however, simply assumed there were no peers and sat idle.  When the Internet came back online, the VPN didn't auto-reconnect (a failure of the VPN client, perhaps?), but the torrents happily began seeding again, this time uploading data in cleartext over a non-encrypted connection.

At that moment, I realized something: what I had just witnessed could have been an intentional attack.  Could rebooting modems be something ISPs are doing to attempt to strip/disrupt nonstop streams of encrypted/VPN transmissions?  I've heard Comcast horror stories about individuals having their Internet shut off simply for using a VPN or having "peer-to-peer" traffic flowing through their router.

Using the router/modem combo my ISP had provided was opening me up for a myriad of possible attacks and misconfigurations.  While I'm not 100 percent sure that what I experienced was in fact my ISP rebooting or possibly updating my modem remotely, the slim possibility that it was happening made me realize the poor operational security I was partaking in by utilizing their products in my home.

While this article doesn't try to reach for any conclusions or go further in-depth with a technical analysis of my modem, I hope that reading this has helped you consider what devices you run in your home, along with who can access them, update them, or even possibly reboot them.  Even something as innocuous as a remote update and reboot on a modem can do something as extreme as stripping VPN traffic.

Oh, and pro-tip: Most VPNs have a configurable kill switch that will disable your network adapter if the VPN client disconnects.  Turn it on!
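The failure described above (Wi-Fi comes back, the VPN does not, and traffic resumes in the clear) can be detected from the routing table. The following is an added example, not code from the article or from any VPN vendor; it assumes a Linux host, `ip route show` style output, and the interface names `tun0` and `wlan0`, and all addresses in the samples are constructed.

```python
import ipaddress
import subprocess
import sys

# Constructed sample: full-tunnel VPN up (two /1 routes override the default).
VPN_UP = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.0.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
128.0.0.0/1 via 10.8.0.1 dev tun0
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.23 metric 600
203.0.113.10 via 192.168.0.1 dev wlan0
"""
# Constructed sample: modem rebooted, Wi-Fi rejoined, VPN client did not reconnect.
AFTER_REBOOT = """\
default via 192.168.0.1 dev wlan0 proto dhcp metric 600
192.168.0.0/24 dev wlan0 proto kernel scope link src 192.168.0.23 metric 600
"""

def egress_interface(route_table, dest):
    """Return the device a packet to dest would leave through, or None.
    Longest prefix wins; on equal prefixes the lowest metric wins."""
    target = ipaddress.ip_address(dest)
    best = None  # ((prefixlen, -metric), dev)
    for line in route_table.splitlines():
        f = line.split()
        if len(f) < 3 or "dev" not in f[:-1]:
            continue  # blank line, or a route type without a device
        try:
            net = ipaddress.ip_network("0.0.0.0/0" if f[0] == "default" else f[0], strict=False)
        except ValueError:
            continue  # e.g. "unreachable ..." or "blackhole ..." entries
        metric = int(f[f.index("metric") + 1]) if "metric" in f[:-1] else 0
        key = (net.prefixlen, -metric)
        if target in net and (best is None or key > best[0]):
            best = (key, f[f.index("dev") + 1])
    return best[1] if best else None

def leaks_outside_tunnel(route_table, tunnel_dev="tun0", probe="198.51.100.7"):
    """True when Internet-bound traffic has a route that bypasses the tunnel."""
    dev = egress_interface(route_table, probe)
    return dev is not None and dev != tunnel_dev

if __name__ == "__main__":
    table = subprocess.run(["ip", "-4", "route", "show"],
                           capture_output=True, text=True, check=True).stdout
    sys.exit(1 if leaks_outside_tunnel(table) else 0)  # non-zero exit = leak
```

Run from a timer or a wrapper script, a non-zero exit can be used to stop the torrent client; it complements the VPN client's own kill switch rather than replacing it.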

Greetz to Lainchan - Let's All Love Lain!  Much love to 2600 - Thanks for publishing a bunch of my letters in the past!
