Internet Traffic Modifications by ISPs After the Decision to End Net Neutrality Create a Huge Potential Attack Surface
A huge amount of ink has been spilled over the FCC decision to roll back Net Neutrality rules.
Many articles analyze which businesses will benefit and which will be harmed by the change, while others look at it from a political perspective. It is critical that we also understand the security implications of changes Internet Service Providers (ISPs) are likely to make under this deregulation.
As a general principle, Net Neutrality holds that the internet should be a passive conduit for data between any endpoints. It should make no difference to a carrier who is initiating the connection or what service they are using. It is similar to the way utilities provide their services. My water company has no control over what I choose to do with my water; it only meters how much of it I use. Before the breakup of AT&T, customers were only allowed to attach AT&T-provided phone hardware to their lines. Now anything that meets the standards can be hooked up and is treated equally by the network.
The FCC decision ending net neutrality re-categorizes ISPs from telecommunication systems governed by Title II to information services under Title I. As telecommunication systems, ISPs were prohibited from blocking, throttling, or providing paid prioritization. As information services, which create, modify, store, or make information available, none of these restrictions apply. As important as the regulatory change is the signal this sends to the ISPs. The administration is clearly articulating a much more hands-off policy towards ISPs. This signaling is likely to embolden them to take actions which are unpopular but were never banned by the Title II rules.
ISPs have a long history of blocking, slowing, or modifying internet activity for their own business purposes. Some examples are:
This kind of behavior slowed significantly when net neutrality was implemented in 2015.
With the removal of the restrictions, it is likely that ISPs will start these kinds of activities again. They are likely to create fast and slow lanes, making the net pay-to-play for content providers. They could implement user fees to access certain services, creating access fees for consumers. And they could outright block or censor certain content. All of these changes would be phased in slowly to avoid a huge public backlash.
So, what are the security implications of these changes? All of these traffic modification systems are a potential attack surface. For example, a hacker could create a denial of service by tricking major ISPs into blocking data to or from certain domains. Systems that inject benign code into pages could be retasked to inject malware. All this also adds significant complexity to the system, which always brings with it new vulnerabilities.
A common reaction is to call for the widespread use of VPNs to prevent ISPs from seeing the destination or contents of internet traffic. If the ISP can’t tell what website or service you are visiting, then they can’t prioritize traffic on that basis. The VPN’s encryption also effectively prevents content inspection or modification.
However, the use of VPNs is not a perfect solution. Patterns in the traffic can reveal the type of connection running within the VPN. Video, VoIP, websites, and P2P file sharing all have very different signatures that are clearly visible even through the encryption. Additionally, it is obvious to the ISP that you are using a VPN, which could be used as the basis for traffic slowing or blocking. This is already happening with many paid Wi-Fi services, like at hotels, where a connection that supports VPNs is significantly more expensive than the basic service.
Widespread adoption of anti-VPN policies would bring significant backlash, particularly from the business community which relies heavily on them for secure remote work and telecommuting.
The dangers of code injection also show the importance of universal adoption of TLS / HTTPS on all websites and services. Universal adoption of end-to-end encryption makes such injection virtually impossible and also prevents content-based filtering or prioritization.
All this might be less concerning if there were real competition in the home broadband market. In that case ISPs could compete, in part, on their privacy and security policies and practices. Unfortunately, most households in the US have only one realistic option for broadband service.
It is impossible to know in advance exactly what ISPs will do under the new regulatory regime, but it is clear that there are significant potential risks. As security practitioners, it is critical that we do what we can to mitigate risks to our own organizations and watch closely for new vulnerabilities and attack surfaces.