OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Noctur on August 31, 2017, 05:02:11 am

Title: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: Noctur on August 31, 2017, 05:02:11 am
http://www.techrepublic.com/article/how-to-stop-isps-from-spying-on-your-iot-devices/

Can this be done with OpnSense?

A search through the forum and wiki don't turn up anything, general internet search and pfsense search doesn't hit either.

 
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: bobbythomas on August 31, 2017, 07:04:21 am
I think you can filter outbound traffic using the access rules. I had a similar issue with one of my smart plug which is a chinese make, upon traffic inspection I was seeing it contacting a chinese server, I then blocked all outbound traffic from that device and allowed to access it only through VPN.
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: ChrisH on August 31, 2017, 10:34:46 am
Have you even read the article?
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: franco on August 31, 2017, 11:25:26 am
I couldn't find a quick explanation of what this does. The concept seems to exist for a couple of years, but haven't heard of it yet.

Will probably go to the source: https://arxiv.org/pdf/1708.05044.pdf


Cheers,
Franco
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: fabian on August 31, 2017, 12:03:47 pm
With some custom tools you can do that on OPNsense as well. You just need to write a tool that uses pcap to capture traffic and log it into a database (postgresql, mysql etc.). The rest is looking for patterns of related connections (for example a connection between two devices every 10 minutes).

For example this library can be used to build a network sniffer:
https://github.com/packetfu/packetfu

A far more easy solution is using a transparent proxy as the client does not see that it is connected to a proxy.


Please note that using such a tool may be illegal in some coutries.
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: ky41083 on August 31, 2017, 09:45:45 pm
Wouldn't it be easier to set low bandwidth limits on these devices, so that they appear to have a constant data rate whenever they are "talking", regardless of the data they are sending?
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: fabian on September 01, 2017, 08:34:33 am
This would not help as the problem here is that it is still visible when a device connects to its server. What would help is redirecting the connections to a local server (DNAT, also known as Port Forward) which will answer the queries instead of the original server. In this case you could:
A) Forward the packets at a random time
B) Don't forward the packets to the original server

However this may mean, that you may have to reverse engineer the protocol.
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: ChrisH on September 01, 2017, 10:53:14 am
Or you could just not buy devices that spy on you. Increasingly difficult, I know.
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: bartjsmit on September 01, 2017, 04:46:15 pm
I think the main impetus behind the research was the recent move in the USA to allow ISP's to gather data from their subscribers and sell it on.

Your IoT device may be fully secure, but your ISP is in a unique position to collect metadata; e.g. when does your fitness tracker start sending in the morning, how often does your coffee maker phone home and when does your phone drop off your WiFi.

The solution proposed is to pad the regular traffic with nonsense data to render metadata collection useless, much like the British radio operators during WW2 who would transmit vehicle license plates to keep a constant level of traffic as well as to keep enemy code breakers busy.

Bart...
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: Noctur on September 01, 2017, 08:16:42 pm
Or you could just not buy devices that spy on you. Increasingly difficult, I know.

Agreed... I have 1 IoT device - a D-Link IP Camera - that I found was 'reporting home' which I've simply blocked from accessing the internet. I have a couple of other devices - smart thermostats - that look up current weather and allow remote adjustment that, while I haven't seen phoning home, I've also blocked on principle. My inquiry was more related to the thermostats that I'd like to enable.

I use NordVPN and could allow through them, but with the DNS Lookup / Suricata issues I've had the VPN drops out at times leaving it exposed. So I'm not going to open this up until I've resolved the DNS dropouts.

Thank you all for your replies...
Title: Re: Traffic Shaping - Independent Link Padding to prevent ISP spying
Post by: ky41083 on September 03, 2017, 02:19:04 am
This would not help as the problem here is that it is still visible when a device connects to its server.

I don't disagree that connection times are also an issue, depending on how a device behaves. But the linked PDF focuses on bandwidth of connections from these devices as a primary source of pattern matching.

To eliminate the bandwidth pattern visibility, it would be extremely easy to setup a low bandwidth limited pipe and send all of your IoT device traffic through it.

For connection time / pattern visibility, routing through a simple external VPN would suffice.

I think the main focus is on data that can be inferred OUTSIDE of end to end encryption. Unless I'm missing something?