Potential VPN Attacks

By aesthetic

Recently, I’ve noticed an issue with the router/modem combo in my house. It’s an Arris Touchstone TG2472. It was provided by my internet service provider and is one of the weak-performing router+modem combo devices. I’ve been meaning to upgrade to a dedicated modem and wireless router, but haven’t gotten around to it. During my usage of this ISP-provided router over the past few months, I’ve begun to notice some anomalies and the ways they affect me.

I generally use a VPN when I’m using my computer. I have a subscription to a nice, high-speed, paid VPN. It uses a client that sits on the computer, rather than a VPN router or some physical piece of hardware. I generally leave my VPN running all day, occasionally while seeding torrents (torrents of free Linux ISOs, of course), while I’m out and about. Occasionally I’ve come home to find my VPN has been disconnected, but my torrents are still seeding! “That’s annoying,” I thought to myself, “it must be a bug with the VPN software.”

A few more days pass, and I find myself home on a Tuesday afternoon. I wasn’t feeling well, so I decided to work from home. A few hours into a report, my music stops, and nothing will load - I have no internet! “That’s strange,” I thought, and walked over to my modem/router to check if it had disconnected. Lo and behold, the modem only showed the Power light being on, with all other lights off. As it came back online, it seemed to be going through a full reboot process. But the power had never been cut, and the modem had no reason to restart. Strange.

When I went back to my laptop, I noticed it had re-connected to the WiFi. When the internet had gone down, the VPN gave a “Disconnected!” notification due to not being able to reach its host. The torrents, however, assumed there were no peers and sat idle. When the internet came back online, the VPN didn’t auto-reconnect (a failure of the VPN client, perhaps?), but the torrents happily began seeding again, this time uploading data in cleartext over a non-encrypted connection.

At that moment, I realized something: what I just witnessed could have been an intentional attack. Could rebooting modems be something ISPs are doing to attempt to strip/disrupt constant streams of encrypted/VPN transmissions? I’ve heard Comcast horror stories about individuals having their internet shut off for merely using a VPN or having “peer to peer” traffic flowing through their router. Using the router/modem combo my ISP had provided was opening me up to a myriad of possible attacks and misconfigurations.

While I’m not 100% sure that what I experienced was my ISP rebooting or possibly updating my modem remotely, the slim possibility that it was happening made me realize the poor operational security I was partaking in by utilizing their products in my home. While this article doesn’t try to reach for any conclusions or go further in-depth with a technical analysis of my modem, I hope that reading this has helped you consider what devices you run in your home, along with who can access them, update them, or even possibly reboot them. Even something as innocuous as a remote update and reboot on a modem can do something as extreme as stripping VPN traffic.

Oh, and pro-tip: Most VPNs have a configurable kill switch that will disable your network adapter if the VPN client disconnects. TURN IT ON!