Your Roku is Spying On You

How do I install this on an internet provider's router? Or should I buy a router that I install downstream of the provider's router; if so, which router can do the job?
You’d need to be able to configure the router to use the pi-hole as the DNS server for your network. You should also make the pi-hole the DHCP server for the network for maximum effect.
 
No doubt that Spectrum is spying on us. We'll be dropping their cable and voice service ASAP. I'm sure our Samsung TV is, too.
 
> You’d need to be able to configure the router to use the pi-hole as the DNS server for your network. You should also make the pi-hole the DHCP server for the network for maximum effect.
So far I understand:
Buy a raspberry pi or similar host.
Install Linux on it (how?)
Install and configure pi-hole
A thousand apologies, as I haven't been in IT for a very, very long time; I do not yet see how to install Linux and pi-hole on an external device.
 
> So far I understand:
> Buy a raspberry pi or similar host.
> Install Linux on it (how?)
You flash the distro onto the SD card using something like Etcher. I'm using the DietPi distro because I wanted something tiny tiny. I'm weird like that.
> Install and configure pi-hole
With DietPi this is done from a command line installation tool. Super easy.

> A thousand apologies, as I haven't been in IT for a very, very long time; I do not yet see how to install Linux and pi-hole on an external device.
No worries. Happy to answer questions.

Once it's on the box you make the box your DNS server and your DHCP server for your network and boom! It's filtering out all the shite domain names for you.
 
They can only see the DNS requests, potentially. That's the only thing that's still not encrypted. So if you, for the sake of argument, go to PornHub, Roku will know you watch porn. They don't get the full URL (web address) -- that part is encrypted along with the page if the page is using HTTPS protocol. If using HTTP protocol, however, they can get the full URL as well, plus cookies and potentially page content.

From your selection of websites they can also fairly reliably infer your age, gender, income level, level of education, health problems, etc. And that's before they correlate you with other data sources. They can also tie this to your public IP address, which doesn't change very often. That way if someone else is tracking you (and you can bet there are hundreds of companies doing just that, though not from within your house), they can simply join this data by IP address and augment your profile with even more relevant details.

Moreover, if you're using Google DNS or Open DNS or your network provider DNS, whoever provides your DNS has a full list of the domains you've visited (but again, not full URLs), and can use it for ad targeting. The only popular DNS service that has publicly committed to _not_ logging the requests is CloudFlare's https://1.1.1.1/. That's what I use.

I'd chuck this Roku shit into the dumpster if I was you, and get an Apple TV instead. Apple is the only major tech company that emphasizes privacy and uses it as a selling point.
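The post above says a DNS observer gets the domain but not the full URL. The block below, an added example that is not from any poster in this thread, shows concretely what sits in the clear in a DNS query packet: it builds a standard query by hand, then parses it the way a passive observer or the resolver itself would, and collects the resulting browsing trail. The packets and hostnames are constructed for the demonstration. One caveat the thread does not mention: the hostname is also sent unencrypted in the TLS handshake's Server Name Indication, so an observer on the local segment learns which site you connect to even if it never sees your DNS; only the path, cookies and content are covered by HTTPS.

```python
"""Parse a raw DNS query to show what an on-path observer (or the resolver) sees.

Added example, not from the thread. The packets below are constructed by hand
for the demonstration; the example.com / example.net names are placeholders.
"""
import struct


def encode_qname(name: str) -> bytes:
    """Encode a hostname as DNS labels: length byte + label bytes, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("bad label length")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a minimal standard query: RD set, one question, type A (1) or AAAA (28), class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack("!HH", qtype, 1)


def decode_qname(pkt: bytes, offset: int):
    """Decode labels starting at offset; returns (name, offset after the terminating zero).
    Queries from stock resolvers do not use compression pointers in the question
    section, so a pointer (top two bits set) is rejected rather than followed."""
    labels = []
    while True:
        if offset >= len(pkt):
            raise ValueError("truncated name")
        ln = pkt[offset]
        offset += 1
        if ln == 0:
            break
        if ln & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(pkt[offset:offset + ln].decode("ascii"))
        offset += ln
    return ".".join(labels), offset


def observe(pkt: bytes) -> dict:
    """What a passive observer learns from one query packet: the name and record type."""
    if len(pkt) < 12:
        raise ValueError("short packet")
    txid, flags, qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if flags & 0x8000:  # QR bit set means this is a response, not a query
        raise ValueError("not a query")
    if qd != 1:
        raise ValueError("expected exactly one question")
    name, off = decode_qname(pkt, 12)
    qtype, _qclass = struct.unpack("!HH", pkt[off:off + 4])
    return {"txid": txid, "name": name, "qtype": {1: "A", 28: "AAAA"}.get(qtype, str(qtype))}


def domains_seen(packets) -> list:
    """The visible browsing trail: unique hostnames in order of first appearance."""
    seen = []
    for p in packets:
        n = observe(p)["name"]
        if n not in seen:
            seen.append(n)
    return seen


if __name__ == "__main__":
    # Constructed traffic: the kind of names a streaming box or browser resolves.
    trail = [build_query("www.example.com"), build_query("cdn.example.com", qtype=28),
             build_query("www.example.com"), build_query("logs.example.net")]
    for host in domains_seen(trail):
        print(host)
```

Everything `observe` returns comes from bytes that travel unencrypted over UDP port 53, which is why pointing every device at a resolver you control (the Pi-hole) changes who gets that trail, while using a third-party resolver merely changes which company keeps it.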
 
Roku > AppleTV. I have both. AppleTV collects dust.

They’re not acting as the DNS server for the network so they don’t see DNS queries from other hosts on the subnet. They are running constant queries against every IP in the subnet and reporting back the forensic details there.
 
Sure, if you don't mind them spying on you, by all means use Roku. Can't wait until they start offering this data to a wider audience. I can think up several "interesting" business models that could totally ruin your life if you browse anything even remotely controversial. You're also logged in on Roku, so they know your name, address, and (potentially) billing info.

They don't have to act as a DNS server. All they need to do is put their NIC in promiscuous mode. They'll see all packets that way, and they will be able to capture unencrypted ones. Google got nailed for this shit years ago with their Google Street View cars. They'd drive around and capture everyone's WiFi traffic. They say they never did anything with it, but here Roku got you to agree to some obscure fine print, so they are free to do as they please.
 
Well, they’re not now. That’s the point of the pi-hole.

The AppleTV is also sending data back to Apple’s logging endpoints. Or it was until the pi-hole took over DNS resolving duties on my network. :)

Good point about using promiscuous mode for mapping the network, blindly. Thankfully its ability to report back is now hampered.
 
It doesn't actually need DNS to send stuff to their endpoints. It could already have an IP address, or a pool of IP addresses, from the factory. You might also want to ban those in your packet filter.
 
> It doesn't actually need DNS to send stuff to their endpoints. It could already have an IP address, or a pool of IP addresses, from the factory. You might also want to ban those in your packet filter.
It could have an IP address pool, yes. But realistically speaking that’s a hellacious untenable setup to keep up as HA infrastructure. This is far from perfect but close to incredibly good.
 
Agreed. Only the paranoid survive though. :) Actually, come to think of it, they could also use their own DNS, so blocking access to port 53 for outgoing UDP packets would not be a bad idea.
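The two posts above raise the cases a blocklist alone does not cover: a device that ships with hard-coded endpoint addresses, and one that talks to its own resolver instead of the Pi-hole. The block below is an added example, not from any poster in this thread: it reads Pi-hole's dnsmasq-style query log together with firewall log lines for port 53 and reports, per client, which telemetry names were sinkholed and which devices tried to reach a resolver other than the Pi-hole. The log lines are constructed; the dnsmasq `query[...]`/`gravity blocked` format and the iptables `LOG` target field layout are assumed as written, and `PIHOLE_ADDR`, the hostnames and the addresses are placeholders.

```python
"""Audit Pi-hole and firewall logs for devices that phone home or bypass the Pi-hole.

Added example, not from the thread. All log lines are constructed; the dnsmasq
query/block line format and the iptables LOG field layout are assumptions, as
are PIHOLE_ADDR and every hostname and address below.
"""
import re
from collections import defaultdict

PIHOLE_ADDR = "192.168.1.2"  # assumed LAN address of the Pi-hole

# dnsmasq: "query[A] host from client"; Pi-hole: "gravity blocked host is 0.0.0.0"
QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<host>\S+) from (?P<client>\S+)")
BLOCK_RE = re.compile(r"gravity blocked (?P<host>\S+) is ")
# iptables LOG target: "... SRC=a DST=b ... PROTO=UDP SPT=x DPT=53 ..."
FW_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*PROTO=(?P<proto>\w+) .*DPT=(?P<dport>\d+)")


def parse_pihole(lines):
    """Return (queries, blocked): queries maps client -> set of hosts it asked for;
    blocked is the set of hosts the Pi-hole answered with a sinkhole address."""
    queries = defaultdict(set)
    blocked = set()
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            queries[m["client"]].add(m["host"])
            continue
        m = BLOCK_RE.search(line)
        if m:
            blocked.add(m["host"])
    return queries, blocked


def dns_bypass_attempts(fw_lines, pihole_addr=PIHOLE_ADDR):
    """Clients that sent port-53 traffic anywhere other than the Pi-hole: a device
    using its own resolver, which no blocklist on the Pi-hole can touch."""
    attempts = defaultdict(set)
    for line in fw_lines:
        m = FW_RE.search(line)
        if not m or m["dport"] != "53":
            continue
        if m["dst"] != pihole_addr:
            attempts[m["src"]].add(m["dst"])
    return dict(attempts)


def report(pihole_lines, fw_lines):
    """Per-client list of sinkholed names, plus the bypass attempts seen at the firewall."""
    queries, blocked = parse_pihole(pihole_lines)
    return {
        "blocked_per_client": {c: sorted(h & blocked) for c, h in queries.items() if h & blocked},
        "dns_bypass": dns_bypass_attempts(fw_lines),
    }


# Constructed sample logs (format assumed, see module docstring)
PIHOLE_LOG = """\
Jan 10 20:01:02 dnsmasq[812]: query[A] logs.example.net from 192.168.1.50
Jan 10 20:01:02 dnsmasq[812]: gravity blocked logs.example.net is 0.0.0.0
Jan 10 20:01:03 dnsmasq[812]: query[A] cdn.example.com from 192.168.1.50
Jan 10 20:01:03 dnsmasq[812]: reply cdn.example.com is 203.0.113.10
Jan 10 20:01:05 dnsmasq[812]: query[AAAA] metrics.example.org from 192.168.1.51
Jan 10 20:01:05 dnsmasq[812]: gravity blocked metrics.example.org is ::
""".splitlines()

FIREWALL_LOG = """\
Jan 10 20:01:07 router kernel: [1234.5] DNS-BYPASS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Jan 10 20:01:08 router kernel: [1235.1] DNS-BYPASS IN=br-lan OUT=eth0 SRC=192.168.1.51 DST=192.168.1.2 LEN=60 PROTO=UDP SPT=51235 DPT=53 LEN=40
Jan 10 20:01:09 router kernel: [1236.0] DNS-BYPASS IN=br-lan OUT=eth0 SRC=192.168.1.50 DST=203.0.113.53 LEN=60 PROTO=TCP SPT=51236 DPT=53 WINDOW=65535
""".splitlines()

if __name__ == "__main__":
    import json
    print(json.dumps(report(PIHOLE_LOG, FIREWALL_LOG), indent=2, default=sorted))
```

The bypass list is only as good as the firewall rule feeding it: on an OpenWrt, pfSense or OPNsense box the rule is "log and reject LAN-to-WAN traffic on TCP/UDP 53 whose destination is not the Pi-hole", and the hard-coded-IP case from the earlier post needs a separate destination blocklist, since no DNS layer is involved at all. Devices that use DNS over HTTPS on port 443 will not show up here either; that needs blocking of the known DoH resolver addresses.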
 
> You flash the distro onto the SD card using something like Etcher. I'm using the DietPi distro because I wanted something tiny tiny. I'm weird like that.
>
> With DietPi this is done from a command line installation tool. Super easy.
>
> No worries. Happy to answer questions.
>
> Once it's on the box you make the box your DNS server and your DHCP server for your network and boom! It's filtering out all the shite domain names for you.
Wow, that was fast, from CA; I wonder what time it was at your place.
I'll get myself a Raspberry Pi now in the first place and will surely be back then. Thanks for the info. I have nothing to hide but am getting sick of these continuous intrusions into our private life that we never asked for.
 
Topic is a huge pet peeve of mine....

OP, thanks a ton for this post. I am an IT engineer for Active Directory, and all I seem to do all day, every day, is respond to another security initiative by our Corp. Security Compliance dept.

But on topic...Now it's to the point everyone wants a piece of behavior/trend data.

Big Data. Hadoop, etc., all these monster clusters of file servers with no purpose other than to track your clicks, your searches, what you buy, what you X and Y.

My wife brought a Google home into the house and I chucked it in the garbage!

My pet peeve is... 'Where does the line get drawn?' Different countries have different laws on where that line is.

I consider Big Data 'the devil', and I have 4 Rokus in our house and had no clue this was happening.... YouTube has practically replaced my TV because I watch things I am interested in ad hoc, instant gratification, so it bothers me even further.

This data collection... where does it stop... all our smartphones have mics, cameras, etc...do they listen? Watch?

Makes me nervous all the time.
 
> Agreed. Only the paranoid survive though. :) Actually, come to think of it, they could also use their own DNS, so blocking access to port 53 for outgoing UDP packets would not be a bad idea.
I’m planning to OpenWRT my router next so I can run pfsense and do pretty much this. :)
 
I run OPNSense in a VM on my home server. I pass through the WAN NIC to it to isolate it from everything else. OPNSense is basically a more actively developed fork of PFSense. I've been running it for a couple of years, with no issues.
 
> I run OPNSense in a VM on my home server. I pass through the WAN NIC to it to isolate it from everything else. OPNSense is basically a more actively developed fork of PFSense. I've been running it for a couple of years, with no issues.
I tried to move my router to OpenWRT but couldn’t get the WAN side to pick up an IP address from my ISP. Had to revert back before the house mutinied. But I’ll try again next weekend.
 
If your internet is cable, sometimes you just need to let it try for a few hours. Most cable setups will not issue an address immediately if MAC has changed, but after an hour or so they will oblige. If you’re unlucky, you may need to call your ISP.
 
> If your internet is cable, sometimes you just need to let it try for a few hours. Most cable setups will not issue an address immediately if MAC has changed, but after an hour or so they will oblige. If you’re unlucky, you may need to call your ISP.
So the thing is the MAC address didn’t change. I figure I’ve got to call Comcast.

Also might try dd-wrt which is a little more polished than OpenWRT.
 