What could possibly go wrong? Sublet your home broadband to strangers who totally won't commit crimes

Money for nothing but your nicked IP

In-depth: The latest passive income trend, we're told by Lithuania-based internet biz IPRoyal, is internet sharing, a term that here means "subletting" or "reselling."

And "passive income," of course, refers to getting paid without doing anything, a concept that may sound appealing but generally glosses over potential costs.

Launched in January, IPRoyal pays residential internet users in exchange for "sharing" their internet service, something many internet service providers like Sonic Internet [PDF] and Comcast prohibit in their terms of service. And it sells access to that bandwidth to customers seeking proxy services.

Other companies, like PacketStream and Packity, both based in Los Angeles, and Belarus-based Honeygain run similar businesses: proxy networks that let customers rent out unused bandwidth for a fee.

A proxy in an internet context is simply a server that acts as an intermediary between the user and the next point on the network. Bandwidth-renting services provide apps that people install on their devices. Those apps act as proxies, giving the service's paying customers access to the device owner's internet connection so they can use the IP address of the bandwidth-providing consumer.

"You essentially employ your internet connection to make money for you," Honeygain explains on its website. The outfit goes on to claim that its network is used by researchers at e-commerce, advertising, and web intelligence companies for ad-fraud prevention, brand protection, travel fare aggregation, and SEO monitoring services.

What's new here, or relatively so, is the idea of turning one's internet service into a fee-generating party line. The Register asked Rudy Rucker Jr, co-founder of the San Francisco-based ISP MonkeyBrains, about bandwidth subletting, and he remarked, "Distributed VPN service! I didn't know it existed as a service."

He described the arrangement as a consensual compromise of your network, in that you allow your broadband connection to relay other people's potentially questionable activities across the internet. Someone might want to tap into these at-home proxies to build up a "large block of IPs so that you can generate revenue by 'clicking Ads' or 'bot reviewing apps,'" he said, recounting how he'd once seen a cabinet with about 50 iPhones automated to rate products. "Gross."

"My understanding is that this is not about 'sharing internet via WiFi to neighbors' but rather 'let someone proxy through your link to fake your source IP,'" said Rucker.

"To me, this means that clients would use more bandwidth on their links, not less," he said. "The more people use, the more people need ISPs. This looks clearly like something that strengthens our business, not threatens it."

At the same time, he's wary about how people would actually be using the service.

"Do I agree with people selling their link to help people fake reviews, drive up fake advertisement engagement?" he said. "No. Do I think I'll ever use this service personally? Probably not. It may be neat to be able to set up ad-hoc pings from around the globe. Neat idea, not worth the effort for our business."

Rucker cited Tor as a service that enables anti-surveillance and anti-tracking uses that he supports. "Personally, I just don't see a use case for a service that pays people to 'Share their internet' that doesn't sound like a scam," he said.

Moreover, there's the issue of whether individuals actually have any right to resell bandwidth they've bought.

"Is a customer's 'unused' internet really theirs to share and sell?" Rucker asked. "The unused resource is more of a shared resource in a specific network segment (all segments have bottlenecks) and people who do this would be 'taking from the commons.'"

"Now if people monetized bandwidth from 1am to 6am, I would not see that taking from anyone, and I couldn't argue with that!" he added. "Usage at peak times would make our bandwidth bill go up, but not by a noticeable amount."

The companies involved in the parceling and resale of bandwidth insist the practice is secure, and not at all used for any of the awful things that happen on the internet.

"IPRoyal is built on three core pillars – security, safety, and privacy," said Karolis Toleikis, CEO of IPRoyal, in a statement. "All our clients need to confirm their identity by providing their name and valid ID documents. That way, we know who they are. We also make sure all the traffic our trusted partners use is 100 per cent safe."

However, IPRoyal, which refers to internet-sharing subscribers as "pawns," does warn that some of the others in the market may not be so scrupulous. Without naming names, the company points out that not everyone employs security measures to prevent data leakages, illegal content, and DDoS attacks from being conducted via their users, sorry, pawns' IP addresses.

Toleikis in an email to The Register insisted there's no difference between selling bandwidth and sharing your internet connection with the rest of your family at home.

"It's like creating a hotspot with your mobile phone to share your internet access with friends. It's perfectly legal, as long as you make sure you have unlimited bandwidth, so you don't have to pay for it," he said. "However, pawns (internet connection owners) should make sure their ISP allows sharing. It's their responsibility to make sure that it is permitted."

Toleikis insisted no IP address used by his company's pawns has been blacklisted so far. "Our pawns trust us a lot more than other similar services," he said. "The reason is simple – we apply multiple security layers to avoid any illegal activity with our pawn traffic."

"Some of our pawns even check the network by themselves to see where and how their traffic is used," he added. "In case they notice anything suspicious, we urge them to let us know so we can further improve everyone's safety."

As a security measure, he said, the service requires customers to provide a selfie alongside a passport image.

Asked whether any clients have abused the service, Toleikis said in the first months some clients were making multiple connections to the Sony PlayStation Network.

"To ensure that all the traffic to and from our pawns stays safe, we banned all domain addresses from that particular company (Sony/PlayStation)," he said. "None of our clients can go to those websites anymore. We are making sure that all our pawns who decide to share their internet via our application and earn some extra money will be safe, and their traffic will not be used for any illegal activity."

In online forums devoted to GPT websites – "Get Paid To" – detractors are not hard to find. An individual posting to Reddit claims, "Honeygain got my residential IP blacklisted as a VPN," and another individual posting to the thread claims to have aroused the ire of IT staff after installing Honeygain on a work computer. The PC supposedly participated in an attack on the Sony PlayStation servers.

One can also find mostly glowing reviews, which would be more convincing if fake reviews weren't a thing and if this sort of proxy service weren't well-suited for posting bulk positive reviews under different IP addresses.

Honeygain did not immediately respond to a request for comment.

Knight takes pawn

The amount of ostensibly passive income people earn in this manner varies. IPRoyal advertises $0.20 per GB of data and last month claimed, "On average, our Pawns earn around $5-30 per month." That was in response to an individual claiming the amount was only about $0.15 per day.

Others offer $0.10 per GB, or less depending on availability. And the performance impact of backdooring your own internet connection, the companies claim, is minimal. Packity, for example, says its app will not use more than 15 per cent of available internet bandwidth.

The Register asked to speak with someone at PacketStream about the company, and received a response from the firm's support address that ignored our inquiry about whether we should attribute the replies to any individual in particular.

We asked PacketStream the following questions:

  • "Do ISPs have any issue with PacketStream reselling customer bandwidth, given that many explicitly forbid resale?"
  • "Have any PacketStream customers had their ISP accounts cancelled or blacklisted as a result of what's done on IP addresses that they're associated with?"
  • "Has PacketStream had to remove or warn any proxy address customers for illegal or disallowed activities? If so, any idea how often that happens?"
  • "How would you describe growth at the company since its inception?"

The response we received did not directly address most of our questions, but offered general reassurance about the legitimacy of the business.

  • "We have both active & automated processes to prevent abuse and terminate accounts. We’re a US company and service thousands of business customers, including large enterprise companies who choose PacketStream’s proxy solution because of our fully opt-in, transparent bandwidth sharing model."
  • "We value the integrity of our IP network. Maintaining an ecosystem that’s beneficial for all participants is important to us."
  • "PacketStream is not an anonymity tool. We collect customer information. PacketStream’s model doesn’t lend itself well to abuse cases."
  • "We launched a little over two years ago and we’ve seen strong growth on both the Packeter and customer sides of our business. We’ve seen an increase in the demand for business intelligence tooling as more companies have leaned into digital efforts during the shutdowns. We’re glad that we’ve been able to support households with a passive, supplemental income stream during the pandemic."

The Register asked Comcast whether any of its staff cared to comment on bandwidth renting. After an interim inquiry for more detail, the US cableco did not respond. ®

Biting the hand that feeds IT © 1998–2022