[TR-069] Verizon FiOS Uses It — But So What?

I became interested in TR-069 after figuring out my Verizon FiOS router had the capability to be remotely managed by it, allowing my mind to wander about a couple of “what-if” situations. However, I can see the benefits of this feature from the perspective of the provider. For example, with TR-069 the provider or manufacturer of the device can swiftly deal with problematic issues that would otherwise have required a technician to be dispatched to a customer’s home, which can be costly. With the ability to perform such tasks as remote firmware upgrades/patching or even the initial configuration of the device for the customer, providers can definitely save a lot of money. Imagine millions of customers needing a technician to be dispatched to their homes due to a major security flaw in the device software.

But what if the provider uses the full capabilities of TR-069 for profit and gain? That would not surprise me in the least. After all, they do technically own the device while the customer has service with them. But what if a midnight-shift engineer used the capabilities of TR-069 to gain entry into a customer’s home network to snoop around? Would the customer know? Could the customer even prevent remote access into their leased modem or router and ultimately their private home network? First, what exactly is TR-069?

According to Wikipedia:

TR-069 (Technical Report 069) is a DSL Forum (which was later renamed as Broadband Forum) technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end-user devices.

In other words, TR-069 is a WAN management protocol implemented in client devices such as home routers, set-top boxes and similar equipment leased from ISPs or cable providers. These client devices are also referred to as CPEs, or Customer Premises Equipment. TR-069 is the technology that allows vendors to remotely interact with their CPE for such purposes as initial device configuration, troubleshooting and basic management of the device such as performing remote backups or firmware upgrades. This allows vendors to cut costs on field technicians that would have otherwise been dispatched to a customer’s home or office. The protocol allows for communication to take place via SOAP/HTTP between the CPE and the vendor’s Auto Configuration Servers (ACS). With TR-069, communication can either be initiated from the vendor side or the customer side without the customer’s knowledge. An ACS can be thought of as a single point of management for all customer devices [2].
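What that SOAP/HTTP exchange looks like to someone inspecting it, as an added example that is not from the original post: a CWMP session opens with an Inform message from the CPE, and its event codes state why the device is contacting the ACS, with `6 CONNECTION REQUEST` marking a session the ACS asked for. The envelope, device values and URL below are constructed, and `parse_inform` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET  # for untrusted captures, prefer defusedxml

CWMP_PREFIX = "{urn:dslforum-org:cwmp-"  # matches cwmp-1-0, 1-1, 1-2 namespaces

# Constructed sample Inform (not captured from a real device; the port in
# the URL is borrowed from the post, everything else is made up).
SAMPLE_INFORM = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
 <soap:Body>
  <cwmp:Inform>
   <DeviceId>
    <Manufacturer>ExampleVendor</Manufacturer>
    <OUI>000000</OUI>
    <ProductClass>ExampleRouter</ProductClass>
    <SerialNumber>CONSTRUCTED0001</SerialNumber>
   </DeviceId>
   <Event>
    <EventStruct><EventCode>6 CONNECTION REQUEST</EventCode></EventStruct>
   </Event>
   <ParameterList>
    <ParameterValueStruct>
     <Name>InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
     <Value>http://203.0.113.10:4567/</Value>
    </ParameterValueStruct>
   </ParameterList>
  </cwmp:Inform>
 </soap:Body>
</soap:Envelope>"""

def parse_inform(xml_text):
    """Return device identity, event codes and reported parameters."""
    root = ET.fromstring(xml_text)
    inform = next((e for e in root.iter()
                   if e.tag.startswith(CWMP_PREFIX) and e.tag.endswith("}Inform")), None)
    if inform is None:
        raise ValueError("not a CWMP Inform message")
    dev = inform.find("DeviceId")
    device = {c.tag: (c.text or "").strip() for c in dev} if dev is not None else {}
    events = [(e.text or "").strip() for e in inform.iter("EventCode")]
    params = {p.findtext("Name"): p.findtext("Value")
              for p in inform.iter("ParameterValueStruct")}
    # "6 CONNECTION REQUEST": the CPE opened this session because the ACS asked.
    return {"device": device, "events": events, "params": params,
            "acs_initiated": "6 CONNECTION REQUEST" in events}

if __name__ == "__main__":
    print(parse_inform(SAMPLE_INFORM))
```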

So, would the customer know if “someone” was snooping around? Possibly, but they would definitely have to be proactive and check the logs from time to time. Could the customer even prevent remote access into their leased modem or router and ultimately their private home network? This is a big NO! At least not with the equipment provided to them by the manufacturer or their ISP. Trying to disable the abilities of TR-069 once implemented in a device is damn near impossible, especially when attempted using the FiOS router itself. Check out this screenshot:

You will notice under the “Delete” column, what would have been an option to delete this rule from the outside has been removed. Another example to show the “Verizon FiOS Service” cannot be blocked is something you can test yourself. For example, if you have Internet with FiOS and know your public IP, port “4567” will be open. Attempting to connect to it via a web browser should present you with a login prompt. However, not just anyone can connect and I would be surprised if you could get that Login/Password pair. But what if someone figured out the pair? Or what if an employee at the ISP wanted to snoop around?


5 Responses to [TR-069] Verizon FiOS Uses It — But So What?

  1. Anonymous says:

    I just recently got FiOS and my router was rebooted remotely, and had the Wi-Fi network SSID changed. I’m pretty pissed, looking to see if I can flash it.

    • swinful says:

      Hi,

      Just playing “devil’s advocate”… Maybe it was not the service provider that rebooted your router. How can you tell? I read somewhere it’s pretty easy to figure out the default SSID password with the provider-provided Actiontec router. Have you had a chat with the service provider and what did they say?

  2. Aditya Nag says:

    I think that if you are concerned about the security of your network, you would use your own router.

    You can replace the Verizon router, or if you don’t want to do that, you can simply connect your router to the Verizon router. That way, even if Verizon logged into their router, they would not be able to connect to your home network which is behind your own router.

    Doing this is a hassle, yes, but it’s not too complicated (well, if you’re worried about security, you probably know how to do this, or can find a consultant/pro/local geek kid to do it for you) and gives you another layer of security.

    Verizon can naturally see the traffic; after all, you’re using their network, and they can monitor it. If you are concerned about them snooping, you’d need to set up a VPN; buy one, or do it yourself on a hosted server somewhere else.

    Security is complicated, but it’s a fun exercise to figure all this stuff out.

    I agree that it’s not good practice for Verizon to leave port 4567 open. I’m going to test this on my home FiOS connection, and if it is indeed open, I’ll probably put a pfSense box behind the router.

    Good post!

    • swinful says:

      Hello Aditya,

      Thank you for your comment — I agree with you 100%! Please let us know your findings after verifying port 4567 on your end. I would also be very interested in your configuration of pfSense if you don’t mind sharing.

      Regards,
      -swinful

  3. D.S. says:

    I don’t want to add to the paranoia but I work in Telecommunications (I can’t say where) and I am familiar with TR-069. What you need to know is it is possible, and I have done this in the lab, to ssh to a TR-069 device and execute Linux commands to check the state of the router, enable logging, et cetera. This also provides me the ability to (pardon the pun) snoop around. However I am not really interested in what individuals do and it would be access and break Federal law.
    Consider the fact that we leave facts about our lives all over the network with companies like LinkedIn, Facebook, Flickr, Google, et cetera. We also use credit cards and store loyalty cards. Even more disturbing, we use Location Based Services, online gaming, entertainment, and chat on our smart phones, enabling the carriers to maintain a pretty good lock on our location. If (and this is a big if) someone (like a government) wants to, they don’t really have to wonder too long about your movements, motivations, and behavior. It would be scary except for the fact the government can’t even run the post office so “tracking me” isn’t a worry. Big Business maybe? Yeah, they’re interested…
