I became interested in TR-069 after figuring out that my Verizon FiOS router could be remotely managed through it, which set my mind wandering over a couple of “what-if” situations. However, I can see the benefits of this feature from the perspective of the provider. For example, with TR-069 the provider or manufacturer of the device can swiftly deal with problems that would otherwise have required a technician to be dispatched to a customer's home, which can be costly. With the ability to perform such tasks as remote firmware upgrades and patching, or even the initial configuration of the device for the customer, providers can definitely save a lot of money. Imagine millions of customers needing a technician dispatched to their homes because of a major security flaw in the device software.
But what if the provider uses the full capabilities of TR-069 for profit and gain? That would not surprise me in the least. After all, they do technically own the device while the customer has service with them. But what if a midnight-shift engineer used the capabilities of TR-069 to gain entry into a customer's home network to snoop around? Would the customer know? Could the customer even prevent remote access into their leased modem or router and ultimately their private home network? First, what exactly is TR-069?
According to Wikipedia:
TR-069 (Technical Report 069) is a DSL Forum (which was later renamed as Broadband Forum) technical specification entitled CPE WAN Management Protocol (CWMP). It defines an application layer protocol for remote management of end-user devices.
In other words, TR-069 is a WAN management protocol implemented in client devices such as home routers, set-top boxes and similar equipment leased from ISPs or cable providers. These client devices are also referred to as CPE, or Customer Premises Equipment. TR-069 is the technology that allows vendors to remotely interact with their CPE for such purposes as initial device configuration, troubleshooting and basic management of the device, such as performing remote backups or firmware upgrades. This allows vendors to cut costs on field technicians who would otherwise have been dispatched to a customer's home or office. The protocol carries its communication over SOAP/HTTP between the CPE and the vendor's Auto Configuration Servers (ACS). With TR-069, communication can be initiated from either the vendor side or the customer side, without the customer's knowledge. An ACS can be thought of as a single point of management for all customer devices.
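To make the SOAP/HTTP exchange concrete, here is an added example (not from the original post or from any vendor) that parses the Inform message a CPE sends to its ACS at the start of a session and reports whether the session was triggered by the ACS. The envelope is a constructed sample: the device values and the documentation-range address are made up, and the port in the URL simply reuses the number mentioned on this page.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a minimal CWMP Inform as a CPE would POST it to its ACS.
# All device values and the ConnectionRequestURL below are made up for illustration.
SAMPLE_INFORM = """<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"
               xmlns:cwmp="urn:dslforum-org:cwmp-1-0">
  <soap:Header><cwmp:ID soap:mustUnderstand="1">1</cwmp:ID></soap:Header>
  <soap:Body>
    <cwmp:Inform>
      <DeviceId>
        <Manufacturer>ExampleCo</Manufacturer>
        <OUI>001122</OUI>
        <ProductClass>HomeRouter</ProductClass>
        <SerialNumber>SN0001</SerialNumber>
      </DeviceId>
      <Event>
        <EventStruct><EventCode>6 CONNECTION REQUEST</EventCode><CommandKey/></EventStruct>
      </Event>
      <ParameterList>
        <ParameterValueStruct>
          <Name>InternetGatewayDevice.ManagementServer.ConnectionRequestURL</Name>
          <Value>http://203.0.113.10:4567/</Value>
        </ParameterValueStruct>
      </ParameterList>
    </cwmp:Inform>
  </soap:Body>
</soap:Envelope>"""

CWMP_NS = "{urn:dslforum-org:cwmp-1-0}"
# TR-069 event code reported when the ACS asked the CPE to open a session.
ACS_TRIGGERED = "6 CONNECTION REQUEST"

def summarize_inform(envelope_xml):
    """Return device identity, event codes, parameters and who triggered the session."""
    root = ET.fromstring(envelope_xml)
    inform = root.find(f".//{CWMP_NS}Inform")
    if inform is None:
        raise ValueError("not a CWMP Inform message")
    device = {c.tag: (c.text or "") for c in inform.iterfind("DeviceId/*")}
    events = [e.text.strip() for e in inform.iter("EventCode") if e.text]
    params = {p.findtext("Name"): p.findtext("Value")
              for p in inform.iter("ParameterValueStruct")}
    triggered_by = "ACS" if ACS_TRIGGERED in events else "CPE"
    return {"device": device, "events": events, "params": params, "triggered_by": triggered_by}

if __name__ == "__main__":
    print(summarize_inform(SAMPLE_INFORM))
```

An Inform carrying only codes such as "2 PERIODIC" or "1 BOOT" is reported as CPE-triggered, which is the customer-side case described above.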
So, would the customer know if “someone” was snooping around? Possibly, but they would definitely have to be proactive and check the logs from time to time. Could the customer even prevent remote access into their leased modem or router and ultimately their private home network? This is a big NO! At least not with the equipment provided to them by the manufacturer or their ISP. Trying to disable the abilities of TR-069 once implemented in a device is damn near impossible, especially when attempted using the FiOS router itself. Check out this screenshot:
You will notice under the “Delete” column that what would have been an option to delete this rule from the outside has been removed. Another way to show that the “Verizon FiOS Service” cannot be blocked is something you can test yourself. For example, if you have Internet with FiOS and know your public IP, port “4567” will be open. Attempting to connect to it via a web browser should present you with a login prompt. However, not just anyone can connect, and I would be surprised if you could get that login/password pair. But what if someone figured out the pair? Or what if an employee at the ISP wanted to snoop around?