Article here
Essentially discussing remote admin and/or TR-069 access to your router by your ISP.
I thought the whole article was a great piece of comedy. Some of the examples of how staff could set up Wireless Networks and go to clients' houses and steal their files were amazing.
Wait, wait, wait, you mean that my property-of-Chorus centrally-managed ONT "modem" is centrally-managed? Whatever shall I do?!
If you can't laugh at yourself then you probably shouldn't laugh at others.
kiwiharry: Although the article doesn't state which modem it was, on my Vodafone HG659 modem there is a Remote Management tab and it looks like it allows me to disable it.
The so-called "Opt-out" feature already built in?
Or maybe we should all go and claim for $300 reimbursement of hardware before it's too late.
Or be comfortable for the RSP to send their own support out at a cost. Cost? No way!!!
This will make some less technically minded people think they should go and buy a dlink or netgear off the shelf because they don't want their ISP having access and in the process just simply open up themselves to the world in the process because they have no idea about locking it down as such.
The story was very poorly written and IMHO will do nothing but spread FUD and increase support calls and costs to an RSP. If you're a security "expert" and have just discovered TR-069 I don't think you should be proclaiming yourself to be an expert.
Much of what's written about TR-069 on the Internet is also without basis - yes there have been documented security risks over the years from poorly deployed solutions but that's because of the way they've been deployed.
If you're a large ISP remote management of CPE is essential, particularly if you're offering voice services over it.
There are other issues such as people giving their CPE away that's provisioned with voice details that are legitimate issues of auto provisioned hardware but not mentioned. We've seen numerous posts from people over the years as a result of this, both from Vodafone and Snap/2degrees users.
A few years ago BT's Homehub product was nobbled - https://www.theregister.co.uk/2007/10/22/home_hub_vuln_plugged/ - because of reasons, but it did give an example of how not paying attention to the details can lead to compromised security and opportunity for nuisance.
Without knowing the specifics of what risk there is - beyond the obvious 'we can remote in and do stuff' - I'm not sure what the right answer is.
I guess the alternative is to go back to the world where ISPs provided NO support for the equipment they were supplying, and left the customer to do it themselves.
As long as the ISPs are confident no one else can log in via the remote access path, and have 100% confidence in the hardware - HG659 I'm looking at you - to not 'accidentally' let someone through....
________
Antoniosk
sbiddle:
The story was very poorly written and IMHO will do nothing but spread FUD and increase support calls and costs to an RSP. If you're a security "expert" and have just discovered TR-069 I don't think you should be proclaiming yourself to be an expert.
Yep, this self-proclaimed "expert" clearly knows zero about the telecommunications industry. TR69 is not new and certainly not a bad thing unless it's been very poorly implemented.
Why is anyone surprised? This is the kind of gutter journalism they stoop to all the time now.
noroad:
sbiddle:
The story was very poorly written and IMHO will do nothing but spread FUD and increase support calls and costs to an RSP. If you're a security "expert" and have just discovered TR-069 I don't think you should be proclaiming yourself to be an expert.
Yep, this self-proclaimed "expert" clearly knows zero about the telecommunications industry. TR69 is not new and certainly not a bad thing unless it's been very poorly implemented.
But he "has experience working on IT security with intelligence agencies". He is clearly too busy to be reading a modem manual.
I suspect this all started as a way to get a free modem.
What the actual fu..
Shame this "security expert" was not named for his discovery of TR069. Wonder if he used my router guide?
Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.