1

When I was changing my router my ISP technician told me that he has remote access to all routers provided by ISP. Was that true? If that is a fact it scares me...

Davidenko

7 Answers

5

ISPs have complete access to the router provided by them. They often use port 7547 which is TR-069 Protocol (CWMP customer-premises WAN management protocol). And you cannot disable it because it's hidden from GUI mode, and obviously, ISPs don't provide the CLI to customers.

The solution is to replace the router with your own and ask your ISP for the complete router configurations.

schroeder
Hisan Mehmood
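A check you can run from inside your own LAN against your own gateway, for the TR-069 port the answer above names. This is an added example, not part of the original answer; the gateway address `192.168.1.1` and the sample reply are assumptions constructed for illustration.

```python
import socket

CWMP_PORT = 7547  # TR-069 port named in the answer above

# Constructed sample: the kind of HTTP auth challenge a management listener may return.
SAMPLE_REPLY = (b"HTTP/1.1 401 Unauthorized\r\nServer: ExampleCPE/1.0\r\n"
                b'WWW-Authenticate: Digest realm="example", nonce="abc"\r\n\r\n')

def classify_response(raw: bytes) -> str:
    """Interpret the first bytes a service on the port sent back."""
    if not raw:
        return "open, no HTTP reply"
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    status = lines[0].split()
    if not lines[0].startswith("HTTP/") or len(status) < 2:
        return "open, not HTTP"
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "unknown")
    if status[1] == "401" and "www-authenticate" in headers:
        return f"open, HTTP auth required (server: {server})"
    return f"open, HTTP {status[1]} (server: {server})"

def probe(host: str, port: int = CWMP_PORT, timeout: float = 3.0) -> str:
    """Connect to host:port, send one plain GET, and describe what answers."""
    request = b"GET / HTTP/1.1\r\nHost: " + host.encode() + b"\r\nConnection: close\r\n\r\n"
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            try:
                raw = s.recv(4096)
            except OSError:  # timeout or reset after connect: port is open but silent
                raw = b""
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # timeout, no route, etc.
        return "filtered or unreachable"
    return classify_response(raw)

if __name__ == "__main__":
    # Assumed gateway address; replace with your own router's LAN IP.
    print(probe("192.168.1.1"))
```

A "closed" result from the LAN side does not show what the router exposes on its WAN side, which is where the ISP's management traffic arrives.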
5

In a typical modern setup, the cable modem and router are the same device. It is both an endpoint on the consumer's network as well as the telecom's. As such, they have base level access to administer the device, however what they are allowed to do with it is generally governed by your terms of service. Even when the router is separate, if it is supported by the ISP, then they need access to it to be able to provide support.

This is why I never use the router provided by the ISP. If you want to be secure, you should always use your own hardware that you own as an additional layer of defense. I have my ISP's cable modem/router set to bridge mode and it relays the connection to my personal router, which treats it as a WAN device. This gives me complete control of my interior network, but it also means I'm on my own whenever there are problems with my connection, and the first thing they make me do is plug in to the cable modem directly to eliminate my network as a possible problem.

AJ Henderson
2

Of course, how else would they be able to fix something if things go wrong? Note that normally all access should be regulated by a TACACS server which also logs every router access. I do say normally...

Lucas Kauffman
2

Go home, plug a new router into the ISP router, or if you're courageous, replace the ISP router with your own router. Set the admin password to a 32 character "Horse Battery Staple Kumquat" value.

Now ask whether the ISP has access to all routers connected to their network.
The admin told you what it is useful (to him) for you to believe.

schroeder
MCW
  • 1
    Then it might not still be giving you access to the internet? Depending on your ISP. I'd recommend rather another device inside the router provided by your ISP, and for privacy use a VPN service and a DNS service outside the control of your ISP. – Simply G. Mar 17 '16 at 07:27
  • 1
    The OP said "all routers provided by ISP". And the router on the local network is, according to your design, not on the ISP's network anymore... – schroeder Jan 01 '22 at 09:54
0

I highly doubt it. Yes, there may be limited access to the router itself, most likely for diagnostic purposes. But having access through the router itself into your network is unlikely, as there are numerous laws which would come into play; e.g. in the UK we have the Computer Misuse Act, making it illegal to access your network directly without your consent. If you are worried, you can do simple things to help put your mind at ease:

  1. change the administrator password on the router

  2. change the access password to your router

  3. keep anti-virus software up to date (some may have anti-intrusion algorithms as well)

The chances are what he meant was that he (the ISP) will have a degree of access to routers which would allow them to carry out diagnosis in the event of a problem. Without reverse engineering the router, though, there is no way to be 100% sure, but chances are he was making it up a bit. If all else fails, I'm sure Edward Snowden will let us know soon.

daark
  • 2
    Have you ever read the contract you signed with your ISP? – Lucas Kauffman Feb 11 '14 at 13:20
  • I haven't, what are you implying? – Davidenko Feb 11 '14 at 13:41
  • 1
    That there is a high possibility that there is a clause in your contract which states that the equipment you are using is still their property and that therefore they are allowed to have access to it. – Lucas Kauffman Feb 11 '14 at 15:03
  • That is true; however, attaching themselves to your computer or networked storage still remains highly illegal. Such a clause would also have privacy implications for which they could be sued – daark Feb 11 '14 at 16:41
  • None of your suggestions would do anything against an ISP-level threat. Not every country has the CMA, and some ISPs claim that your home network is their network, which defeats your CMA argument. – schroeder Jan 01 '22 at 10:03
0

It's probably true. This is to enable technical support. ISPs have wasted huge amounts of time trying to walk customers through menus, so they have cut out the middleman. I'm guessing it scares you because:

  • "OMG, they can see everything that I do!" Truth is, they already can; they're your ISP. Everything you do on the internet is an open book to them whether they control your router or not. OK, if they have control of your router they can sniff traffic between systems in your home network, chances are that's not a real concern
  • "OMG, they can control my network!" So what? There's nothing that they could do on your router that they couldn't do from their routers

If having control of your router is important to you then talk to your ISP. Many ISPs now have it in the T&Cs that you use their provided router in order to get tech support. If you put your own on there it will probably still work but you'd be on your own if something goes wrong. You also may be able to pay a bit more monthly in exchange for retaining tech support while still using your own router.

schroeder
GdD
  • 2
    What do you mean: "There's nothing that they could do on your router that they couldn't do from their routers"? Isn't the router separating my LAN network from the internet? I said it scares me, because they can see shares and disks they are not supposed to see. – Davidenko Feb 11 '14 at 13:37
  • They can configure your local wireless and lan networks!!! They could ABSOLUTELY not do this if they didn't have access. – chad Nov 11 '21 at 20:08
-1

They do maintain a way to access the routers that they provide. This gives them a way to look at the configuration if something goes wrong. To access your network, though, they would have to have a machine that has a private IP address on your network. To be sure, the router has that. The computer they're using doesn't unless it's connected by VPN.

This would mean that the router has the software installed full-blown command environment and/or VPN software. This is highly unlikely. But, even if it isn't, then can he access other devices on your network? That depends on which servers each device is running. Can you access and control someone else's computer in your house? Probably not, because they're not running an SSH server on port 22. If you can't access the machine, he can't. Since he's not the user of your machine, he can't access yours either. Let's say someone in your household has given you access to their machine (whether SSH or not). You should have a password that's necessary to initiate that service. But he doesn't have it.

I am confident allowing my ISP access to its own device doesn't allow its employees free run of my entire network, and also that they're too busy to try anyway.

schroeder
  • 1
    Your comments about external machine's access to the local network and the need for a VPN are false and not how it would work. – schroeder Jan 01 '22 at 09:22
  • The OP says explicitly that the technician said "routers provided by ISP" so your comment on that is redundant and removed. – schroeder Jan 01 '22 at 09:23
  • "the router has the software installed full-blown command environment" -- they certainly can. Most are custom-built Linux machines. – schroeder Jan 01 '22 at 09:24
  • This entire answer seems to be about access to the router meaning access to the network, but that was never asked. Then you go further to talk about logging into local machines. Again, never mentioned in the question. – schroeder Jan 01 '22 at 09:25
  • The rest of the answer is a story about your struggles maintaining your own router, which is completely off-topic of the question and removed. – schroeder Jan 01 '22 at 09:28
  • Here's how this would work: the router sets up a remote access service on the ISP-side (ssh, or any other basic shell). The ISP could tunnel and pivot their traffic with this. That does not require a "full-blown command environment" (whatever that means). All traffic from the ISP, then, originates from the router on the local network. No VPN and no local IP address required. After getting access to the device and network, they can scan, look for open services on the network, change DNS, redirect traffic, the works. So your entire first paragraph is wrong, and so are your conclusions. – schroeder Jan 01 '22 at 09:37
  • But, as I said, network access was never asked. Simply having remote access to the router's settings is enough to cause damage, surveil, or be malicious. – schroeder Jan 01 '22 at 09:38