Does an ISP have admin access to your modem/router?

I use a Zyxel P-660HN-T1A modem/residential gateway to connect to my home ADSL subscription.

I called my ISP today to inquire about upgrading to a faster broadband package. For some reason, my call was misinterpreted as a downstream speed complaint and my call was forwarded to a technician who carried out a BER test.

After doing this (and verifying that there were no issues), he mentioned the presence of 2 devices connected via WIFI and wanted to know if I knew about this as they might be downloading data unbeknownst to me. Of course, I was shocked at this.

Furthermore, he went on to suggest that I should secure my WLAN with a passphrase. I have unprotected WIFI for reasons of my own.

My obvious question: How did the tech support agent attain this information? Should we assume that the ISP has admin access to the device and is essentially on the local network at all times, despite me changing all default logins long ago (including the telnet login credentials)?

Please advise a concerned user.

synack

Posted 2013-07-11T19:54:54.860

Reputation: 51

Answers

The modem you have allows remote management via TR-069, which could allow access to the information mentioned.

ernie

Posted 2013-07-11T19:54:54.860

Reputation: 5 938

I'm not sure what Zyxel has implemented in that particular device, but you the specs are here

– ernie – 2013-07-11T20:15:10.777

Did the ISP provide the router? If yes, then it is their equipment, why wouldn't they have access. I know for certain, that Comcast and other ISPs have access to the routers they provide.

If you are paranoid, you should set the ISP provided equipment to act as a bridge, and get your own router.

Zoredache

Posted 2013-07-11T19:54:54.860

Reputation: 18 453

Thanks for your input. Yes, they provided it. I would like to know how they access it and how I should investigate that. Also, if I buy my own modem/router will this be a non-issue? – synack – 2013-07-11T20:11:48.170

I don't know for your router/ISP. It would probably be though ssh or a web interface. – Zoredache – 2013-07-11T20:14:21.543

Comcast doesn't allow CMs they can't control. Even customer owned equipment is managed by them. I couldn't say definitively for other ISPs, but I'm sure it's common practice. – Chris S – 2013-07-11T20:17:46.363

It's common for ISPs to have full access to the CPE.
This is usually the "modem" and anything integrated into that device.

If you don't trust them for any reason I strongly suggest limiting the functions provided by the "modem" and attaching whatever equipment you supply to it (eg, modem plugged into a WiFi router).

Chris S

Posted 2013-07-11T19:54:54.860

Reputation: 5 907

Thanks Chris, would you mind explaining how they might be accessing it (over IP, or somehow over analog DSL)? – synack – 2013-07-11T20:10:29.017

DSL is digital, that's what the "D" stands for. Every system I've seen is based in SNMP or TR-069.

– Chris S – 2013-07-11T20:15:26.793

DSL, yes. But this is a DSL modem/gateway that sends/modulates the signal out across POTS. Therefore, analog. – synack – 2013-07-11T20:20:19.857

ADSL uses OFDM modulation, but I wouldn't consider that Analog... unless you also consider WiFi, Cellphones, and Bluetooth to be "analog" too.

– Chris S – 2013-07-11T20:29:21.517

-1

During setup, the ISP downloads a special program into your Modem's operating system that links up with the Control systems at the ISP in order to manage your Modem, in the interest of serving your needs. Some of the functions this achieves are regulating internet speed, traffic, updating firmware among others. Sometimes they also collect some metadata on the devices connected to the modem and their internet usage etc. You mentioned that you have an unsecured wifi, which whatever your reasons are, is open for anyone to connect to and compete for your bandwidth. That's probably why he was trying to make sure that you were aware that could cause your internet to be slow.

user896482

Posted 2013-07-11T19:54:54.860

Reputation: 1

-2

yeah they do, but its contained. It's not like they have access to your internal network or something outlandish.

He asked you if you had a secured wifi network with the logic that un authenticated users could be eating up your bandwidth. There's really no way for him to enumerate this info via a single remote connection to the modem.

Scandalist

Posted 2013-07-11T19:54:54.860

Reputation: 2 767

My apologies if it wasn't clear, but I didn't mention anything about having unprotected WIFI. – synack – 2013-07-11T20:09:37.610

yes you did. "Furthermore, he went on to suggest that I should secure my WLAN with a passphrase. I have unprotected WIFI for reasons of my own."

It seemed as if you thought he somehow knew you had un protected wifi when he was only making a logical guess that someone could be on your network eating bandwidth. It's also very commonplace for UPNP routers to know about other devices they are connected to. – Scandalist – 2013-07-11T20:13:12.910

1You're misunderstanding, unfortunately. Verbatim, his words were: "Oh, you should also probably secure your WIFI with a passphrase in case those connected devices are your neighbours'. Do you know how to do this?" This was prior to me mentioning anything about open WIFI. Thanks for your input. – synack – 2013-07-11T20:16:19.120

I'm only going off what you said in your post, where you yourself mentioned having open wifi. We cannot mind read here at SU. In any case, there's no way for him to access your internal network or resources short of installing a VPN and violating some kind of privacy agreement. – Scandalist – 2013-07-11T20:21:34.373

What if they have kernel-land access to syslog and tcpdump? There's a mini Linux distribution running on these devices by default. – synack – 2013-07-11T20:22:21.660

syslog? tcpdump? I'm not sure how these tools could grant them access to your internal network. If you're worried about your ISP monitoring your connections via these utilities on a SOHO modem, you should be more worried about how they could track you at the routing level back at ISP HQ. – Scandalist – 2013-07-11T20:28:00.260

@scandalist that modem allows for remote provisioning and management (as do most DSL modems), so this information is available via TR-069. – ernie – 2013-07-11T20:29:24.333

1@Scandalist That's fine. Most of my traffic goes through an encrypted tunnel to a VPS my colleague hosts for me. The obvious concern is that the Linux distribution (I'm almost sure it's a Gentoo variant) can be controlled in totality. That includes the ability to install packages and probe the network. You probably don't need me to explain why that's bad. Thanks for your input on my question. – synack – 2013-07-11T20:31:25.497