This is something I noticed a couple of months ago when investigating issues with a Telstra-supplied NBN modem, the Sagemcom F@ST5355-A. Current hardware version is FAST5355-A, software version SG7E10001332, GUI v. 184.108.40.206 and Datapump version A2pv6F039x6.d26r. Firstly, the modem plain sucks; not being able to change DNS servers is a big reason why, but I’ll get into that later.
How, why do I so dislike this modem? Many reasons, but I’ll get to the most pressing one: Telstra frequently use a protocol called CWMP, defined in the Broadband Forum’s TR-069 specification, to remotely interact with, modify, and control their end customers’ hardware, specifically the modems. In the business they call them “Customer Premises Equipment” (CPE). Here is a link to Wikipedia’s very quick rundown. Looking through the maintenance logs on Telstra’s modem, you can see the line “TR-069 connectivity to (220.127.116.11/cwmp/cwmp) has been initiated” crop up. “18.104.22.168” is the IP address the modem connects to, this one at least, and scanning it revealed an email address and more.
The biggest problem with this is that it often involves a reboot or reset of the modem. It is usually performed on a monthly basis, although 15-25 times per month is quite common in my experience. This reboot does something VERY dangerous: it resets the modem administrator password back to the default of “admin”, along with the username, also “admin”. That is one of the first automated combinations an attacker will fire off against equipment to attempt access.
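As an added example (not code from the original post or from Sagemcom/Telstra), here is a small Python script that pulls the TR-069 initiation lines quoted above out of a saved copy of the modem’s maintenance log, counts them per month, and flags months where the ACS contacted the modem more often than you would expect from a “monthly” schedule. The message text is the one quoted above; the timestamp layout, the surrounding non-TR-069 lines and the ACS hostname `acs.example.net` are constructed assumptions for the sample, not values taken from the modem.

```python
"""Count TR-069 (CWMP) session initiations in a Sagemcom-style maintenance log.

Added example, not from the original post. Only the message text
"TR-069 connectivity to (<host>/cwmp/cwmp) has been initiated" comes from the
post; the timestamp format and the sample lines below are constructed.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed line layout: "YYYY-MM-DD HH:MM:SS <subsystem>: <message>".
# The ACS host inside the parentheses is captured so repeated contact with
# the same address is visible in the summary.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}).*?"
    r"TR-069 connectivity to \((?P<acs>[^)/]+)/cwmp/cwmp\) has been initiated"
)

# Constructed sample log: three ACS sessions in March, one in April, plus
# unrelated noise lines that must be ignored.
SAMPLE_LOG = """\
2023-03-02 03:14:07 maint: TR-069 connectivity to (acs.example.net/cwmp/cwmp) has been initiated
2023-03-02 03:14:52 maint: reboot requested by ACS
2023-03-09 02:58:11 maint: TR-069 connectivity to (acs.example.net/cwmp/cwmp) has been initiated
2023-03-16 04:01:30 dhcp: lease renewed for 192.168.0.12
2023-03-23 03:07:45 maint: TR-069 connectivity to (acs.example.net/cwmp/cwmp) has been initiated
2023-04-01 03:22:19 maint: TR-069 connectivity to (acs.example.net/cwmp/cwmp) has been initiated
"""


def parse_sessions(text):
    """Return a list of (timestamp, acs_host) for every TR-069 initiation line."""
    sessions = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            sessions.append((ts, m.group("acs")))
    return sessions


def sessions_per_month(sessions):
    """Count initiations per calendar month, keyed "YYYY-MM"."""
    return Counter(ts.strftime("%Y-%m") for ts, _ in sessions)


def flag_months(counts, threshold):
    """Months with more initiations than `threshold`, sorted."""
    return sorted(month for month, n in counts.items() if n > threshold)


def acs_hosts(sessions):
    """How many times each ACS host was contacted."""
    return Counter(acs for _, acs in sessions)


if __name__ == "__main__":
    sessions = parse_sessions(SAMPLE_LOG)
    counts = sessions_per_month(sessions)
    print("ACS hosts:", dict(acs_hosts(sessions)))
    for month, n in sorted(counts.items()):
        print(f"{month}: {n} TR-069 session(s)")
    # Anything above once a month is worth noticing, since each session may
    # reboot the modem and reset its configuration.
    print("Busier than monthly:", flag_months(counts, 1))
```

To use it on a real device, replace `SAMPLE_LOG` with the text of the maintenance log exported from the modem’s admin page and adjust `LINE_RE` if the firmware writes timestamps in a different layout; the threshold is the point at which you would start asking the ISP why the ACS is in your modem that often.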
Telstra did more: they removed configuration settings for the LAN (local area network), totally removed the dynamic DNS updating settings, removed all custom port forwarding rules, and enabled automatic UPnP, allowing devices on the network, including compromised ones, to automatically configure and change the routing of traffic through the network. Firewall settings were also modified, and IPv6 connectivity was enabled to the public internet rather than the user-set LAN-only setting. Guest Wi-Fi networks were also both disabled and renamed, and their passwords changed too.
The timezone was set to the ACT instead of where it belonged, NSW, and, another grievous tech sin, they turned on the remote access settings to the modem, enabling it for the entire public internet with the default password of “admin” and encryption turned off. Notably, if you try to force encryption to the modem, you get an error as the Sagemcom security certificate is invalid.
More to come.