In recent days, TIM has used a modem functionality called TR-069 to change the configuration of a specific model sold by AVM.
TR-069 (Technical Report 069) is a safe and proven feature that operators have used for years for the remote management of CPEs (Customer Premises Equipment), i.e. routers, modems and other types of equipment. It is important to understand that this is not a backdoor: this encrypted communication protocol has been studied and refined over time to guarantee user privacy and system security at the same time.
TR-069 works in two different modes: a purely diagnostic mode, where the operator can read some configuration parameters, and an operating mode, where the operator can set some parameters according to a series of predefined variables. If these variables are not present, it is possible to load an entire portion of the configuration, overwriting an entire group of rules, and this is more or less what TIM did to insert a custom profile intended for Multicast.
Going into detail, some parameters cannot be read through TR-069: for example, it is not possible to read the Wi-Fi password, nor the user name and password for accessing the router itself, while it is possible to force a password change or set a new access password.
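The split between reading and writing described above shows up directly in the protocol's messages. The following is an added example, not code from the article, AVM or TIM: it parses a CWMP (TR-069) SOAP message, reports whether it reads or writes, and flags writes to credential parameters. Both sample messages are constructed, and the `SENSITIVE` keyword list is an assumption of this example.

```python
import xml.etree.ElementTree as ET

# CWMP RPC names from TR-069, grouped into the article's two modes.
READ_RPCS = {"GetParameterValues", "GetParameterNames", "GetParameterAttributes"}
WRITE_RPCS = {"SetParameterValues", "SetParameterAttributes", "AddObject",
              "DeleteObject", "Download", "Reboot", "FactoryReset"}
# Substrings this example uses to flag credential writes (an assumption).
SENSITIVE = ("password", "passphrase", "presharedkey")
SOAP_BODY = "{http://schemas.xmlsoap.org/soap/envelope/}Body"

def audit_cwmp(xml_text):
    """Classify one ACS-to-router message and list the parameters it names."""
    if "<!DOCTYPE" in xml_text.upper():
        raise ValueError("a SOAP message must not carry a DTD")
    body = ET.fromstring(xml_text).find(SOAP_BODY)
    if body is None or len(body) == 0:
        return {"rpc": None, "mode": "empty", "params": [], "flagged": []}
    rpc = body[0]
    name = rpc.tag.rsplit("}", 1)[-1]  # drop the cwmp namespace prefix
    if name in READ_RPCS:
        mode = "read"
    elif name in WRITE_RPCS:
        mode = "write"
    else:
        mode = "other"
    if name == "SetParameterValues":
        params = [s.findtext("Name", "") for s in rpc.iter("ParameterValueStruct")]
    else:  # Get* RPCs list parameter names as bare <string> elements
        params = [e.text or "" for e in rpc.iter("string")]
    flagged = [p for p in params
               if mode == "write" and any(k in p.lower() for k in SENSITIVE)]
    return {"rpc": name, "mode": mode, "params": params, "flagged": flagged}

_ENV = ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/" '
        'xmlns:cwmp="urn:dslforum-org:cwmp-1-0"><soap:Body>%s</soap:Body></soap:Envelope>')
# Constructed sample (not captured traffic): the ACS writes two parameters.
SAMPLE_SET = _ENV % (
    "<cwmp:SetParameterValues><ParameterList>"
    "<ParameterValueStruct><Name>InternetGatewayDevice.ManagementServer.PeriodicInformInterval</Name>"
    "<Value>3600</Value></ParameterValueStruct>"
    "<ParameterValueStruct><Name>InternetGatewayDevice.LANDevice.1.WLANConfiguration.1.KeyPassphrase</Name>"
    "<Value>constructed-value</Value></ParameterValueStruct>"
    "</ParameterList><ParameterKey>k1</ParameterKey></cwmp:SetParameterValues>")
# Constructed sample: the ACS reads one diagnostic parameter.
SAMPLE_GET = _ENV % (
    "<cwmp:GetParameterValues><ParameterNames>"
    "<string>InternetGatewayDevice.DeviceInfo.SoftwareVersion</string>"
    "</ParameterNames></cwmp:GetParameterValues>")

if __name__ == "__main__":
    for msg in (SAMPLE_SET, SAMPLE_GET):
        print(audit_cwmp(msg))
```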
In short, the system is designed to allow the operators' support services to intervene on aspects that may appear trivial to an advanced user, but which are not at all trivial for an inexperienced one. Thanks to TR-069, the operator can also check that the modem is installed correctly and whether there are problems on the line, and can understand why a person called to complain. Since it is a standardized system, and since the players involved are European companies, it also falls within the terms of the GDPR and is therefore something controlled, safe and verified.
The security of TR-069 is linked to its very principle of operation: if the Internet provider wants a router to connect to its Auto Configuration Server, or ACS, it contacts the router on the port set for this type of communication. On FRITZ!Box devices, since we will go into the details of the TIM case below, the port is TCP 8089.
The request is made to a specific address and the router does not respond to it: it could be someone pretending to be an autoconfiguration server who wants to check whether the port is open.
No router data is transferred to the server that made the request unless the router has first verified the authenticity and integrity of the request: to do this, it checks that the server is actually the one stored in the router firmware.
A question that in Italy only concerns FRITZ!Box
This is a fundamental point: operators cannot intervene on every modem and above all they cannot work on most of the modems that are sold in stores today and are owned by users.
They cannot do this because the parameters and strings of the various providers' Auto Configuration Servers are not present in them. A TP-Link or Netgear router can never be controlled by any Italian operator, because no Italian operator sells this type of router in its catalog or offers it as an option.
The case is different with the AVM FRITZ!Box: the company, recognized for years for the reliability and quality of its products, is present in the catalogs of the various operators with some specific models, and the firmware of these models contains the configuration strings required by the operators who have certified them. However, they are not activated by default unless you select a specific operator.
The 7490, for example, was sold by Wind and therefore will have the string that allows it to be configured and managed remotely by Wind while the 7590, which Wind has never sold, will not have these parameters inside. It really depends on the models.
The fact that a router is sold by an operator and has the configuration strings inside is not a bad thing. On the contrary, it is only an advantage: it means that the operator has carried out all the specific tests to verify the interoperability of that modem with its network, and has worked with the manufacturer to improve an affinity that isn’t always so obvious.
Anyone who purchased an AVM FRITZ!Box 7590 modem from Amazon and chose “TIM” instead of “Other operator” during the initial configuration phase has in fact set TIM's server as the Auto Configuration Server, allowing TIM to carry out diagnostic checks and also to send configuration parameters, such as those for VoIP.
Had they chosen “Other operator” and manually entered the connection parameters of TIM (or others), they would not have allowed TR-069 communication between the router and the operator’s control servers.
At this point it is very likely that TIM made a mistake: they did not consider that there were some AVM FRITZ!Box 7590 routers owned by users, purchased on Amazon, on which the users had nevertheless set TIM as the operator. Since the firmware is the same for all versions, these routers are also part of the updated device group.
To remedy the problem in the future, it is likely that AVM will decide, with an upcoming software version, to insert a checkbox shown when TIM (or Wind) is selected from the operator panel during router setup: the user can choose whether to allow the operator to read the diagnostic data of a device they own, and modify it if necessary to restore the connection, or whether to prevent autoconfiguration servers from reading and writing to the router. This is to prevent a similar mistake from being repeated in the future.