undefined | Better HN

0 pointswhatwhaaaaat1y ago0 comments

Even if you buy your own modem they can push firmware to it (and do). The config file your modem downloads includes a cert that allows the isp to do this. You can flash special firmware (used to be called force ware) to prohibit this.

0 comments

akskakskaksk1y ago

Is it safe enough to buy a separate router and put the ISP modem on the "internet" side of it?

whatwhaaaaatOP1y ago

It depends. The tr069 managed devices are typically router wifi combo type devices. If you can get a dumb modem that would would likely remove any tr069 vulnerabilities.

The firmware on whatever is doing docsis is going to be updatable by the ISP generally.

Two different mechanisms. The tr069 management and snmp triggered firmware upgrade

jraph1y ago

I think the attack described in the article is still possible in this setting, where the modem is in the middle of your unencrypted http traffic. This is true of any equipment belonging to the isp

However, I would assume no unencrypted traffic is safe anyway, and the modem would indeed not have access to your internal network.

ipython1y ago

You're assuming DOCSIS. I'm on FTTP, where the demarcation point is a cat5 cable to my equipment. Granted, there could be chicanery on the optical terminal, but that still doesn't provide my ISP visibility into my internal network.

j / k navigate · click thread line to collapse