TR-069 with Routers – Informing Isn’t Always Best

April 5, 2015

So I first came interested into “router hacking” in the past few weeks, I’m going to have future posts on my findings because it’s such an interesting area that I don’t think enough people look at. I first started getting interested in analysing routers and dissecting the inner workings of them when I was watching a DEFCON 22 talk on the TR-069 protocol. If anyone hasn’t seen it, I have it below. The TR-069 protocol allows your ISP to interact with your CPE (Customer Premises Equipment), essentially your router. One of the big things it’s used for is upgrading your firmware on your router, can we see something wrong with that?

What struck me was the silent update of firmware. I can tell all UK residents, all major ISP’s use TR-069 for firmware upgrades and most do not use SSL, straight up plain text. That’s right, on my ISP (which I will not name ;)), all TR-069 requests are done via HTTP. I had some fun with TR-069, but as the speaker says in the video, there isn’t too much on it. A lot of the content available for TR-069 on the internet is specification based, but misses vital information that users may need and so wasn’t the most forgiving thing. I got requests working from the TR-069 server from my ISP, but was unable to retrieve a firmware image from the ISP.



Winning at TR-069. TBH, this is what you see when you enter nothing.

The first reason I can think of why they do not wish anyone to view the firmware is security, there are a lot of vulnerabilities in various pieces of firmware, well documented around the internet. Routers are basically the father of the IoT, the opening of what seems to look like a security apocalypse in my view. Silently updating any machine is a scary thought, especially when it’s in conjunction with hardware, software on the other hand that silently updates has constant watch from AV’s or other security features of an operating system.

The TR-069 feature on my router has some very simple features such as login credentials, one thing to notice is that the password field is pre-filled out. The defense towards this thing is pretty trivial, you could just simply edit the HTML form to send the data to another site or just simply edit the URL that’s nicely pre-filled for you. The periodic inform was set to 24 hours, my ISP TR-069 server will have a callback from my router, among others informing back. The periodic inform is set to 1 minute as I was debugging it with my own make shift ACS server (totally not a single PHP script). I have TR-069 disabled on my router now, I don’t like the idea of informing my ISP.


That’s a scary thought when you look at what can be included in commands for TR-069. Looking at this document on page 95 you can see that the ACS can ask CPE’s (Customer Premises Equipment) to download firmware, you look further down the page and there’s various parameters, I’ve checked the document a few times but found no hash checking or any sort of validation that the file you received is the file you originally was asked to download. I think we can all understand where I’m coming from here, it’s not too far fetched either. I know, I know, it’s relatively easy for me to say SPY AGENCIES EVERYWHERE. But it has potential, routers are the gateway to our internet, every device we use that uses our internet will feed back to this single machine. To me, I see that as a great attack vector for agencies, especially when ISP’s give beta programs to firmware upgrades.

Looking at this page we can see potential targets for MiTM attacks, BT being the largest ISP. It seems with BT, they have implemented SSL (congrats, you are part of a select group of ISP’s who have a brain). Potentially SSLstrip could be used against this so that HTTPS would be reverted to HTTP, but even if HTTPS was forced upon the user with no option, why not just get the ISP to do it?

It seems like a few months back everyone was a bit paranoid like me and didn’t seem to like the idea of TR-069. And someone responded with this on reddit.


There’s a big difference between having functionality to download firmware for the increase of security and having functionality that downloads firmware which can decrease security. Not even being asked whether you would like CWMP enabled on your router is a start, in the UK you can be asked if you wish to have a parental lock on questionable material. This is something I’d like to see be implemented easily for when you first setup your router (not many people go into the router gateway), the ability to change the periodic inform would be nice too.

I thought I would have a further look into the protocol in question and decided to, much like the dude in the video, have a go at some requests. I didn’t get very far, but I got some basic information which I think is fairly important. The information obviously is different with every single device and the specification of the ISP, but I thought I’d look into it, I was genuinely interested to see what information was given away, at least, the initial part anyway. So from one of the previous pictures we saw I changed my CWMP URL from my ISP’s to an internal IP so that I could now read what my router was sending to my ISP (remember there’s more commands to pull more information, just an initial request.)


I used a simple PHP script to grab the headers and the data it would be sending. Here’s what it looked like:

foreach (getallheaders() as $name => $value) {
$fp = fopen(‘data.txt’, ‘a’);
fwrite($fp, $name.”-“.$value.”\r\n”);
$f = file_get_contents(“php://input”);
$fp = fopen(‘ivegotmydatazz.txt’, ‘a’);
fwrite($fp, $gets.”\r\n”);
fwrite($fp, $f.”\r\n”);


This will be basically grabbing anything that it will be trying to send, I would then log it down and review it later. The first things it would sent would be about your device.

<Manufacturer>Huawei Technologies Co., Ltd.</Manufacturer>

Pretty simple to see from this request. What manufacturer this device was from, the specific product model and the serial number. The serial number to me doesn’t really need to specified at all. The serial number can be a way of uniquely tracking you.  The next interesting part is what it sends in the device summary;so it gives a time (which is 2000, apparently to my router), your hardware version and your firmware version and then we get to the end of the device summary.

<Value xsi:type=”xsd:string”>http://[IP]:7547/pinqobnfibxbs</Value>
<Value xsi:type=”xsd:string”>[IP]</Value>

Another great way we can track, correlating the external IP and the serial number will mean anything you access with your IP within 24 hours can be pointed to you. Something you may want to look at when you have CWMP enabled on your router. As well we have a connection request URL, which has the port and URI randomised everytime. In another post I’ll be looking into firmware of routers and other devices and wanted to show a protocol for routers first.

I personally have disabled CWMP and think many should too, while I understand the technical frustrations an ISP may of had when asking a user to update their firmware, that does not really excuse, for me some of the information provided back to the server and the amount of time it’s given. As a person interested in technology it’s easier for me to snub my nose at this feature of a router and many would defend it as a triumph. But I, as do many, will always feel paranoid of such a feature within a router.

April 5, 2015 @ 3:49 pm


I wrote that comment on reddit.

The original context was “what’s this process called ‘agent’ on my router? How dare my ISP (who, er, supply and manage the router) run it!”

As I recall, there wasn’t any real discussion of the security in TR-069. I’m disappointed – but not particularly surprised – to learn that most ISPs haven’t really bothered with security.

AFAICT security in IT remains a bit of a joke even in the post-Snowden era; we have all these clever things we can do with SSL but as often as not we cripple security with poor processes that simply don’t lend themselves to end-to-end encryption.

    April 5, 2015 @ 8:06 pm

    Did not expect the person to write that to see the article! You’re completely correct, the security is there, but the implementation is lacking and that’s what worries me. Why do they not use SSL or other technologies. I got that image because of the BT snoop article.


April 6, 2015 @ 6:17 pm

There is exactly same issue with Verizon in US. I’m their customer. They have port 4321 open to everyone and the whole service running on this port is unknown and it responds to all incoming IPs and just needs a username and password. But I’m sure there is other ways to bypass this authentication mechanism.

Anyway, I tried to put a firewall in front of my router that came with Verizon, but they rejected it and they didn’t let me do it.
I asked them to disable my port, they rejected it.
I tried to do it myself from router configuration, it’s impossible.
So you are very lucky to have ability to disable it.

    April 9, 2015 @ 7:50 pm

    Look to see if you have a TR-069 module included on the router 🙂

April 11, 2015 @ 7:58 pm

I have a question, how do you find that TR-069 part in your router web management page? Is it just commented out HTML code, and if so, where? I have an Arcadyan router, they should be using TR-069 as well.

    April 12, 2015 @ 8:53 am

    Every router is different, look for an advanced section with anything called CWMP. That’s what they usually call it. CWMP.


Leave a Reply

Your email address will not be published. Required fields are marked *