Internet Security Diagnostics: TR-069

Diagnostics / Security

TR-069 (short for Technical Report 069, also called the CPE WAN Management Protocol, CWMP) is a protocol for data exchange between a service provider's server and a customer's terminal device (the customer-premises equipment, CPE) connected to it. TR-069 is often used by broadband providers for the remote configuration of DSL routers.

Function

TR-069 takes care of the following tasks:

  • Autoconfiguration and dynamic service activation
  • Firmware management
  • Status and performance monitoring
  • Diagnostics and remote maintenance

Protocol description

Packet transport: TCP. TR-069 messages are SOAP remote procedure calls carried over HTTP (or HTTPS) on top of TCP.
Default port: The FRITZ!Box accepts TR-069 connection requests on TCP port 8089 by default. (The port registered with IANA for CWMP connection requests is 7547; the FRITZ!Box deviates from this, so a scanner looking only for 7547 will not find it.)

FRITZ!Box: TR-069

The FRITZ!Box supports the TR-069 protocol which enables secure automatic configuration of your Internet connection and Internet telephony. It also allows your service provider to automatically update FRITZ!OS.

FRITZ!Box: Port 8089

TCP port 8089 is opened on the FRITZ!Box if the Internet provider supports TR-069 and one or both of the following actions are permitted:

  • automatic configuration by the Internet provider
  • automatic updates

FRITZ!Boxes supplied by Internet providers are set so that the provider can perform the first configuration, install FRITZ!OS updates and conduct remote diagnostics.

Switching on and off access permission in the FRITZ!Box:

  1. Open the "Internet / Account Information" menu.
  2. Select the "Provider Services" tab.
  3. Switch permission for access on or off with the "Allow automatic configuration by the service provider" and "Allow automatic updates" settings.

How the FRITZ!Box is protected against attacks on port 8089

An auto-configuration server (ACS) and the FRITZ!Box interact as follows:

ACS: Your Internet service provider can initiate a connection between the FRITZ!Box and its ACS by contacting the FRITZ!Box via TCP port 8089 under a previously negotiated URI (Uniform Resource Identifier). This inbound request is only a trigger; it carries no configuration.

FRITZ!Box: As a rule, the FRITZ!Box does not answer such a request with any data. It only checks whether the request is valid (whether it matches the negotiated URI and credentials). No information is transferred from the FRITZ!Box to the ACS in this step, so an attacker who merely reaches port 8089 learns nothing about the device.

Only if the FRITZ!Box accepts the URI being used does it establish a new, encrypted connection to the provider's ACS. It is always the FRITZ!Box that initiates this connection, and it connects only to the ACS address it was configured with, never to whatever host sent the request.

In the case of an update, the FRITZ!Box only permits the installation of FRITZ!OS versions that were digitally signed by AVM.

ACS: The ACS of the service provider then transmits the respective data over this secure connection that the FRITZ!Box established.

This mechanism ensures the following:

  • It prevents anyone from accessing and reading data from the FRITZ!Box via TCP port 8089.
  • It ensures that the FRITZ!Box contacts only the ACS it already knows.
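The exchange and the two guarantees above, as an added example (this is a model written for this page, not AVM's FRITZ!OS code, which is not shown here). It implements the CPE side of a TR-069 connection request: an inbound HTTP GET on the connection-request port is accepted only if its path matches the negotiated URI and its HTTP Digest credentials verify; nothing about the device or the ACS is ever put into the reply; and the management session that follows is opened by the CPE itself, over HTTPS, and only to the ACS URL it was provisioned with. The request path, username, password, realm, nonce and ACS URL are constructed placeholders, not values of any real provider or device.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed CPE configuration: the path, credentials and ACS URL are
# illustrative assumptions for this example, not values of any real device
# or provider. In TR-069 they are provisioned into the CPE by the provider.
CPE_CONFIG = {
    "connection_request_path": "/cwmp/7b1e4d2a",     # previously negotiated URI
    "connection_request_username": "acs-user",
    "connection_request_password": "provisioned-secret",
    "acs_url": "https://acs.example-isp.net/cwmp",    # the ACS the CPE already knows
}


@dataclass
class ConnectionRequest:
    """An inbound HTTP request on the connection-request port (8089 on the FRITZ!Box)."""
    method: str
    path: str
    # Parsed fields of the HTTP "Authorization: Digest ..." header, or None if absent.
    authorization: Optional[dict] = None


def digest_response(username, password, realm, nonce, method, uri):
    """HTTP Digest (RFC 2617, without qop) response as used for TR-069 connection requests."""
    ha1 = hashlib.md5(f"{username}:{realm}:{password}".encode()).hexdigest()
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def handle_connection_request(req, cfg, realm, nonce):
    """Validate an inbound connection request.

    Returns (http_status, acs_url): acs_url is the address the CPE will itself
    contact next, or None. Nothing from the device goes into the reply, and the
    reply never reveals the ACS address, so a scanner hitting the port learns
    only that the port is open."""
    if req.method != "GET" or req.path != cfg["connection_request_path"]:
        return 404, None                # unknown URI: rejected, no session
    auth = req.authorization
    if auth is None:
        return 401, None                # answer with a Digest challenge only
    expected = digest_response(
        cfg["connection_request_username"], cfg["connection_request_password"],
        realm, nonce, "GET", req.path,
    )
    valid = (
        auth.get("username") == cfg["connection_request_username"]
        and auth.get("realm") == realm
        and auth.get("nonce") == nonce          # a replayed request has a stale nonce
        and auth.get("uri") == req.path
        and secrets.compare_digest(auth.get("response", ""), expected)
    )
    if not valid:
        return 401, None                # wrong credentials: rejected, no session
    # Accepted. The only effect is that the CPE opens its own outbound session.
    return 200, cfg["acs_url"]


def outbound_session_allowed(acs_url, cfg):
    """The CPE initiates the management session itself, over TLS, and only to
    the ACS URL it was provisioned with. Nothing in the inbound request (a Host
    header, a query parameter, the source address) can redirect it elsewhere."""
    return urlparse(acs_url).scheme == "https" and acs_url == cfg["acs_url"]


def build_inform(cfg, acs_url):
    """First message of the CPE-initiated session: an Inform RPC naming the
    event that triggered it. Only built for the configured ACS."""
    if not outbound_session_allowed(acs_url, cfg):
        raise ValueError("refusing to contact an ACS other than the configured one")
    return {"rpc": "Inform", "event": [{"EventCode": "6 CONNECTION REQUEST"}], "to": acs_url}


if __name__ == "__main__":
    realm, nonce = "cpe", secrets.token_hex(8)   # nonce is chosen fresh by the CPE
    path = CPE_CONFIG["connection_request_path"]
    # 1. A scanner finds the port but not the URI: dropped, nothing transferred.
    print(handle_connection_request(ConnectionRequest("GET", "/"), CPE_CONFIG, realm, nonce))
    # 2. Right URI, no credentials: challenged, still nothing transferred.
    print(handle_connection_request(ConnectionRequest("GET", path), CPE_CONFIG, realm, nonce))
    # 3. The genuine ACS: accepted, and the CPE now calls *its* configured ACS.
    auth = {"username": "acs-user", "realm": realm, "nonce": nonce, "uri": path,
            "response": digest_response("acs-user", CPE_CONFIG["connection_request_password"],
                                        realm, nonce, "GET", path)}
    status, target = handle_connection_request(ConnectionRequest("GET", path, auth),
                                               CPE_CONFIG, realm, nonce)
    print(status, build_inform(CPE_CONFIG, target))
```

The point the model makes concrete: the inbound side of port 8089 is a trigger with no payload and no response body, and the address the device subsequently talks to comes from its own configuration, not from the request. An attacker who can reach the port therefore gets at most a 401 or 404, and even a stolen connection-request credential only makes the device call its real ACS earlier than scheduled.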