BT, Sky, PlusNet and TalkTalk routers (probably others as well) get firmware updates automatically also - it is very common.
You mention "seems a bit naughty if something can be done to my router without my knowledge." There are security loopholes discovered and identified all of the time, some so critical they can allow attackers remote access into your home network, from there they can run exploits against your machines... This can lead to compromise of data, e.g. usernames/passwords etc. Would you rather your ISP be able to remotely apply security patching and upgrading as required, or indeed prefer you are at risk and have full management of your device? Due to the security landscape, it makes sense for ISPs to be able to install updates remotely, but also, often times bugs are identified in routers down the line e.g. BT HomeHub 5s kept rebooting when Google Chromecasts were connected, here BT was able to remotely update the hubs to resolve the issue.
Honestly the ISPs are not trying to mess anything up or indeed breach your privacy, but instead keep things working and ensure you are secure.
Usually, where you one ISP router with another ISP (e,g. using a TalkTalk router on BT), it inhibits the security patching etc, so instead you may have got an update direct from the manufacturer. This is why it is not advisable to use one ISPs kit with another ISP. Where you use a third party product e.g. a Netgear router on Sky or BT, Netgear then push out security/bug fixes for the router... A BT router used on say Sky (after being cracked) may not get security updates from BT and with time become a greater and greater security risk (the retail versions are exceptions). Either use ISP supplied kit on the correct ISP, or get an off the shelf product from a reputable vendor such as Netgear, Cisco etc who is known to patch their products for security loopholes.
Edited by ukhardy07 (Sat 10-Feb-18 20:14:27)