Talktalk (and many other smaller ISP's) do not implement ACLs, without restricting the source of device management, the protocol will allow access to anyone with the correct credentials, hence the 'astonishment' at Talktalk forcing a credential reset to default, thereby making any of their routers where the end user has changed the default credentials 'to improve security' immediately vulnerable.
Some aftermarket routers and modems have vulnerabilities, use Shodan to check yours.
The specific vulnerability is the implementation of NTP as a command rather than a protocol, simply fixing this will not make the device secure, just less vulnerable.
Additionally, some routers / modems expose TR-064 to the WAN interface, only TR-069 traffic should be accepted (with auth.) on the WAN, it is possible on some devices for TR-064 to listen on the WAN for traffic. This should not happen. It is also possible for TR-064 to accept commands without authentication, the specification says it should always be authenticated - clearly not all manufacturers follow the specification.
Edited by 10forcash (Wed 07-Dec-16 22:59:24)