Standard User kitcat
(fountain of knowledge) Fri 07-Oct-22 20:26:39
CPE security: Why do providers lock down devices

Thought about putting this in the security section but the issues are often raised in this section when looking at the ONTs provided by operators and locked down modems/routers.

Ofcom have published some draft guidance for Communications providers arising out of a draft Government Telecommunications security document.

This may explain to some people why some ISPs provide locked down routers and why ONTs are not (easily) replaced by ONTs of the customer's choice.

The relevant section appears to be 3.31-3.39

The document is an interesting read for the nerds among us and also explains why some VOIP systems are more restrictive on CPE than others (large providers 'digital voice' offerings) due to which Tier they are in for the implementation of the regulations.
Standard User AndyPandy
(fountain of knowledge) Sun 09-Oct-22 10:42:24
Re: CPE security: Why do providers lock down devices
[re: kitcat]

This seems to be talking about default configuration of the CPE as delivered by the provider, and specifically calls out that it doesn't cover changes made by the end user.

It makes sense from a security perspective, but doesn't suggest any locking down of the equipment.


Hey!Broadband 1Gb Fibre
Asus AC86U - Asuswrt Merlin
Standard User gorebrush
(learned) Tue 11-Oct-22 09:52:46
Re: CPE security: Why do providers lock down devices
[re: kitcat]

In general you will find that most customers are not all that tech-savvy and overloading them with all the bells and whistles would be counter-intuitive to support.

ONTs being locked down - I assume you are referring to serial numbers? This is to prevent other subscribers from seeing your traffic. Ultimately in an xPON setup, you are using shared media.

Standard User j0hn83
(knowledge is power) Tue 11-Oct-22 11:09:33
Re: CPE security: Why do providers lock down devices
[re: gorebrush]

In reply to a post by gorebrush:
ONTs being locked down - I assume you are referring to serial numbers? This is to prevent other subscribers from seeing your traffic. Ultimately in an xPON setup, you are using shared media.


I don't think the Openreach ONTs being locked has anything to do with it being shared medium.
The ONTs are no more secure by having their WebUI stripped.
After all the serial number is on a sticker on the rear of the device and not hidden in some setting in the locked down ONT.

Openreach also locked down every single VDSL2 and G.Fast modem they provided which are point to point devices.

Anyone can see the serial number of every Openreach ONT in the country via a particular provider's broadband availability checker.

Edit: This appears to have been fixed by the provider in question.
Edit again: no they haven't

Your 1st sentence nailed it

In general you will find that most customers are not all that tech-savvy and overloading them with all the bells and whistles would be counter-intuitive to support.


If the modems/ONTs weren't locked then providers would have many more calls querying much of the info contained within their WebUIs, such as error counts and signal levels.

Edited by j0hn83 (Tue 11-Oct-22 11:29:42)

Standard User candlerb
(knowledge is power) Tue 11-Oct-22 12:26:26
Re: CPE security: Why do providers lock down devices
[re: j0hn83]

In reply to a post by j0hn83:
I don't think the Openreach ONTs being locked has anything to do with it being shared medium.
The ONTs are no more secure by having their WebUI stripped.

They don't have a web UI at all, because they are not layer 3 devices. They don't even have an IP address.

In reply to a post by j0hn83:
After all the serial number is on a sticker on the rear of the device

Yes, but it's hard for someone who is outside of your house to get the serial number.

The security of a PON network is somewhat laughable, but here's how it works:

* The ONT thinks of a random key
* The ONT sends this random key *in plain text* (!) in a control frame to the OLT
* The OLT starts using this key when communicating with that particular ONT, until the ONT next requests a key change

This security relies on two things:

* Light which travels upstream through the splitter mostly goes straight on. Very little is reflected back to the other client ports on the splitter, so you'd either need to intercept it at the splitter itself, or have very sensitive equipment on a different splitter port.
* Transmit and receive are on different wavelengths, which are physically split inside the ONT, so an off-the-shelf ONT is incapable of receiving the transmissions of another ONT.

These two points mean that you can't just use a firmware hack on an ONT to sniff the transmissions of another ONT on the same PON (including the encryption key). You'd have to have specialised equipment.

However, you can also assume that if anyone wants to hack your connection badly enough, they won't need to take over a neighbour's house to do it, or to enter the footway box to physically access the splitter - they will have the capability to do it at the exchange anyway.
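
A toy model of the key exchange described in the post above, added here as an illustration and not written by any poster in this thread. The cipher is a SHA-256 keystream stand-in rather than the real PON cipher, and the class, function and ONT names are made up for the example.

```python
import hashlib
import secrets

def keystream_xor(key: bytes, counter: int, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 keystream); a stand-in, not the real PON cipher."""
    stream = bytearray()
    block = 0
    while len(stream) < len(data):
        seed = key + counter.to_bytes(8, "big") + block.to_bytes(4, "big")
        stream += hashlib.sha256(seed).digest()
        block += 1
    return bytes(d ^ s for d, s in zip(data, stream))

class Pon:
    """One OLT and its ONTs behind a passive splitter (hypothetical model)."""
    def __init__(self):
        self.olt_keys = {}    # ONT id -> key the OLT currently uses
        self.upstream = []    # travels towards the OLT only
        self.downstream = []  # broadcast to every splitter port

    def ont_key_update(self, ont_id: str) -> bytes:
        key = secrets.token_bytes(16)               # the ONT thinks of a random key
        self.upstream.append(("KEY", ont_id, key))  # control frame, plain text
        self.olt_keys[ont_id] = key                 # OLT starts using this key
        return key

    def olt_send(self, ont_id: str, counter: int, payload: bytes) -> None:
        ct = keystream_xor(self.olt_keys[ont_id], counter, payload)
        self.downstream.append((ont_id, counter, ct))

def decrypt_visible(downstream, keys):
    """Payloads an observer of the broadcast can read with the keys it holds."""
    return [(ont, keystream_xor(keys[ont], ctr, ct))
            for ont, ctr, ct in downstream if ont in keys]

def keys_in_upstream(upstream):
    """Latest key per ONT as carried in the plain-text control frames."""
    return {ont: key for kind, ont, key in upstream if kind == "KEY"}

def demo():
    pon = Pon()
    pon.ont_key_update("ONT-A")
    key_b = pon.ont_key_update("ONT-B")
    pon.olt_send("ONT-A", 1, b"for A")   # constructed sample payloads
    pon.olt_send("ONT-B", 2, b"for B")
    # Off-the-shelf ONT-B: receives the whole broadcast, holds only its own key.
    ont_b = decrypt_visible(pon.downstream, {"ONT-B": key_b})
    # Whoever can see upstream (the OLT end, per the post) holds every key.
    olt_end = decrypt_visible(pon.downstream, keys_in_upstream(pon.upstream))
    return ont_b, olt_end
```

In this model the only thing separating ONT-B's view from the OLT end's view is visibility of the upstream direction, which is the physical property the two bullet points in the post rely on.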
Standard User j0hn83
(knowledge is power) Tue 11-Oct-22 12:35:56
Re: CPE security: Why do providers lock down devices
[re: candlerb]

They don't have a web UI at all, because they are not layer 3 devices. They don't even have an IP address.


The non-Openreach generic Huawei models certainly do. I'd expect the Nokia ONTs to be the same.

In reply to a post by candlerb:
Yes, but it's hard for someone who is outside of your house to get the serial number.


That's the thing... It isn't.
I can tell you the serial number for almost every Openreach ONT in the country, including if it's a 1 or 4 port ONT, database errors being the only exclusion.
Standard User candlerb
(knowledge is power) Tue 11-Oct-22 12:49:46
Re: CPE security: Why do providers lock down devices
[re: j0hn83]

But is that public information, or is it via privileged access to systems? If I had access to the DVLA computer, I'd be able to tell you the registered owner of a vehicle given their licence plate - but that doesn't make it public.

As for not providing local management access to the ONT: I suspect the real reason is to prevent spurious support calls for ISPs and Openreach. "My ONT says the noise margin is only 2dBm!" "Is your service working?" "Yes, but my noise margin should be more than 2dBm!" "Please go away".

If you can detect transmission errors (e.g. via packet loss) then you'll need to escalate this to the ISP anyway, and then the ISP can check all the ONT status remotely.
Standard User j0hn83
(knowledge is power) Tue 11-Oct-22 12:57:05
Re: CPE security: Why do providers lock down devices
[re: candlerb]

Publicly available. A large provider's availability checker discloses it all. It has done for a couple years at least.
I don't need to break in to your house. Your door number will do.
Standard User candlerb
(knowledge is power) Tue 11-Oct-22 13:18:34
Print Post

Re: CPE security: Why do providers lock down devices


[re: j0hn83] [link to this post]
 
Ergh :(