Page 1 of 1

Disabling TR-069

Posted: Thu Sep 06, 2018 9:17 am
by MajorWedgie
I want to disable TR-069 in my exetel provided ZTE modem because I do not trust it.

Can this be done? If so how? What are the ramifications?

Re: Disabling TR-069

Posted: Thu Sep 06, 2018 11:04 pm
by KavindaS
MajorWedgie wrote:
Thu Sep 06, 2018 9:17 am
I want to disable TR-069 in my exetel provided ZTE modem because I do not trust it.

Can this be done? If so how? What are the ramifications?

By having the TR-069 configurations, Exetel technical support can do the configuration to your modem, whenever an issue occurred or it requires troubleshooting. By removing the configurations, we will not be able to remotely support and you need to do the suggested troubleshooting or configurations by your own.

To disable the TR-069 function, follow the below suggestions and refer for additional information of this.

On the main page of the ZXHN H268A, select Management & Diagnosis > TR-069 to open the Basic Configuration page.

Remove the details in the added fields and save.

Re: Disabling TR-069

Posted: Sat Sep 08, 2018 3:42 pm
by MajorWedgie
and does TR-069 allow you into my network?

Re: Disabling TR-069

Posted: Sat Sep 08, 2018 5:29 pm
by shehanw
TR 069 only allows us in to your modem to make changes if required in the event of troubleshooting any faults. However, it does not allow us to make any changes to your local network or devices that are connected.

Re: Disabling TR-069

Posted: Tue Nov 27, 2018 2:42 pm
by tin
Just adding for anyone else that comes across this... TR-069 allows for remote configuration changes to the device. Like any remote access, this is helpful for support... But does create a security risk (even if it's low).

TR-069 allows the settings to be changed, and firmware to be updated. Again, this is great for ISPs wanting to idiot-proof the settings, but highly dangerous if an attacker finds a way to push the changes out. DNS can be pointed to rogue servers that could result in malware being pushed to clients. Firmware could be updated to a version with an SSH back door.

Up to the end user, in the end. If you know how to configure a modem, turn it off. If you're someone that needs the ISP support to do it, keep it on.

Re: Disabling TR-069

Posted: Wed Mar 06, 2019 10:25 pm
by aussierod
The steps provided by KavindaS don't actually block 7547 port.

Steps to block (stealth) the port are on my blog.
https://rodneystevens.com/tr-069-how-to ... zte-modem/

Re: Disabling TR-069

Posted: Wed Mar 06, 2019 10:58 pm
by KavindaS
Hi All,

Thank you for sharing some additional information here, since we have received limited information from the modem support, comparing to what has been shared here.

Re: Disabling TR-069

Posted: Sat Mar 09, 2019 12:50 am
by Franpa
If the Service List option wasn't grayed out in the default configuration, we could simplify these steps https://rodneystevens.com/tr-069-how-to ... zte-modem/ to the following:

1) Make sure you have your Exetel VDSL password handy. (note: VoIP password is different)
2) Back up the default Exetel ZTE modem settings to a safe place.
3) Navigate to the following place: Internet (tab) >> WAN >> DSL Connection >> expand Exetel_VDSL (see attached picture to see what page you should be looking at).
4) Delete the contents of Service List (the stuff in the red rectangle) and click Apply (currently this box is grayed out in the default configuration and can't be changed).
5) Management & Diagnoses (tab) >> TR-069 >> Delete everything here and click Apply.

But as is, you have to duplicate the configuration to be able to delete the contents of Service List...