Technical Report 069 (TR-069) is a document by the Broadband Forum that specifies the CPE WAN Management Protocol (CWMP).
CWMP is a SOAP-based protocol for communication between an internet service provider auto configuration server (ACS) and customer-premises equipment (CPE).
Features include auto-configuration, firmware image management, status and performance monitoring, and diagnostics.
Examples of CPE types include modems, routers, gateways, set-top boxes, and VoIP phones.
Orders sent between the device (CPE) and auto configuration server (ACS) are transported over HTTP (or more frequently HTTPS).
Additionally, if authentication is required for security reasons, data such as the username and the password need to be provided.
If the value is false, the initialization stage is followed by the transmission of device requests; otherwise, ACS orders are transmitted first.
This stage (and the whole provisioning session) is terminated by an empty HTTP response from the ACS, indicating that no more orders are pending.
The identity of the device is verified based on a shared secret (password) at the HTTP level.
The ACS requests a connection from the device by visiting a negotiated URL and performing HTTP Authentication.
The CWMP protocol also defines a mechanism for reaching devices that are connected behind NAT (e.g. IP phones, set-top boxes).
The model is always rooted in the single key named Device or InternetGatewayDevice depending on the manufacturer's choice.
For example, if an object represents four physical ports on an Ethernet switch, then it should not be possible to add or remove them from the data model.
Even though values such as 'bg' or 'b/g' are not legal according to the Broadband Forum standards, they are very commonly found in device data models.
Customer information and device operation would be available to potential attackers, including other MAC addresses on the client's networks.
[7] Flaws in combined implementations of TR-064 (LAN side DSL CPE configuration) and TR-069 (CWMP) that reused the same HTTP endpoint over the public internet for Connection Requests without proper protections were found in devices from various vendors and are exploited by Mirai-based botnets and other malware.
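The following is an added example, not code from TR-069 or from any vendor, of a CPE-side check for the Connection Request described above that also addresses the shared-endpoint flaw: the listener answers only an authenticated GET to the negotiated URL and processes nothing else. It assumes HTTP Digest authentication (RFC 2617, MD5, qop=auth); the realm, credentials, path and function names are constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed sample values (assumptions, not taken from any real device).
REALM, USERNAME, PASSWORD = "cwmp-connreq", "acs-user", "example-shared-secret"
CONNREQ_PATH = "/connreq/3f9a1c"  # path of the negotiated Connection Request URL
REQUIRED = {"username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce"}


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def parse_digest_header(header):
    """Split an 'Authorization: Digest ...' value into a dict, or return None."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key: quoted or bare for key, quoted, bare in pairs}


def expected_response(method, f):
    """RFC 2617 qop=auth response: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = md5_hex(f"{USERNAME}:{REALM}:{PASSWORD}")
    ha2 = md5_hex(f"{method}:{f['uri']}")
    return md5_hex(f"{ha1}:{f['nonce']}:{f['nc']}:{f['cnonce']}:auth:{ha2}")


def check_connection_request(method, path, auth_header, issued_nonces, seen):
    """Return the HTTP status the CPE listener should answer with."""
    if path != CONNREQ_PATH:
        return 404  # only the negotiated URL exists on this listener
    if method != "GET":
        return 405  # no SOAP or other POST bodies are processed here
    f = parse_digest_header(auth_header or "")
    if not f or not REQUIRED <= f.keys():
        return 401  # unauthenticated: answer with a Digest challenge
    if (f["username"], f["realm"], f["qop"], f["uri"]) != (USERNAME, REALM, "auth", path):
        return 401
    if f["nonce"] not in issued_nonces or (f["nonce"], f["nc"]) in seen:
        return 401  # nonce was not issued by this CPE, or the request is a replay
    want, got = expected_response(method, f), f["response"].lower()
    if not hmac.compare_digest(want.encode(), got.encode()):
        return 401  # wrong shared secret
    seen.add((f["nonce"], f["nc"]))
    return 200  # authenticated: the CPE may now open a session to the ACS
```

The caller keeps `issued_nonces` (nonces it sent in 401 challenges) and `seen` (nonce and counter pairs already accepted) between requests and should expire both after a short time.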