Paper title

Watching the Weak Link into Your Home: An Inspection and Monitoring Toolkit for TR-069

Paper authors

Maximilian Hils, Rainer Böhme

Paper abstract

TR-069 is a standard for the remote management of end-user devices by service providers. Despite being implemented in nearly a billion devices, almost no research has been published on the security and privacy aspects of TR-069. The first contribution of this paper is a study of the TR-069 ecosystem and techniques to inspect TR-069 communication. We find that the majority of analyzed providers do not use recommended security measures, such as TLS. Second, we present a TR-069 honeyclient to both analyze TR-069 behavior of providers and test configuration servers for security vulnerabilities. We find that popular open-source configuration servers use insecure methods to authenticate clients. TR-069 implementations based on these servers expose, for instance, their users' internet telephony credentials. Third, we develop components for a distributed system to continuously monitor activities in providers' TR-069 deployments. Our setup consists of inexpensive hardware sensors deployed on customer premises and centralized log collectors. We perform real-world measurements and find that the purported security benefits of TR-069 are not realized as providers' firmware update processes are lacking.
