Disable TR-069 on a Fritz!Box and check if that was successful – translated from a post by Hartmut Goebel
Posted by jpluimers on 2016/11/29
Just in case you got scared by the TR-064 hack and its likely link to yesterday's German Telekom ISP outage (some modems expose TR-064 via the TR-069 WAN access), here is how to disable TR-069 on your Fritz!Box: [WayBack] TR-069 auf Fritzbox ausschalten und Ergebnis prüfen — Hartmut Goebel · CISSP, CSSLP · Berater für Information-Security-Management
Note that on a Fritz!Box the TR-069 implementation is not as bad as on some Speedport devices used by Telekom, but you might still want to consider turning TR-069 off.
If you trust yourself to keep the Fritz!Box firmware *and* settings up-to-date better than your ISP does, below are the translated steps.
Steps to disable TR-069 on a Fritz!Box router
- Activate `telnetd` on your Fritz!Box via a connected phone by dialing `#96*7*`
- Connect to your Fritz!Box over telnet using `telnet fritz.box`
  - instead of `fritz.box`, you can use the IP address of your Fritz!Box device
  - the password is the same as the password in the Fritz!Box web interface
- Disable TR-069 by typing this command: `ctlmgr_ctl w tr069 settings/enabled 0`
- Verify that TR-069 is off by looking at the configuration file with this command: `cat /var/flash/tr069.cfg`
  - Check that at the start there is a line with `enabled = no`
- Disable `telnetd` on your Fritz!Box via a connected phone by dialing `#96*8*`
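A scripted version of the verification step above, as an added example that is not part of the original post: it classifies saved `tr069.cfg` text and treats a missing `enabled` line as unverified rather than as off. The function name, the 20-line window for "at the start", the sample file layout and the optional trailing semicolon are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).
# Reads tr069.cfg text on stdin and prints "disabled", "enabled" or "unknown".
# Returns 0 only when an "enabled = no" line is found near the start.
tr069_state() {
    # tr strips the carriage returns that a capture of a telnet session contains;
    # head limits the search to the start of the file (20 lines is an assumption).
    state=$(tr -d '\r' | head -n 20 | awk '
        /^[ \t]*enabled[ \t]*=/ {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)   # drop the "enabled =" part
            sub(/[ \t;]*$/, "", v)        # drop trailing blanks and an optional ";"
            print (v == "no" ? "disabled" : "enabled")
            found = 1
            exit
        }
        END { if (!found) print "unknown" }')
    echo "$state"
    [ "$state" = "disabled" ]
}

# Constructed sample inputs. The layout is an assumption; the post only says
# that a line "enabled = no" appears at the start of the file.
SAMPLE_OFF='tr069cfg {
        enabled = no;
}'
# Same layout with TR-069 still on and CRLF line endings, as in a pasted capture.
SAMPLE_ON_CRLF=$(printf 'tr069cfg {\r\n        enabled = yes;\r\n}\r\n')

# Demonstration on the constructed samples.
printf '%s\n' "$SAMPLE_OFF" | tr069_state || echo "TR-069 not confirmed off"
printf '%s\n' "$SAMPLE_ON_CRLF" | tr069_state || echo "TR-069 not confirmed off"
```

To use it on a real device, save the output of the `cat` command from the steps above to a file and pass that file to `tr069_state` on stdin.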
Note that even without a phone you can enable/disable `telnetd` as described in [WayBack] FRITZ!Box VoIP password extraction
–jeroen
References:
- [WayBack] Spekulation: Angriffe auf TR069 mit shell co… | Forum – heise online
- [WayBack] TR069 -> NTP -> Binary Injection … via [WayBack] TR069 -> NTP -> Binary Injection … – Kristian Köhntopp – Google+
- [WayBack] Eir D1000 Wireless Router – WAN Side Remote Command Injection (Metasploit). Remote exploit for Linux_MIPS platform.
- [WayBack] ‘Mirai bots’ cyber-blitz 1m German broadband routers – and your ISP could be next • The Register
- [WayBack] Störung Internet Zugang – behind this non-descriptive title are updates for Speedport routers used by the German Telekom ISP
- [WayBack] A few words to the current DSL router disaster: We brought this onto ourselves. The problem is due to laziness. It is not caused by technological difficulties… – Martin Seeger – Google+, via [WayBack] A few words to the current DSL router disaster … – Kristian Köhntopp – Google+
- [WayBack] Newly discovered router flaw being hammered by in-the-wild attacks | Ars Technica
Goran said
Telnet is no longer available.
jpluimers said
Thanks for the tip. It looks like they’ve disabled this in some versions, but not the one on my 7340 that I tested this with. Thanks for the tip.
https://en.avm.de/service/fritzbox/fritzbox-7490/knowledge-base/publication/show/1635_Access-to-the-FRITZ-Box-via-Telnet-is-not-supported/