Story image

ISPs build backdoors into customer modems, creating security breach

30 May 17

Apparently, major internet service providers (ISPs) have been building back doors into modems sent to customers, which allows the companies' staff to access settings - but most importantly, it creates a gaping security hole.

The discovery alarmed a computer expert who contacted the New Zealand Herald, saying the remote access could provide a direct pathway to the contents of people's computers by employees of the company. This would make any sensitive and personal information stored on customers’ computers easily available to outside parties.

Leading major ISP Vodafone is one of the companies with a "back door" built into its modems. Spark has confirmed it also has built-in "remote access" in modems it supplies to customers.

The companies justify the back doors by saying that the ability for their staff to access modems remotely is a huge benefit to customers who struggle with the technical aspects of setting up and troubleshooting on their modems at home.

While this sounds reasonable enough, the capacity for the back door to be exploited by a rogue company employee was concerning.

The concerned computer expert, who has experience working on IT security with intelligence agencies, said he was concerned to find Vodafone had its own access to his modem.

When he contacted the company, he said he was told: "We just made this hole so we can get in."

"It looks like you're protected but they have remote access and it's very hidden,” says the expert.

He $300 on new equipment to block Vodafone's access, which Vodafone reimbursed him for, and raised his concerns with their security team.

He was told they were looking at installing an "opt-out" setting which would allow customers to block Vodafone's remote access.

A Spark spokesman said customers were not told of the company's ability to access their modems remotely until they asked for help.

"We only access the modem remotely when we are asked to by the customer,” he says.

The Spark employee was able to check to see if the modem worked, change settings, reboot the modem or set up Wifi.

"We will only do this once the agent has got verbal approval from the customer."

A Slingshot spokesman said the company did not have direct remote access in terms of changing settings, but was able to force updates of software or predetermined settings to a customer's modem.

The company alerted customers with a line in its terms and conditions saying it would "reserve the right to occasionally manage your modem".

Voyager owner Seeby Woodhouse said his company had remote access to the modems it sold to help customers.

"There is a potential security risk but there is a security risk in having people configure their own modems,” he says.

Woodhouse says that the increased threat from ransomware - which hijacked computers - and other online threats meant ISPs would likely seek greater access over time to improve security.

Royole's FlexPai: So bendable phablets are a reality now
A US-based firm called Royole is delivering on that age-old problem of not being able to fold up your devices (who hasn't ever wished they could fold their phone up...)
Hands-on review: Having fun in Knowledge is Power: Decades and Chimparty
They don’t revolutionise social video gaming, but they are enjoyable enough to occupy you during a wet weekend. 
Kiwis losing $24.7mil to scam calls every year
The losses are almost five times higher compared to the same period last year, from reported losses alone.
Tile's Mate & Pro Bluetooth trackers land in NZ
If your car keys (or your tablet) have disappeared into the void at the back of the couch or if you left them somewhere in your car, retracing your steps to find them could be a thing of the past.
Government still stuck in the past? Not on GovTech's watch
What exactly is GovTech and what’s been happening in our capital city?
"Is this for real?" The reality of fraud against New Zealanders
Is this for real? More often than not these days it can be hard to tell, and it’s okay to be a bit suspicious, especially when it comes to fraud.
Hands-on review: The iPhone Xs
The iPhone Xs is a win that brought numerous new and exciting features to the market.
How much does your Amazon Prime Video subscription really get you?
For our NZ$8.90 per month, the average cost per title is US$0.00126 - but we only really get a choice of 416 TV shows and 4321 movies. Choice is a little bit limited compared to other countries.