FutureFive New Zealand - Consumer technology news & reviews from the future
Story image
ISPs build backdoors into customer modems, creating security breach
Tue, 30th May 2017
FYI, this story is more than a year old

Apparently, major internet service providers (ISPs) have been building back doors into modems sent to customers, which allows the companies' staff to access settings - but most importantly, it creates a gaping security hole.

The discovery alarmed a computer expert who contacted the New Zealand Herald, saying the remote access could provide a direct pathway to the contents of people's computers by employees of the company. This would make any sensitive and personal information stored on customers' computers easily available to outside parties.

Leading major ISP Vodafone is one of the companies with a "back door" built into its modems. Spark has confirmed it also has built-in "remote access" in modems it supplies to customers.

The companies justify the back doors by saying that the ability for their staff to access modems remotely is a huge benefit to customers who struggle with the technical aspects of setting up and troubleshooting on their modems at home.

While this sounds reasonable enough, the capacity for the back door to be exploited by a rogue company employee was concerning.

The concerned computer expert, who has experience working on IT security with intelligence agencies, said he was concerned to find Vodafone had its own access to his modem.

When he contacted the company, he said he was told: "We just made this hole so we can get in."

"It looks like you're protected but they have remote access and it's very hidden,” says the expert.

He $300 on new equipment to block Vodafone's access, which Vodafone reimbursed him for, and raised his concerns with their security team.

He was told they were looking at installing an "opt-out" setting which would allow customers to block Vodafone's remote access.

A Spark spokesman said customers were not told of the company's ability to access their modems remotely until they asked for help.

"We only access the modem remotely when we are asked to by the customer,” he says.

The Spark employee was able to check to see if the modem worked, change settings, reboot the modem or set up Wifi.

"We will only do this once the agent has got verbal approval from the customer."

A Slingshot spokesman said the company did not have direct remote access in terms of changing settings, but was able to force updates of software or predetermined settings to a customer's modem.

The company alerted customers with a line in its terms and conditions saying it would "reserve the right to occasionally manage your modem".

Voyager owner Seeby Woodhouse said his company had remote access to the modems it sold to help customers.

"There is a potential security risk but there is a security risk in having people configure their own modems,” he says.

Woodhouse says that the increased threat from ransomware - which hijacked computers - and other online threats meant ISPs would likely seek greater access over time to improve security.