Exclusive: DoT Issues Guidelines on ADSL Modems for Broadband Internet Access Security

The Department of Telecom (DoT) has issued new guidelines for broadband and Internet service providers about vulnerabilities in ADSL modems, in view of its concerns around national security.


According to the DoT, concerns have been raised in the recent past about vulnerabilities in ADSL modems. Attackers can exploit these vulnerabilities to implant malware in modems, change their configuration, manipulate data and so on. All ISPs need to address vulnerabilities in ADSL modems to the extent possible.

The Department of Telecom (DoT)'s guidelines for ADSL modems:

  • ADSL modems are presently supplied by vendors with a default user id and password of admin and admin respectively. The customer needs to change the default password to a strong password when the modem is installed at the customer site, to avoid unauthorized access to the modem. The ISP (broadband service provider) executive visiting the customer to install the modem should ensure this, and should duly explain to the customer the process for changing the password.
  • The protocol ports on the WAN side of the ADSL modem (e.g. FTP, TELNET, SSH, HTTP, SNMP, CWMP, UPnP) should be disabled. Attackers may use these ports to gain access to the ADSL modem and misuse or compromise it, for example by implanting malware or changing the DNS entries in the modem.
  • There should be a mechanism for ISPs to upgrade the firmware of the ADSL modem remotely. For this, the ISP needs a separate login password, which is not possible with the present ADSL modem design. Ideally, the modem should have had separate logins for its LAN and WAN sides.
  • Since at present there is only one login for both the LAN and WAN sides of the modem, which is to be kept by the customer only, the ISP should advise the customer to download and upgrade to the latest firmware and software for their modem from the manufacturer's website, or from the ISP's website in the case of ISP-supplied ADSL modems. The ISP should give this advice at the time of installation and also disseminate it to the customer periodically by other means, such as printing on bills, bill inserts etc.
  • ISPs should provide information about manufacturers' websites on their own website.
  • The possibility of having separate user ids and passwords for LAN and WAN should be explored with vendors for future supplies, along with other necessary security features in ADSL modems. The timeline for the introduction of such ADSL modems will be decided separately, if needed.
  • There is a reset button on every modem. Whenever it is operated, all configuration settings in the ADSL modem are reset to factory defaults, which resets the modem login and password to the default admin and admin respectively. The customer should then change the default password again, either to the earlier password or to a new one. All customers should be made aware of this feature.
  • Customers may be advised to switch off their ADSL modem when not in use.

The DoT also told all ISPs that these instructions should be followed immediately for new broadband/Internet customers, and that all existing customers should be contacted via phone or e-mail and asked to change the password. The ISP will assist the customer in changing the password, including through physical visits. The above instructions should be complied with in 60 days.


  • Rahul March 14, 2014 9:59 pm

    I doubt that mtnl aunties know the reset button !!

  • Ganesh March 14, 2014 8:01 pm

    I strongly oppose the feature which allows a remote party to upgrade my firmware or change any setting in my modem. It’s my modem, I should be the one who should be upgrading the firmware whenever I want. The WAN login feature is nothing but a grave security risk! This should NEVER be implemented! Ever!

  • Biswadeep March 14, 2014 9:47 am

    Remote Support ?
    I want to see how BSNL & MTNL provide that when they cannot even provide direct support properly :D

  • Sudhakar March 13, 2014 9:00 pm

    These guidelines are already followed by expert users and corporates. So no need to worry on this.

  • Firstonnet March 13, 2014 7:13 pm

    I hope almost both the PSU operators are following these norms since long time, it's preferably for private operators who are not giving proper support after the sales of products or plan to the user. Almost all the linemen are aware about this and every time they suggest to user to change their default password into strong password and also to switch off the modem when not in use, almost every MTNL & BSNL user already follow these rules. Nothing is new for our PSU subscribers.

  • Ashish Dung Dung March 13, 2014 7:04 pm

    I don’t think ISPs would be able to implement these things so soon, problem is with people here in India, they are so unaware about everything, and really ignorant, they mostly don’t care at all about how things work, they just intend to use things.