The Department of Telecom (DoT) has issued new guidelines for Broadband and Internet service providers about vulnerabilities in the ADSL Modems that its concerns around national security.
According to the DoT, in recent past concerns have been raised about vulnerabilities in the ADSL Modems. These vulnerabilities can be exploited by attackers to implant malwares in modems, change configuration or manipulate data etc. Vulnerability in ADSL Modems needs to be addressed by all ISPs to the extent possible.
The Department of Telecom (DoT)'s guidelines for ADSL Modem :
- The ADSL Modems are presently supplied by vendors with default setup of user id & password as admin and admin respectively. The default password needs to be changed to a strong password by customer at the time of installation of modem at customer site, to avoid unauthorized access to modem. The ISP (Broadband service provider) executive visiting customer for installation of modem should ensure this. He should duly explain to customer, the process to change the password.
- The protocol ports in ADSL modem on WAN side (e.g. FTP, TELNET, SSH, HTTP, SNMP, CWMP, UPnP) be disabled. These ports may be used by the hackers to enter into the ADSL Modem to misuse/ compromise the ADSL Modems by way of implanting the malwares, changing the DNS entries in the modem.
- There should be mechanism to upgrade the firmware of the ADSL remotely by ISPs. For this ISP needs to have separate login password, which is not possible in the present system of ADSL Modem design. Ideally there should have been separate logins for modem for its LAN & WAN side.
- Since at present there is only one login for both LAN & WAN side in modems, which is to be kept by customer only, ISP should advise the customer to upgrade/ download the latest firmware & software of their modem by visiting the site of the manufacture's website or from their website in case of ISP supplied ADSL modems . This should be advised by the ISP at the time of installation and periodically disseminated by other means also to the customer like printing on bills, bill inserts etc.
- ISP should provide information about the website of manufactures on their website.
- The possibility of having separate user id & password for LAN & WAN should be explored with vendors for future supplies along with other necessary security features in ADSL Modems. The timeline for introduction of such ADSL modems will be decided separately, if needed.
- There is a reset button in every modem. Whenever it is operated, al configuration settings in ADSL Modem are reset to default factory settings, resulting the resetting of modem login & password to default admin & admin respectively. Customer should change the default password again to earlier password or any other new password. All customers should be made aware regarding this feature.
- Customer may be advised to switch off their ADSL Modem, when not in use.
DoT also told to all ISPs, that these instructions should be followed immediately for new Broadband / Internet customers and all existing customers should be communicated via phone or e-mail and ask the customer to change the password. The ISP will assist the customer to change the password including by physical visits. The above instructions should be complied with in 60 days.