See also http://www.ispreview.co.uk/index.php/2013/12/confusion-alleg...
In a nutshell, some ISPs will effectively hijack publicly routable ranges for internal use if they know that there's no way those addresses will ever be used for real public services. In this case, a UK ISP is re-using the US DoD's 30.0.0.0/8 network. Anecdotally I've heard the inverse is also true (US ISPs use UK MoD ranges).
All the MAC addresses associated with the network.
The username/password to my router.
All the names of the computers associated with the network.
My WPS pin.
My SSID name.
My WPA2 Password.
My old WEP Password.
How long each computer has been on the network.
Amongst other things.
It was pretty scary. Luckily I have root on the device; TR-069 is no longer alive.
The BTAgent is there to manage the devices - e.g. updating them. It's possible that some stats are there to improve line quality as well. To me that seems a reasonable tradeoff, and if I wasn't happy with it then it is always possible to use your own piece of CPE.
The other point is that the interface that BTAgent runs on isn't exposed to the internet, it is only available from the management network, so someone obtaining the keys for BTAgent would also have to compromise the management network - at which point BT has bigger problems!
It's not mentioned in the article, but I'm not aware of a DSL provider in North America NOT using TR-69 to remotely manage the routers given to customers. To properly support customers, you simply need to use something that gives you remote admin capabilities.
"e.g. with remote access via a CPE backdoor, the local ethernet port on the CPE can be put into "promiscuous mode" and all ethernet frames on the local network snagged. Allowing, for example, the snooping of traffic to a networked local printer in an office."
I've actually done this, with the permission of the customer, to diagnose a problem inside the customer's home network. It was actually a badly broken printer killing the wifi.
I know it's not always possible, but if you don't trust the ISP in your home network, don't use the ISP's gear. I don't and I work for one.
Every device in infrastructure should have a management address. This int is routed differently than the data interface. In a datacenter, management will be a separate physical int but telecom can't go running 2 cables into a house so it's a logical management int in that case. Comcast remotes into my modem all the time for management purposes (service magically goes out) and I doubt they login via my DHCP address from them. It's just good practice to manage a device from a management int and in a consumer environment this should be hidden from the user. Everyone in infrastructure knows, the less the user knows the better.
Tinfoil hat time - funny cowinkydink they chose a DoD subnet. Why wouldn't they use 10.0.0.0/8 like the rest of the world? Could be them being different, could be something more. Convenient for the DoD to own the management subnet, just saying.
Or just that they historically had some 10/8 space already used elsewhere in the network?
Note that they're not the only ones camping on DoD address space, I know a couple more folks who had to do it out of necessity at some point, under the assumption (flawed, sure) that DoD probably will never advertise them.
The best way to solve it is to go IPv6-only in management, and for those folks who are lucky enough to have had public IPv4 space for management purposes, that is one of the big drivers.
Could be 10/8 used elsewhere for some other network but us infrastructure guys are lazy. NAT that shit. I've never known an ISP to be a monument to best practices.
I've yet to come across any 30/8 subnets in my career. RFC1918 gives one a shit-ton of address space to work with. Bleeding into the 30/8 for necessity seems like something is wrong somewhere.
The fact IPv6 isn't more widely adopted reiterates my point above: engineers are lazy and NAT works. I've only known one company to use public IPv4 space for management and they were a mess. I'd love to say using 30/8 is out of necessity or out of laziness but it's just oddly convenient.
"NAT that" - sure, if you say so. Unless someone years ago already made that choice for you and you already have that management network.
"yet to come across any 30/8" - http://blog.erratasec.com/2013/12/dod-address-space-its-not-... - read the blogpost and comments.
Of course you can also use looking glasses (http://lg.he.net/, http://www.cogentco.com/en/network/looking-glass in case anyone wants to check me) to verify that 30/8 is not in the BGP tables, and thus is not routed.
And even if it starts getting routed, e.g. someone makes a hijack, the space surely does not have to be 30/8 to be hijacked, as evidenced by e.g. http://research.dyn.com/2013/11/mitm-internet-hijacking/
And let me put a tinfoil hat on and ask: if I were to spy on the home routers and wanted to keep the whole affair secret, would not assignment of a less "hot" chunk of addressing space (like, for example, RFC1918), and then getting access to the system that can use that range within this network, keep me much lower under the radar?
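The looking-glass check above can be reproduced offline once you have pasted the `show ip bgp` style output into a string. The script below is an added example, not code from any commenter: it pulls every announced prefix out of a RIB table and reports whether a given range is RFC1918, covered by (or overlapping) an announced route, or public space that nobody is announcing - the 30/8 case. The RIB rows are constructed from documentation prefixes and private ASNs and are not a real snapshot from lg.he.net or Cogent's looking glass.

```python
import ipaddress
from typing import List

# Constructed excerpt in the style of a looking-glass "show ip bgp" table.
# The rows are made up for this example (documentation prefixes, private
# ASNs); they are not a real RIB snapshot from any looking glass.
SAMPLE_RIB = """\
   Network            Next Hop            Metric LocPrf Weight Path
*> 198.51.100.0/24    203.0.113.1              0    100      0 64496 64500 i
*> 192.0.2.0/24       203.0.113.2              0    100      0 64496 64501 i
*  192.0.2.0/24       203.0.113.3              0     90      0 64497 64501 i
*> 203.0.113.0/24     203.0.113.2              0    100      0 64496 64502 i
"""

RFC1918 = [ipaddress.ip_network(p)
           for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_rib(text: str) -> List[ipaddress.IPv4Network]:
    """Pull every CIDR prefix out of a pasted RIB table, deduplicated.

    Only tokens containing '/' are considered, so next hops and AS paths
    are skipped without needing to know the exact column layout.
    """
    prefixes = set()
    for line in text.splitlines():
        for token in line.split():
            if "/" not in token:
                continue
            try:
                prefixes.add(ipaddress.ip_network(token, strict=False))
            except ValueError:
                pass  # some other slash-bearing token, not a prefix
    return sorted(prefixes,
                  key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def overlapping_routes(target, routes):
    """Announced routes that cover the target, or more-specifics inside it.

    Either case means at least part of the target is reachable via BGP,
    so a range is only 'unannounced' when nothing overlaps it at all.
    """
    return [r for r in routes if r.version == target.version and r.overlaps(target)]


def classify(prefix: str, routes) -> str:
    """rfc1918 | announced | public-but-unannounced for the given range."""
    net = ipaddress.ip_network(prefix, strict=False)
    if net.version == 4 and any(net.subnet_of(r) for r in RFC1918):
        return "rfc1918"
    if overlapping_routes(net, routes):
        return "announced"
    return "public-but-unannounced"


if __name__ == "__main__":
    routes = parse_rib(SAMPLE_RIB)
    for p in ("30.0.0.0/8", "10.20.0.0/16", "198.51.100.7/32", "192.0.2.0/23"):
        print(f"{p:18} {classify(p, routes)}")
```

Paste the output of `show ip bgp 30.0.0.0/8` (or a full table dump) from a real looking glass in place of `SAMPLE_RIB` to check a live view. Note the caveat the thread itself raises: absence from one looking glass shows the range is not announced as seen from that vantage point today, not that it can never be hijacked or announced later.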