Certifying Security

It's been on my list for some time to write up an entry for some of the advantages delivered through the Broadband Forum BBF.069 certification program. The program is currently the industry's only official certification program for the TR-069 protocol, and has been created by the experts that wrote the standards. With the recent articles circulating from the DEFCON 22 presentation from Shahar Tal, now seems like a great opportunity. I'll expand a little more on the specifics from the DEFCON article later in this entry, but first I want to give a small background on TR-069 and the BBF.069 Certification Program for the novice.

The TR-069 protocol was developed and first released by the Broadband Forum in 2004. The protocol is used by internet service providers (ISPs) to remotely manage equipment installed in the subscriber's premises. Remote management of the customer premises equipment (CPE) helps the operator better manage and support all the customers in their network, providing more advanced features like online troubleshooting and performance monitoring. It's even possible for the service provider to roll out a new software image to the CPE devices in the middle of the night, when their subscribers are sleeping (and not using their network connections).

The BBF.069 certification program was released by the Broadband Forum in 2012 to address the growing number of devices implementing TR-069 and its growing use within the network. The program allows CPE devices that have passed strict conformance tests to use a recognizable logo on their packaging and documentation, and also provides an online registry of certified devices. The BBF.069 Certification Test Plan contains more than 100 detailed test cases to verify the CPE's implementation of the TR-069 protocol. The conformance tests are designed to test both positive and negative requirements defined in the standard. A positive test case is designed to ensure the CPE responds and behaves correctly when all the TR-069 communications from the auto-configuration server (ACS) are correct and well formatted. The negative test cases are exactly the opposite and are intended to test cases where the TR-069 communications are either incorrect or improperly formatted. In the negative cases, the CPE is required to support the correct error handling.

At this point I want to dig into a couple of key items tested within the BBF.069 Certification Program, which are specifically related to some of the points raised by the DEFCON article. The TR-069 protocol includes a mechanism that allows the ACS to monitor the value of specific parameters, effectively requiring notifications if the parameter values are changed, such as by a user altering the configuration of sensitive parameters within the CPE. The certification program thoroughly tests these notifications, including delayed delivery, when the CPE was either disconnected or “misconfigured.” In short, the service provider would be made aware that the CPE's configuration parameters, including those associated with the ACS connectivity, were changed.
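The notification behaviour described above, as an added example that is not part of the original post and is not code from the Broadband Forum or any CPE vendor: a simplified model of a parameter change made while the CPE is offline, queued, and reported with the `4 VALUE CHANGE` event on the next successful Inform. The `Cpe` and `Acs` classes, their methods, and the parameter values are constructed for illustration; a real stack carries this over SOAP/HTTP with session retry rules that are not modelled here.

```python
from dataclasses import dataclass, field

OFF, PASSIVE, ACTIVE = 0, 1, 2   # Notification attribute values (SetParameterAttributes)
PERIODIC, VALUE_CHANGE = "2 PERIODIC", "4 VALUE CHANGE"   # Inform event codes
INTERVAL = "InternetGatewayDevice.ManagementServer.PeriodicInformInterval"

@dataclass
class Acs:                        # hypothetical ACS-side receiver
    watched: set
    alerts: list = field(default_factory=list)

    def receive_inform(self, events, changed):
        if VALUE_CHANGE in events:
            self.alerts += [(n, v) for n, v in sorted(changed.items()) if n in self.watched]

@dataclass
class Cpe:                        # hypothetical CPE-side model
    params: dict
    notify: dict                                  # parameter -> notification attribute
    pending: dict = field(default_factory=dict)   # changes not yet reported to the ACS
    acs_reachable: bool = True

    def local_change(self, name, value, acs):     # a change not made by the ACS (e.g. local UI)
        if self.params.get(name) == value:
            return
        self.params[name] = value
        level = self.notify.get(name, OFF)
        if level != OFF:
            self.pending[name] = value
        if level == ACTIVE:                       # active: try to start a session right away
            self.inform(acs, [VALUE_CHANGE])

    def inform(self, acs, events):
        """Send an Inform; pending changes stay queued until delivery succeeds."""
        if not self.acs_reachable:
            return False
        if self.pending and VALUE_CHANGE not in events:
            events = events + [VALUE_CHANGE]
        acs.receive_inform(events, dict(self.pending))
        self.pending.clear()
        return True

def offline_change_demo():
    acs = Acs(watched={INTERVAL})
    cpe = Cpe(params={INTERVAL: 3600}, notify={INTERVAL: ACTIVE}, acs_reachable=False)
    cpe.local_change(INTERVAL, 864000, acs)       # constructed values; CPE is offline
    queued = dict(cpe.pending)
    cpe.acs_reachable = True
    cpe.inform(acs, [PERIODIC])                   # next successful session delivers it
    return queued, acs.alerts
```

On the ACS side, an alert for a management-server parameter that the ACS did not set itself is the signal worth routing to operations.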

TR-069 deployments are also recommended to use HTTPS transport and valid, non-self-signed certificates to secure communication between the CPE and the ACS. The BBF.069 certification test plan includes several test cases to verify the CPE properly implements the TLS protocol and verifies the certificates being used to secure the TR-069 communications between the CPE and ACS. Again, these tests include both positive and negative cases, where the CPE must accept and use properly formatted and valid certificates, while rejecting certificates that are invalid, out of date, or for an incorrect server. Similarly, the CPE must properly handle the case where it has been redirected to another server either within or outside of a secure session.

Service providers deploying BBF.069 certified CPE using the HTTPS transport can ensure the equipment placed in the subscriber's premises includes a robust and well-implemented TR-069 stack. BBF.069 Certified CPE devices will properly validate TLS certificates used to encrypt the management traffic with the ACS, helping to prevent well-known “man in the middle” attacks. Additionally, deploying certified CPE devices helps service providers ensure the CPE will interoperate properly with their existing and future ACS equipment, and lessens the amount of time needed to integrate the equipment into their deployment. For more information on the BBF.069 Certification Program, please refer to the Broadband Forum's website.

Lincoln Lavoie, Senior Engineer, Broadband Technologies