FRITZ!Box 3490 Service - Knowledge Base
How is the FRITZ!Box protected from attacks against port 8089?
Your Internet service provider can use TCP port 8089 to contact the FRITZ!Box in case it would like to initiate a connection between the FRITZ!Box and its Auto Configuration Server (ACS). As a rule, the FRITZ!Box does not respond to such requests. Instead, it checks the integrity of such requests. The FRITZ!Box does not contact the Internet service provider's ACS in order to retrieve the respective data unless it passes the integrity check. This mechanism makes it impossible to use TCP port 8089 to access the FRITZ!Box and retrieve data from it. In addition, it ensures that the FRITZ!Box only contacts the ACS it already knows.
Technical background information
The FRITZ!Box supports the TR-069 protocol which enables secure automatic configuration of your Internet connection and Internet telephony. It also allows your service provider to automatically update FRITZ!OS. If necessary, the service provider's Auto Configuration Server (ACS) contacts the FRITZ!Box over TCP port 8089 using a URI (Uniform Resource Identifier) that was previously negotiated. During this procedure, no data is transmitted from the FRITZ!Box to the ACS. The FRITZ!Box only establishes a new and secure (encrypted) connection to the provider's ACS if it accepts the URI being used. The ACS is then allowed to transmit the above-mentioned data. In the case of an update, the FRITZ!Box only permits the installation of FRITZ!OS versions that were digitally signed by AVM.
Note:Disable the provider services in the user interface (in the "Advanced view" under "Internet > Account Information > Provider Services") if you do not want the FRITZ!Box to establish a connection to your Internet service provider even when contacted by its ACS. If you do not see the "Provider Services", your service provider does not support TR-069 and the FRITZ!Box ignores all attempts to contact it via TCP port 8089.