FRITZ!Box 6490 Cable Service - Knowledge Base
How is the FRITZ!Box protected from attacks against port 8089?
Your cable provider can use TCP port 8089 to contact the FRITZ!Box in case it wishes to initiate a connection between the FRITZ!Box and its Auto Configuration Server (ACS). As a rule, the FRITZ!Box does not respond to such requests. Instead, it checks the integrity of such requests. The FRITZ!Box does not contact the cable provider's ACS in order to retrieve the respective data unless it passes the integrity check. This mechanism makes it impossible to use TCP port 8089 to access the FRITZ!Box and retrieve data from it. In addition, it ensures that the FRITZ!Box only contacts the known ACS.
Technical background information
The FRITZ!Box supports the TR-069 protocol which enables secure automatic configuration (for example for Internet telephony, additional services or automatic FRITZ!OS updates initiated by your cable provider). If necessary, the cable provider's Auto Configuration Server (ACS) contacts the FRITZ!Box via TCP port 8089 using a URI (Uniform Resource Identifier) that was previously negotiated. During this procedure, no data is transmitted from the FRITZ!Box to the ACS. The FRITZ!Box only establishes a new and secure (encrypted) connection to the cable provider's ACS if it accepts the URI being used. The ACS is then allowed to transmit the above-mentioned data. In the case of an update, the FRITZ!Box only permits the installation of FRITZ!OS versions that were digitally signed by AVM.