FRITZ!Box 6490 Cable Service - Knowledge Base
How is the FRITZ!Box protected from attacks against port 8089?
Your cable provider can use TCP port 8089 to contact the FRITZ!Box in case it would like to initiate a connection between the FRITZ!Box and its Auto Configuration Server (ACS). As a rule, the FRITZ!Box does not respond to such requests. Instead, it checks the integrity of such requests. The FRITZ!Box does not contact the cable provider's ACS in order to retrieve the respective data unless it passes the integrity check. This mechanism makes it impossible to use TCP port 8089 to access the FRITZ!Box and retrieve data from it. In addition, it ensures that the FRITZ!Box only contacts the ACS it already knows.
Technical background information
The FRITZ!Box supports the TR-069 protocol which enables secure automatic configuration of your Internet connection, Internet telephony, and additional services such as automatic FRITZ!OS updates initiated by your cable provider. If necessary, the cable provider's Auto Configuration Server (ACS) contacts the FRITZ!Box via TCP port 8089 using a URI (Uniform Resource Identifier) that was previously negotiated. During this procedure, no data is transmitted from the FRITZ!Box to the ACS. The FRITZ!Box only establishes a new and secure (encrypted) connection to the cable provider's ACS if it accepts the URI being used. The ACS is then allowed to transmit the above-mentioned data. In the case of an update, the FRITZ!Box only permits the installation of FRITZ!OS versions that were digitally signed by AVM.
Note:Disable the provider services in the user interface (in the "Advanced view" under "Internet > Account Information > Provider Services") if you do not want the FRITZ!Box to establish a connection to your Internet service provider even when contacted by its ACS. FRITZ!Boxes offered by some cable providers do not allow you to disable provider services.