Rural UK Fibre ISP Truespeed Criticised for Restrictive Router
Full fibre broadband ISP Truespeed, which is currently building a Fibre-to-the-Premises (FTTP) network across rural areas of South West England (here), has been criticised by a number of customers for their questionable approach to WiFi security, as well as other access restrictions on their bundled router.
At present it’s not uncommon for some broadband providers – usually the biggest players – to ship bundled routers to consumers that have been locked down (i.e. placing some restrictions on your control or access), although most of those will still enable you to perform common networking tasks like port forwarding, password changes and firewall adjustments etc. (experiences do vary).
The decision to restrict a router is usually based around a number of different considerations, such as the ISPs desire to better control the security or support of their network environment, and to prevent their device being used on rival broadband ISPs.
Often customers can get around many of these limitations by purchasing a third-party router and plugging it in via the WAN port of their existing kit (it’s uglier and inefficient to have multiple boxes, but it works). We’ve long campaigned for ISPs not to lock down their routers (here), which is a particular bugbear for IT people, but little progress has been made. Thankfully many smaller ISPs tend not to follow this practice.
However, every once in a while we come across a situation that is more extreme than most. In this case the problem stems from the router that Truespeed bundle to customers of their new FTTP network, which predominantly exists in areas where there may be little choice of alternative ISPs – unless you want to go back to slow speeds via Openreach’s copper network.
A Router Restriction Too Far?
We first started hearing about the customer frustrations with Truespeed’s router over a year ago and one recent post on Reddit by ExdigguserPies serves as a good example of the same issue. “Alarm bells started ringing when I discovered that [Truespeed’s] supplied router is completely locked down. I can’t control anything except to physically turn it off. The web interface is not accessible,” said the customer.
The ISP confirms this on their website (FAQ) by saying that “right now, we don’t allow customers to change their router settings themselves. This is to make sure we can keep both your home network and our Truespeed network fully secure.” Apparently, “If you want to make a change to your network or router configuration, contact our Customer Support Team.” That alone would be enough to discourage most experienced IT folk.
So if you need to do any normal networking tasks on your router (port forwarding, static IP assignments, DNS changes etc.) then you have to ask the ISP to do that for you, which is somewhat less than ideal. But the concerns don’t end there.
ExdigguserPies said:
“The engineer who installed their router wrote my wifi password down on the cardboard box and his phone was connected to it. Then I noticed that my wifi password was emailed to me in a pdf. They clearly know my wifi password. So I emailed them asking how I can change my wifi password. This was their response:”
Truespeed Support: At present any changes need to come via us, and we then push the changes to the router. We do have a portal in development which will mean you can do it without contacting us, but this is a way off at this time. If you want to let me know what you want the password to be (and we can change the SSID as well) I can get it done ASAP?
Just to be clear, in most cases this means that in order to change the WiFi password for your home network you’d have to send (most likely in unsecured plain text form) that password via email to the provider’s technical support team, which isn’t a particularly wise approach (example for why) and may conflict a little with their own usage policy.
7. SECURITY
7.1 Security when using the Services is your responsibility. We are not responsible for your failure to take proper security measures on your computers, tablets, mobile phones, etc.
7.2 All wireless networking equipment that you use in relation to the Services must be password protected. All Wi-Fi passwords must be kept secure and confidential. We recommend that you change your Wi-Fi password regularly.
7.3 We may suspend your services if your devices are attacking others. If we identify devices on your connection causing a significant impact on our Services, or are part of a botnet type attack, we reserve the right to suspend or disconnect your access to the Services without notice. We will contact you as soon as practicable to attempt to resolve the situation.
7.4 All users using The Services must ensure that their devices are protected with up to date anti-virus software and a properly configured firewall (where applicable).
The good news is that you can use a third-party router instead, although the ISP states this on their website: “We are not able to put the Truespeed router into a bridge or ‘Pass Through’ mode. We use a DMZ on the Truespeed router to forward all external traffic to your own router, without any interference from the Truespeed router’s security.”
The other alternative is to pick one of their business packages, which includes a router that does at least support bridge mode.
Alex Huscroft, Head of Customer at Truespeed, told ISPreview.co.uk:
“We strive to offer the best possible service at all times so take all customer feedback very seriously. This feedback also helps to inform our future plans.
We are aware of concerns from a small number of customers who are keen to reconfigure some of the router settings themselves. To date, we have taken a very cautious approach to how we manage our routers and customer data to ensure ubiquity of service. As one of only a handful of full fibre ISPs also providing a VoIP telephony service, we opted to control the router partly to ensure that this service is not compromised by consumers inadvertently changing router configurations.
The good news, though, is that we have taken these concerns on board and are actively working on amending our policy so that customers will be able to change SSID/Wi-Fi password settings on their Truespeed-owned router. This will happen in phases, with the first phase scheduled to coincide with the launch of our new mesh wi-fi extender service this summer. We invite any customer who has any questions to get in touch with us here: ultrafast@truespeed.com.”
Truespeed’s website also confirms that they’re “working on making router configuration more open in the future so you can access your Truespeed router,” although we’d ideally like to see a lot more control than just the ability to change the WiFi password and SSID of the customer’s home network.
All of this is quite disappointing because Truespeed has otherwise been doing an excellent job on their rural FTTP build in South West England. Nevertheless, some people may not be prepared for the level of access restrictions that are imposed via their bundled router. In fairness, the ISP does make most of this clear on their FAQ pages and, of course, many users almost never touch the admin side of their router.
Mark is a professional technology writer, IT consultant and computer engineer from Dorset (England), he also founded ISPreview in 1999 and enjoys analysing the latest telecoms and broadband developments. Find me on X (Twitter), Mastodon, Facebook and Linkedin.
« Community Fibre Offer 10Mbps for £10 to Those on Benefits
Openreach Boost Rural FTTP Broadband Build to 6m UK Premises »
Latest UK ISP News
- FTTP (5515)
- BT (3514)
- Politics (2537)
- Openreach (2297)
- Business (2262)
- Building Digital UK (2244)
- FTTC (2043)
- Mobile Broadband (1973)
- Statistics (1788)
- 4G (1664)
- Virgin Media (1619)
- Ofcom Regulation (1461)
- Fibre Optic (1395)
- Wireless Internet (1389)
- FTTH (1381)
I always recommend replacing any ISP’s supplied equipment with your own as far as possible. Moves like this to lock down supplied equipment with the excuse of “we’ll keep you safe, just trust us” simply lends more reason to that. Whilst this used to be simple with standard Openreach xDSL connections, alternative ISPs often come with alternative less-standard access setups which can make it near-impossible for less technical customers to configure their own equipment to work with their connection. It seems the days you could simply plug in your own router, configure your PPP login details and have it “just work” are gone.
In Truespeed’s case you can connect your own router to the ONT, though there is no DHCP on the internet VLAN. Their routers grab their configuration on boot from the untagged VLAN on the ONT’s Ethernet port. You can configure the network statically and not worry about this, provided you set the correct tagged VLAN and addressing details for your connection. Obviously this kind of configuration would be beyond the average consumer, and in any case difficult if you were to use their phone service (SIP not on the internet VLAN).
Sadly this is not the only issue with Truespeed, though I won’t go on with my other grievances about their security and network in general. At least the service, usually, is much better (albeit much more expensive) than the Openreach alternative in this area!
So no changing your WiFi password or name or channel number?
Point 7.1 makes me laugh. How can customers take proper security measures of they can’t access the hub’s settings?
There’s something wrong with this company.
Thats the 1st thing I do when getting a new Wi-Fi hub.
The provider is going through a lot of issues at the moment, this is probably least of their worries.
Like what?
I’ve just had Truespeed installed this week and am currently going through the pain of their “Its our router not yours” attitude, the service is great but this really pisses me off and if there was any alterntative for a decent speed connection I would jump.
I have at least spoken to a decent tech who seems quite happy to make whatever changes in terms of addressing, DHCP, DMZ I want, and there is a physical button on the back of the Zyxel to disable their WiFi so I’m mostly able to use my own kit with their router in front, it does mean double NAT but then I’m using an A&A L2TP tunnel from my router so this is less of an issue, still got some work to do on the network over the weekend to try and get an optimal setup.
There’s one point that concerns me a lot though with the fact that you can’t set your own WiFi password, it can be changed buy you have to call support and _tell them_ the password you want over the phone! Therefore its IMPOSSIBLE to secure your network as at least one person outside of your home will know the password, given this story that came out earlier in the week this seems like it could be very dangerous (or a defence of reasonable doubt depending on your point of view) https://www.bbc.co.uk/news/technology-57156799
Oh dear, what a shambles, Truespeed are making a fool of themselves, mind, it’s a pretty good system really, if a truespeed customer is accused of IP theft, they could deny any involvement.
Go truespeed and start illegal downloading.
I suspect they are not the only restrictive ISP. For example BT’s hub and black disc mesh seems to block it being re-purposed on another network. However their white disc version can be purchased to work on any LAN.
I would imagine anyone with the black discs knows they won’t work with other ISP’s especially at BT loan them to you and you have to return them when you leave BT.
White discs are intended for any ISP.
That’s a bit disappointing. I live in the Mendip area and am looking forward to upgrading to Truespeed when they finally get to Street. I’m guessing this wont allow me to use my firewalla then, but hopefully my BT Whole Home mesh should be ok.
I use the BT WholeHome Wifi mesh system (white disks) perfectly fine with the Truespeed router.
How odd. It’d make more sense if that device were a combined router and ONT however if there’s a separate one that’s bemusing.
Also if it’s a point to point fibre network and the ‘ONT’ is actually just a media converter that’s also bemusing.
Only reason to lock down a router to this extent is if it’s connecting directly to a shared network and the operator doesn’t have the resources to purchase custom firmware. An ONT on a PON that’s completely under the control of the end user can be dicey.
Indeed. The ONT is essentially a media converter (1000BASE-BX), though it does filter some VLANs (it also runs Linux and has an open telnet server on the fibre side) so it’s not entirely a passive media converter.
I wonder what would happen if you put a couple of BX SFP’s in a switch dropped in a port based VLAN, dropped an ACL on port 23 and hooked up Truespeeds media converter. May be port mirror it and take a look at the telnet traffic.
Frankly it is nothing more than idiot control freakry on behalf of Truespeed. No need to do anything more than present a 1Gbps ethernet connection on the back of the media converter. Hell if you had a router with an SFP (plenty on the market) I would be looking to stick a BX SFP directly in that. They are as cheap is chips on fs.com
Sounds just the same with what jurassic fibre do with their routers, can’t access anything on it so don’t have a chance of changing wifi ssid or password without getting hold of them.
“Hi TrueSpeed bank here, yes no problem we can change your card PIN. What would you like? 4567 No problem”
Later……
— BANK CashMachine—–
Ok let’s try, card in, 4pip 5pip 6pip 7pip
‘Balance =£0’
‘Recent transactions £-6326’
‘Do you want another service?’
The most concerning thing about this story is the implication that Truespeed probably keep some sort of database with customer wifi passwords and identifying information. Original passwords must be kept somewhere as they are re-instated to the router after a factory reset for example. New passwords are at the very least kept in their email inbox! A data breach could put all of that information out in the wild.
Sounds like they aren’t to be trusted really, specially if you can’t use a third party router which I’m going to guess you can’t.
The ammount of information being transacted between ISP supplied routers now is getting terrible, nothing is sacred.
I have had Truespeed for more than two years and it’s a brilliant product, completely reliable and fantastic speeds. Whilst I recognise that I can’t change the password myself and that does need to change, actually the technical support crew are superb and I have a Netgear 853 mesh system set up on top of their router with Bit Defender switched on so I think I’m pretty safe. The technical crew advised me on what to buy and helped me set it up, no problem at all. I must say I’m really not impressed with people who aren’t customers pontificating about a product they aren’t using!!!
This whole story comes from a customer experience… and the security implications are there for all to see. rolleyes
It’s not about that side of your security, it’s the fact if they get hacked internally, someone has all your details Inc WiFi password. Dodgy
It just highlights its infosec credentials
You also forgot to mention that you are TrueSpeed employee
Another ISP to avoid. Duly noted.
“We strive for security”
But… you send passwords in plain text via PDF?
That’s almost as bad as what Sony did storing customer details in plain text.
Have been a TrueSpeed customer for a few years. Was very disappointed when I couldn’t just plug my router in to the ONT, and took a while to actually commit given that was the case.
Despite the restrictions on routers, they are decent people to deal with and generally helpful. I just get everything forwarded to my router and have their wifi switched off.
Would love to remove their box and plug my own device into the ONT, or even fibre directly into my device (even if it meant sacrificing the landline). Don’t want to pay extra every month though (perhaps a one off config session might be OK). Not sure how bad they’d think I was if I just started trying this (I haven’t found the VLAN details yet…).
I also use TS and have my own router behind in DMZ. Can turn off WiFi on their router (can be done on front panel buttons of the Fritzbox router they supply).
As for the VLAN, should be able to find that out easily enough if you have either a managed switch or an unmanaged switch that does not strip tags or drop. Then run wireshark and see what VLAN the internet traffic is on. TBH, probably not worth the bother for most folks and might annoy TS. Also, if you are on dynamic IP then I think the IP is part of the TR-69 config (or whatever else they use). Unless you can read this and dynamically update your wan ip they might get a bit grumpy. Not my area of expertise but does not sound worth the pain.
I can happily run servers and use dynamic DNS. Just need to make sure your DDNS tool queries the public IP from an external service rather than some that just use the WAN IP of your second router. Just configure this in my pfsense router but many routers can do this.
Just a pain having to jump through a few extra hoops when this stuff should be exposed to users. TBH a provisioning portal isn’t great either as your config is still exposed to an external system – but this is the way the industry is going. I would think the best solution would be a firmware with some settings locked such as WAN config and maybe VoIP settings and allow users access to WiFi, NAT etc? Don’t think this will ever happen and the portal has been in the works for a long time now.
Overall reliability of TS speed has been good and whilst a bit expensive there is now a cheaper 80Mbps tier that I will downgrade to when out of contract. Only me and the wife – 80Mbps is ample for our needs.
Another grump some folks have with TS is that they are not very transparent on VoIP call costs. They do not publish on their site and I believe the costs are on the steep side. I just use my own VoIP provider but as the router is locked down then can’t use the Fritzbox’s VoIP hardware.
F
Already denying access to some alt nets to f they don’t offer a static IP.
Just cancelled the service after spending a week trying to get my router working with theirs using double NAT. Loads of DNS errors every day.
To be fair, their support desk were very helpful, but sorry, cannot accept that they have to keep control of the router. Their solution is upgrade to a business service for twice the price for 1/2 the speed. Then you are allowed to remove their router……