Today, I switched ISPs, and now I'm in Turkcell Superonline (really doesn't matter who. They are all evil, after all) and they gave me a brand new router (actually, I do not own it, I have it as long as I'm using their services).

The router is an AirTies Air 6372, with the firmware 6372SO. Right in the moment I saw the firmware was also branded by Superonline, I became furious and looked everywhere in the web interface if I could see something going wrong.

And I discovered that,

* device logs and reports aren't accesible
* every text in "port forwarding" is removed yet the form is there

And they actually forgot removing one little button which read "advanced" in a "quick reports" type of a tab (which didn't really tell much). I clicked on it, and bam! "Access denied."

Now for the big deal... "Remote Management". I went there, to see that "Ping", "Telnet", "Web" are all checked, but in the "IP List to Allow Access" list, there were pre-defined networks, and when I ran whois on them, I found out that they all belonged to Superonline!

Great... So I deleted them all, and tried to add my own IP address. Didn't work, the input was disabled. I did some HTML trickery (inspect element, remove lines, etc.) to get past the obstacle and added my own server's IP. And it showed on the list, but I couldn't telnet into it (connection refused)

Ran a nmap on the router to find out a dozen of irrelevant ports open to the public. Backdoors, I'm afraid!

I have VoIP phone records, passwords, MAC addresses, or even private information (carried on the router by the USB host feature) on my router. Nobody except me should be able to access it all. The ISP is solely responsible with giving me an username and a password.

Which brings me to my last point, on the router, I have an admin account, yes. In my previous router which was also an AirTies, I had an admin account too, but I wouldn't enter a username. But this time, I had to use the default username "admin". Which trivially proves that there are other login accounts on the machine, and one of them are presumably the highest level administrator, equal to the root account. When you ask the manufacturer for the details, they kindly ask you to piss off.

Taking into account the fact that they have root access to my router and they won't give it to me, am not I in a very dangerous position in terms of security and privacy? Can't they easily adjust the Quality of Service settings on my router, without my knowledge, and render forwarding the ports useless? I live in a country where the government does MITM attacks using fake root certificates, and I could easily say that this compant has close relations with the government and my personal information could be at the evil hands of capitalism right now.

And all of this, is for what? Okay, my connection is limited, that's OK, but this is certainly a wreck for power users. If they get my data, they really won't be interested in my Facebook passwords, but rather my daily habits, etc. and provide more suitable ads personally for me, just so I hand my money off to them at my own free will.

I really need help from you guys, as you can clearly see, I'm worried.