[Hello71]

By my reckoning, as long as the modem has no public- or customer-facing IP address, it's probably not going to be a vector for easy attacks. It might be accessible from within the ISP network, but if someone has access there then they can probably just tap your line directly, no need for additional exploits.

[ad_hominem]

ONTs typically terminate to Ethernet at the customer premises so it's effectively the exact same thing as a cable modem. So not any more secure than having cable and using the cable company's provided modem.

If you tapped someone's fiber line, all the traffic between the ISP headend and customer premises (OLT and ONT if we're talking fiber) will be encrypted. In fact on a PON network using TDM it has to be, because if you stared down your own fiber you would be seeing all your neighbors' traffic as you're all time-sharing the same laser diode at the ISP headend (because it's a passive network, you will be seeing your neighbor's traffic when the diode is transmitting outside of your designated time cycle).

Anyway my only point was to inform OP that contrary to their belief, they effectively are in the situation of having an ISP-owned modem.

[solotronics]

When I was setting this up for an ISP a few years ago the TDM was just a SFP that has its own MAC address inside. Its doing the TDM part inside the SPF itself. When we configured a new customer it was just adding the MAC to the config of an interface on an alcatel router at the hub side. You might not be able to transmit without interference but I bet you could spoof the MAC of a neighbor on the same fiber and listen in.

[ad_hominem]

Wow that is very interesting! That would be a worthwhile experiment to test out for sure.

[neilalexander]

In the case of Openreach in the UK, the majority of subscriber lines carry PPPoE traffic over VLAN 101 which is bridged on the modem to the consumer equipment.

There's also an additional VLAN 301 for TR069 management traffic, which is used by the HG612 modems (and possibly others) that Openreach used to enjoy flinging at all VDSL subscribers. The modem itself claims an IP address in this VLAN.

Although usually hidden from the end-user, it's actually surprisingly easy to drop yourself onto VLAN 301 even with the HG612 and get an IP address on that management network. I imagine that this is the kind of way that modem exploits become dangerous if they are indeed routable on networks like this.