What are you all on about? He said [slashdot.org] he disabled administrative access from outside. No matter the password, there's intrusion going on here, so there is something to talk about.
Administrative access was not used for this. His Actiontec, along with most other telco-distributed CPEs, uses the TR-69 remote administration spec to allow for reconfiguration of services, firmware updates and other crap that used to require a technician to be sent out.
If a password was all there is to protect your router from outside, all hell would break loose for simple brute forcing. You also can't expect Aunt Irma to change her password first thing when she gets net access.
Which is why they changed his password from the default to a unique one. Even with remote access disabled, a default password on your router is a risk. See pharming.
Finally, even disregarding all that, even if he was stupid and careless, they can't just access the router if he didn't explicitly give them the right in a contract somewhere. I get you're all supercomputer experts, but maybe we could talk about what he's asking?
Telcos are typically behind IBM and God on how many lawyers they have on staff. I'll eat my fucking shoe if it's not explicitly laid out in the TOS for FIOS that they can and will access the router for remote configuration changes, particularly for security reasons.
Why is there an open forced access port/back door?
There is a backdoor to allow changes in configuration that are usually, but not always, related to connectivity and function of the actual connection to the provider - the minutiae that even a field tech doesn't want to have to waste time with.
Is that ok without telling the owner?
Are we that sure it wasn't in that contract he signed?
What security is in place that entities besides Verizon can't access it?
A properly implemented TR-69 system is going to be more secure than any machine this guy is running on his network, guaranteed. The administration server address cannot be changed from the user-accessible interfaces, the connection is initiated from the CPE to that server instead of the reverse, and there are multiple layers of verification and encryption in use before anything is actually allowed to be updated or changed.
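The session shape described in that last post (ACS address locked away from the user interface, the inbound "connection request" carrying no commands, the CPE calling the provisioned server itself, credentials checked before any change is applied) as an added toy model. This is example code, not anything from the original post, Actiontec or Verizon, and not a conforming CWMP stack: HTTP and TLS are replaced by direct method calls, the ACS URL and device credentials are made up, and the parameter names are only loosely based on the TR-181 `Device.` data model.

```python
"""Toy model of a TR-069 (CWMP) management session.

Added illustration only: not Actiontec or Verizon code and not a
conforming CWMP stack.  The CPE and ACS are in-memory objects, the
HTTP/TLS transport is replaced by direct calls, and the parameter
names are loosely based on the TR-181 'Device.' data model.  All
URLs, identifiers and credentials below are constructed for the example.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CWMP_NS = "urn:dslforum-org:cwmp-1-0"


class CPE:
    """The router.  Only the ACS path may touch Device.ManagementServer.*"""
    ACS_ONLY = "Device.ManagementServer."

    def __init__(self, oui, serial, acs_url, acs_user, acs_password):
        self.params = {
            "Device.DeviceInfo.ManufacturerOUI": oui,
            "Device.DeviceInfo.SerialNumber": serial,
            "Device.ManagementServer.URL": acs_url,      # fixed at provisioning
            "Device.ManagementServer.Username": acs_user,
            "Device.ManagementServer.Password": acs_password,
            # What an ACS must present to make this CPE call home.
            "Device.ManagementServer.ConnectionRequestUsername": "acs-cr",
            "Device.ManagementServer.ConnectionRequestPassword": "cr-secret",
            "Device.Users.User.1.Password": "admin",     # factory default
        }

    def user_set(self, name, value):
        """Path taken by the local web UI: ACS settings are off limits here."""
        if name.startswith(self.ACS_ONLY):
            raise PermissionError(f"{name} is not user-configurable")
        self.params[name] = value

    def connection_request(self, user, password):
        """The only inbound step.  It carries no commands: on a valid knock the
        CPE opens its own session to the URL it already has stored.  Returns
        that URL, or None when the knock fails authentication."""
        ok = (hmac.compare_digest(user, self.params[self.ACS_ONLY + "ConnectionRequestUsername"])
              and hmac.compare_digest(password, self.params[self.ACS_ONLY + "ConnectionRequestPassword"]))
        return self.params[self.ACS_ONLY + "URL"] if ok else None

    def build_inform(self, event_code):
        """CWMP Inform: the CPE announces itself at the start of a session."""
        env = ET.Element(f"{{{SOAP_NS}}}Envelope")
        body = ET.SubElement(env, f"{{{SOAP_NS}}}Body")
        inform = ET.SubElement(body, f"{{{CWMP_NS}}}Inform")
        dev = ET.SubElement(inform, "DeviceId")
        ET.SubElement(dev, "OUI").text = self.params["Device.DeviceInfo.ManufacturerOUI"]
        ET.SubElement(dev, "SerialNumber").text = self.params["Device.DeviceInfo.SerialNumber"]
        ev = ET.SubElement(ET.SubElement(inform, "Event"), "EventStruct")
        ET.SubElement(ev, "EventCode").text = event_code
        return ET.tostring(env, encoding="unicode")

    def run_session(self, acs, event_code="6 CONNECTION REQUEST"):
        """CPE-initiated session.  Returns the names of changed parameters,
        or None if no session was established."""
        # Stand-in for TLS server verification: only the provisioned ACS is accepted.
        if acs.url != self.params[self.ACS_ONLY + "URL"]:
            return None
        reply = acs.handle_inform(self.build_inform(event_code),
                                  self.params[self.ACS_ONLY + "Username"],
                                  self.params[self.ACS_ONLY + "Password"])
        if reply is None:                      # ACS refused our credentials
            return None
        for name, value in reply:              # SetParameterValues from the ACS
            self.params[name] = value
        return [name for name, _ in reply]


class ACS:
    """Provider's auto-configuration server (in-memory stand-in)."""

    def __init__(self, url):
        self.url = url
        self.accounts = {}   # (oui, serial) -> (username, sha256(password))
        self.queue = {}      # (oui, serial) -> [(parameter, value), ...]

    def enroll(self, oui, serial, user, password):
        self.accounts[(oui, serial)] = (user, hashlib.sha256(password.encode()).hexdigest())

    def handle_inform(self, inform_xml, user, password):
        """Authenticate the device, then hand back its queued changes."""
        inform = ET.fromstring(inform_xml).find(f".//{{{CWMP_NS}}}Inform")
        key = (inform.findtext("DeviceId/OUI"), inform.findtext("DeviceId/SerialNumber"))
        expected = self.accounts.get(key)
        if expected is None:
            return None
        digest = hashlib.sha256(password.encode()).hexdigest()
        if not (hmac.compare_digest(expected[0], user) and hmac.compare_digest(expected[1], digest)):
            return None
        return self.queue.pop(key, [])


def demo():
    """Provider rotates a default admin password, as the thread describes."""
    acs = ACS("https://acs.example.net/cwmp")           # assumed ACS address
    acs.enroll("001122", "SN0001", "cpe-SN0001", "cpe-secret")
    cpe = CPE("001122", "SN0001", acs.url, "cpe-SN0001", "cpe-secret")
    acs.queue[("001122", "SN0001")] = [("Device.Users.User.1.Password", "x7!Qm2pL")]
    rogue = ACS("https://evil.example.org/cwmp")        # not the provisioned ACS
    assert cpe.run_session(rogue) is None
    return cpe.run_session(acs), cpe.params["Device.Users.User.1.Password"]


if __name__ == "__main__":
    print(demo())
```

The point the model makes: the knock from outside can only trigger the CPE to call the server it was provisioned with, a server at any other address gets no session, and the ACS must present the device's own credentials before any `SetParameterValues` is honoured. A real stack adds TLS with certificate validation and HTTP digest authentication on both legs; those are the "multiple layers" the post refers to.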