
This is one of the main reasons I bought my own docsis 3 router for about $100 6 years ago. Comcast doesn't have access to it. The other bonus is you save a lot of money over the years by not having to rent it from Comcast, every month for the lifetime of your service. It pays for itself the first year. You give up pay per view/on-demand which never affected me, but something to consider if he uses that. I think you can still get ppv but have to call in or something and can't just order it using the remote, but my memory on that is foggy since I never use ppv. They make good Christmas presents and saving the FIL money always builds up the brownie bank :)



If you’re with Comcast, then it’s very likely they do have access to the modem, even if you own it.

A cable modem is somewhat “trusted” from the perspective of the network: cable is physically a shared medium, and a malfunctioning or malicious device can disrupt service for everyone on the same physical cable segment. There’s no way for an ISP to remotely cut off a bad device.

This means cable ISPs demand tight control of the equipment connected to their network, including remote configuration and firmware updates. Comcast enforce this by limiting activation to a list of approved devices, and there’s a certificate-based scheme to try and prevent spoofing an approved device.

Historically, the cable modem also enforced download and upload speed limits as well, giving ISPs another reason to keep modems under tight control, but I don’t know if that’s still the case.

If you distrust Comcast, then you should treat your DOCSIS device as hostile even if you own it, and put it behind a router you do control instead of using a combined modem/router.


If he only paid $100 for a modem and it was brand new, it likely wasn't an all-in-one station like what large ISPs are trying to push. Cheaper/dumber modems severely limit the amount of control Comcast have and how much they can fuck up your network with a bad update. They can't mess up your wifi settings if the box they control doesn't even have a wireless radio on it.

"Dumb" modems are a lot more reliable simply because there is nothing for them to patch inside. They don't have a complex OS running a wide range of services that need regular updates (managing a TV, wifi, file sharing, etc.).


> simply because there is nothing for them to patch inside

Cable ISPs still regularly push firmware to compatible modems on their network, standalone or combo modem/router, rented or owned

If it runs on their network, they have the ability to flash it (and they do)

It's a lot less control than your wifi/router settings, obviously, but it's still a thing


Yeah, if it’s just a modem with a separate router that’s fine, but I think you can get an entry level all in one for around $100 now?

I see at least one on Amazon, but it’s hard to tell if it’s refurbished, which most at that price point are.


And how do they do this? They have a team dedicated to hacking modems? More seriously, many cable modems have a setting "allow ISP to update settings". You can disable it and then the ISP cannot access it, full stop.

They can however very easily block it. Especially if their contract prohibits using your own modem.


Do you have an example of a cable modem that blocks remote setting updates?

Both remote configuration and remote software updates are MUSTs in the DOCSIS spec[1], and my understanding is that the information in the configuration file is technically required for the modem to communicate with the headend for anything more than bootstrapping. There’s no way to turn this off and have a functioning modem.

CableLabs enforces adherence to the DOCSIS spec, and there’s a certificate scheme that ensures that only certified devices gain access to the network, so I don’t see how a non-compliant device that allows users to block updates completely could ever be used with most ISPs. (I’m ignoring the possibility of extracting a valid certificate from a compliant device, of course—I’m talking about buying a non-compliant device off the shelf.)

There’s another configuration protocol, TR-069[2] which is more concerned with configuring the Wi-Fi side, and this is usually under user control in user-owned devices. This might be what you’re thinking of?

For ISP-owned DOCSIS devices, even if the user switches TR-069 off, it could potentially be silently re-enabled by a remote software update.

[1] https://www.cablelabs.com/wp-content/uploads/2015/08/CM-SP-O... (section 8.2.2 and 8.2.3)

[2] https://en.m.wikipedia.org/wiki/TR-069


Yes, sorry, I was talking about TR-069.

I meant the Wi-Fi settings and I made the same error as most: I wrote "modem" and meant "Wi-Fi router with built in modem".

Bottom line is, we agree, ISPs can be blocked from changing *WiFi* settings.


It's incredibly common to see misconceptions between modems, gateways, routers, etc. I think this confusion is exacerbated by the fact that Comcast and most other coaxial cable (even if they're fiber, if the output is coax to your unit, it's going to be coaxial for this purpose) systems.

Comcast/Xfinity offers combination devices, which include a wireless router and a modem, in the same box. The only thing you need to connect to a coaxial broadband network is the modem. This is freely available. The only catch is that unless you buy a combo device like what Comcast gives you, you still need a wireless router if you decide to buy your own modem. You should probably do this though, because combo devices that include wireless routers tend to age poorly (thermally).

A modem will speak DOCSIS 3.1, which is a protocol that gives a lot of trust/control/authority to Comcast. They effectively can push updates to it, configure it, remotely administer it, etc. However, these are NOT functions they have if you buy your own router and connect it to the modem. If you go this route, you have full authority over your LAN and you can do whatever you please. The only thing Comcast can update is the stuff that speaks DOCSIS -- the modem.

The catch is that with the combo devices that they ship out, those devices include remote administration and firmware control for the entire stack. They can remotely push everything.

I don't like to be pedantic, but this is critical. DOCSIS 3.1 modems that aren't combination devices cost just as much as good wireless routers, if not more. So $100 isn't a good estimate of what most people would have to pay, unless they already have a router they'll use. It's going to be the cost of the modem and the cost of the router. The upshot, obviously, is that you can really spend a lot of money and go all out (e.g., buy a pfSense router, UniFi switches, access points, and a good DOCSIS 3.1 modem, and have a really nice LAN), or you can opt for a budget router instead. You get to pick one of the most important pieces of the equipment -- the router -- instead of being stuck with what Comcast gives you (probably a used/preowned combination device).



