(The following post was rejected by the moderation of the Cryptography mailing list as "inappropriate", so I am posting it here, instead.)
probably the telco has their own [administration interface] for the DSL [modem].
Having had jobs where I had access to the management and configuration UIs for various brands of head end units for DOCSIS [cable modem] and for DSL systems, and for various brands of remote management tools for customer side equipment control for DOCSIS and for DSL, all in lab settings: I flat guarantee that the telco has their own management access to your DSL modem, and that that management control can see both the CSE and CPE sides of your modem.
When we were lucky, the modem lets the telco change the credentials to the telco admin interface. All too often, it was fixed to a hard default by the modem manufacturer.
IMO, one of the deeply fundamental problems with both DOCSIS and with DSL is that the telco has to trust the equipment installed at the customer's site, and thus cannot allow the customer to randomly play with what it can be configured to do. (For example, at least in 2004, DOCSIS 1.1 and DOCSIS 2.0 did bandwidth caps in part on the terminal side, instead of at the head end.) This is the kind of deeply stupid design error that only someone breathing the telco / bellhead koolaid can make.