AT&T can reach into your LAN

It appears that AT&T can reach inside your intranet. I was having some WiFi issues with an older AT&T 2Wire Gateway so a quick online chat yielded a replacement Gateway that arrived this morning. I was prepared for the usual “change the default WiFi access point names & passwords” routine but, in the printed instructions for the swap, AT&T says “your WiFi settings will automatically transfer from your old Gateway to the new one.” How is this possible? I did not run any special app or send any config file to AT&T. I just unplugged all the cables from the old Gateway and plugged in the new one. 15-20 minutes later, the WiFi settings on the new Gateway had been changed to the old Gateway’s settings so all my devices (phones, computers, even my security camera!) were reconnected automatically.

AT&T can’t be planting an invisible config file on -all- my devices—I could have any/all of them powered off or out of range, right? The instructions say nothing about keeping any LAN devices powered on. It would appear they could only effect this trickery by having the Gateway automatically send my WiFi settings to their mothership for storage on their servers and then pushing them back through the Gateway’s firewall to effect the WiFi re-config. Wait! If they can reach through the Gateway to the LAN side and effect changes, what else can they see or do to my LAN or devices on my LAN? And would you trust them to store your WiFi settings on their servers?

What you describe can all be accomplished by retaining settings on the gateway, which is AT&T’s province. So long as it uses the same setting such as the address on the wifi side, the other devices should be able to find it with no change on their end.

If the gateway has been disconnected, there is no WiFi information to store and, therefore, to read, unless it is stored on AT&T’s server.

I just finished a 40 minute chat with AT&T. They’ve admitted the following is exactly what they do: They read the WiFi settings, upload them to their server and, when you connect a new gateway, they reach through your firewall and write the new (old) WiFi settings to the new gateway. Nothing in their privacy policy indicates they can or will do this. However, the instructions accompanying the new gateway make is plain this happens automatically (well, at least the “wifi magic happens”).

Do you trust AT&T with access to your LAN? They’ve got it and don’t specifically publicize it.

I’m adding a router inside the AT&T gateway to keep my LAN secure.

The only thing surprising is that they didn’t mention it in advance.

When I had Verizon FiOS, the installer told me that Verizon support staff can log into the router they supply in order to read and change settings (supposedly only as a part of providing customer support).

I assume that Comcast is similar if you lease a modem/router from them. This is why you can go to the Comcast web site and configure its features from there. Their web portal uses that access to push the configurations into the equipment,

In general, if you are leasing equipment, then you should expect the owner (in your case, AT&T) to be able to access its configuration.

It’s not just ISPs, either. Linksys, for example, offers cloud-based configuration for their router products (e.g. via their mobile app). Needless to say, this means there is a way for their server to access the router’s configuration in order for that to work. You have to trust that it is secured enough that Linksys employees can’t just go stealing your access credentials.

In your case, the AT&T 2Wire system is a DSL modem/router. You should be able to configure it for bridge mode, making it into a dumb DSL modem. You would then have to purchase your own Wi-Fi router, attach it to the modem via Ethernet, and configure it for your home LAN (including disabling any remote management capabilities). This will pretty much take care your concerns - AT&T will still have access to the modem, but they won’t be able to get any further than that.

And it looks like you’re already planning to do that. Good idea.

You might also want to see if you can buy your own modem and stop leasing one from AT&T. That may save you a bit of money also will keep them out of the modem’s configuration as well.

FWIW, I’m doing the equivalent on my Comcast service. I don’t lease any equipment from Comcast. I bought a modem and a router, both of which I configured, and which Comcast can’t access. They know the brand and model of my modem, but that’s about it. The downside is that I have to perform all of my own maintenance/support for it. Not a big deal for me, but something that could be an issue for others who are less technically savvy.

2 Likes

Years ago, when I was on AT&T Uverse, I needed to use their gateway device to link between their line and my internal network. The device did not have an explicit way to turn it into a bridge rather than a router . Here is what I wrote to Tidbits about the solution:

"With respect to Uverse or other Internet providers routers, there is often an option to bypass the router function of the device and use your own router behind it. For example, on my Uverse router, I can place a device in the DMZ which gives it the Internet node address of the connection and removes firewall restrictions. Since my own Apple Airport Extreme router provides those safeguards for my network, it is safe to do this. You can also disable interfaces that you are not using (for example wireless and Powerline access from the ISP-supplied router).

Check the manual for the router. You may need to do an Internet search for it if your provider does not provide a link to it on its own web page. Note that if the specific router is not listed, it is often similar enough to another one from the same manufacturer that the same instructions should apply. For example, while Uverse router may not be listed, they usually provide the same options as a DSL router from the same manufacturer (with some additions to allow the television signal to pass through)."

2 Likes

AT&T’s gateway has embedded certificates for authentication to access AT&T’s network, so there’s no way to get around using the AT&T equipment as far as I know.

Are you sure Comcast doesn’t have some access to your modem? The last time I had a cable internet connection (I think, through Charter), even though I supplied my own modem, the company made it clear that it would push software updates to it.

2 Likes

I can’t imagine that my experience with Comcast is different from yours, but I had to provide the MAC address of both the modems I’ve purchased before being given access. And ISP’s are the only ones given firmware updates for modems, so they certainly do have access from their side. The reason I had to recently replace my modem was due to the manufacture no longer supporting it, so Comcast informed me that they would be unable to patch any future vulnerabilities or defects.

I wouldn’t describe this as reaching through your firewall to write the wifi settings. There aren’t WAN-side settings and LAN-side settings. There are just gateway settings. AT&T has access to them from the WAN side, just as you do from the LAN side.

1 Like

Respectfully, I must disagree. The line is drawn at the firewall or it’s not drawn at all. AT&T doesn’t tell you that it can reach inside for the WiFi settings until it’s painfully obvious by the behavior of the new gateway setup; and, even then, there is nothing that describes the process.

Let’s think of a Brother network printer for a moment and remember that, if you do not wish to connect it via USB during the initial setup, Brother asks you if it may turn off the Firewall for a proper configuration. This implies they are reaching through to permit the printer and the Brother mothership to communicate. But Brother is, indeed, asking for my permission and then turns the firewall back on.

One should not let the name “gateway” obfuscate the combination of separate components. Modem, router, firewall, Ethernet switch, WiFi access point, DHCP server, NAT server (and I may have forgotten more). At one time these were separate and rack-mounted in the closet. The fact that they are no longer separate boxes does not imply that LAN-side and WAN-side don’t exist any longer.

I would love to see a technical and policy statement from AT&T describing exactly what they CAN and DO access and why.

When I was still with Comcast I bought a modem and never had to supply anything to Comcast. I was always surprised that – despite Comcast being about the most horrible company besides the Cali Cartel perhaps – my 3rd party modem worked just fine upon hooking it up. No configuration, no funny business, no calling Comcast, nothing. It really just worked straight out of the box as soon as I hooked it up to the Comcast coax. It was a modem model that Comcast claimed was compatible with its network, but that was it. I bought it off Amazon. Maybe I was just a very lucky exception to the Comcast rule of eternal suffering. :wink: But I would say my experience was exactly as what @Shamino describes.

So I think we both dealt with the same Comcast and I too bought a recommended modem from Amazon (Motorola 8600) this year, so it seems my experience should have been the same as yours, but for whatever reason it was not in one important aspect. When I initially replaced my unsupported modem with the new one, it did not connect to the internet right away, so I contacted Comcast and gave them the model number and MAC address. But now that I think back on it, I now remember that she did say that she could already see the MAC address that I had given her. So I suspect that as long as my IP address had not changed that Comcast was fully aware of the replacement modem and if I had waited a few minutes the system may have adjusted itself without my needing to make that call.

Yes it does. Don’t let different names for functions obfuscate that it is a single computer with phone wire and Ethernet port(s), and a WiFi radio. A router is a simple firewall with a set of rules for what packets to drop (block) and what packets to pass through, including packets to the device itself.

It’s hardware you leased from AT&T, it’s their gateway that includes their “firewall.” The vast majority of customers are not knowledgable enough to be supported without AT&T either having remote management of their hardware or having support staff visit homes, an expensive proposition that customers would pay for (either per visit or through everyone having higher prices).

4 Likes

Comcast has always required that I call them to “setup” my new modems. I’ve bought from a variety of places, Amazon, Staples when in a rush, Small Dog. Every single time I have to call Comcast to read them numbers off the modem. I always try first but it never works until they add the number to their system. Last time was probably 2018.

Diane

Yeah, UVerse is a fiber-to-the-home service, much like Verizon FiOS. As such, it has some hardware that you probably can’t find from anybody else.

If bridge mode isn’t available, you can always just disable their Wi-Fi and attach your own router via Ethernet (your WAN port to their LAN port). This should work, but it creates a “double-NAT” scenario (addresses are translated twice) that can interfere with some services like VoIP, so it’s important to test such a scenario.

Using the DMZ as you did should also work, if there is no other option.

How annyoying. The last time I had DSL (Earthlink), the modem was pretty generic. It always “just connected”. My router used PPPoE to authenticate my login and establish the link to the Internet after the modem established the connection to Earthlink’s central office.

This is particular to cable systems. Every cable modem requires firmware updates to be pushed in by the cable company. I assume this is required by law because hacked firmware would let you snoop packets from everybody else on the cable (definitely true for DOCSIS versions 1 and 2, not sure about 3).

But I think that’s the extent of it. As I wrote, Comcast normally provides a web page for modem configuration, but that page doesn’t exist with mine. I assume that’s because it’s not leased and is a brand/model they have never leased to anyone.

Either way, a modem is just a dumb device that doesn’t have enough intelligence to be dangerous. And my router is a completely separate device that Comcast knows nothing about. Comcast definitely does not have access to it, and that’s the real demarcation between their network and mine.

The MAC address is needed so they can configure their end of the link. Remember that DOCSIS cable networks have hundreds of customers sharing a single run of coaxial cable (via splitters and amplifiers). Just like old-style thick/thin Ethernet, it means every node needs a MAC address and the bridge/router linking it to the rest of the world needs to know those addresses.

In the past, yes, you would have to give your cable company the MAC address so they could configure their equipment. These days (at least since 5 years ago), this is all automated, in much the way that Ethernet switches learn all devices’ MAC addresses (by monitoring the transmitted packets). When you connect a new modem, Comcast detects this and routes all your packets to a “captive portal” site, similar to the login screens you find on public Wi-Fi hotspots. They do this because they don’t know which account to bill the traffic to (and they have to push down parameters like rate-limiters to prevent you from using more bandwidth than you paid for and a database of DOCSIS frequency bands that they are using so you can actually talk to the central office). After you provide your Comcast login credentials, the system logs your modem’s MAC address with your account, pushes down a configuration file, maybe also pushes down a firmware update, and then remotely reboots the modem. After the reboot, it should just work.

Yes, they can push down firmware updates. And if you have a combined modem/router, you will want this. If you’ve just got a dumb modem (with a separate router), then it shouldn’t matter much. I can’t imagine how an attacker could exploit a bug in a modem (without any routing capabilities) without first taking control of the cable company’s central office. Internet traffic just passes through on its way to the router without any processing, and if any malicious packet would be delivered, they would then have to attack the attached router in order to do any real damage.

Of course, you need to be responsible enough to keep your router’s firmware up to date. A side effect of the cable company not being able to push updates is that the responsibility becomes 100% yours.

Did you unplug all cables, or all cables except the power cable? When I had an AT&T gateway/modem replaced a couple of months back, the instructions were to unplug everything except the power cable from the old gateway and plug in the new gateway, and then the new gateway pulled the settings wirelessly from the old gateway?

Dave

1 Like

Old gateway was completely disconnected from power.

ATT subsequently confirmed they store a config file of my wifi settings on their server then push it back to the new gateway through the firewall. Guess there ain’t no firewall as far as they’re concerned.

It’s hyperbole to say they are reaching inside your LAN. The reality is you’re connecting equipment to their network, so yes, they can be in control of configuring it. There’s no need to think it’s nefarious when it saves a lot of non-technical people from trying to tackle a very finicky process, and it can save AT&T from dispatching a technician too.

(By the way, unless you opt out, your Amazon Alexa devices are also storing your Wi-Fi settings for easy configuration of other devices.)

2 Likes

On the contrary: The reality is that customers are paying an exorbitant amount of money to connect equipment to their network, and that those customers should be in control of configuring it.

1 Like

You have contradicted yourself from the first sentence to the second. You may want to justify it (as does AT&T), but please don’t deny the reality simply to make excuses for the behavior.

This could have been avoided if the setup of the new gateway simply provided a dialog with the choice:
Do you want to let us reach through your firewall this one time in order to configure your WiFi settings automatically? This will let us set your gateway’s WiFi access point names and passwords to exactly what they have been with your old gateway. If you do not provide your permission, you will have to configure your WiFi settings manually.
YES - DO IT NO - I’LL DO IT MANUALLY

If you want AT&T to reach inside your LAN, that’s fine; but to do so without the express consent of the customer (and there is nowhere in their privacy policy that states they will do this) is a privacy violation for which they should have their hand slapped.

It would seem highly unlikely that it’s done out of malice, a desire to snoop or for harvesting of data, and much more likely that Gordon’s hypothesis is correct (which keeps everyone’s costs down). I’d have thought it rather pleasing to connect a new device and find that one didn’t have to go through the tedium of configuring the thing.

What factors do you take into account in reaching the conclusion that customers are paying an “exorbitant” amount of money?

Jeremy

1 Like