AT&T can reach into your LAN

Just to be clear, by “inside your LAN” you are referring only to the part of the AT&T provided/owned router that implements wired and wireless network services in your home, and not to having contact with any other device. So the complaint is basically that one side of the AT&T box should not be able to communicate with the other side of the AT&T box without user permission?

I was chairman of my city’s cable tv commission for 10 years. Logistically most ISPs have a monopoly, and monopolies exorbitantly overcharge.

What factors do you take into account in reaching the conclusion that customers are paying an “exorbitant” amount of money?


That’s an interesting turn of phrase but it is not sufficiently exact for me to provide my agreement. Just to be clear: Nothing on the LAN side should be accessible to anything on the WAN side without the express consent of the owner. Either there is a firewall or there isn’t. The gateway’s configuration page shows there is a firewall present and, in fact, provides a method by which I may modify the settings. So there is, indeed, a firewall. You may (or may not) wish to argue that dropping the firewall for a beneficial purpose such as “auto-configuring the LAN WiFi” is permissible (or not). My point is that, without a specific notification requiring the express permission of the user during the event, it is a security violation.

Let’s consider a Cisco (name your brand) router that, oh…AT&T might want to use in its corporate HQ. Let’s assume that Cisco had a firmware update that it considered beneficial and necessary. Should it be able to pass through the firewall and do this beneficial update without the express permission of the IT admin? Of course it should not. Cisco would be pilloried in the press for such a misdeed. This is exactly that same thing as the thread topic. Someone needs to provide express permission and that is not being done. It doesn’t matter whether the user is an IT admin or a noob; in fact, maybe it’s more of an issue for the noob because he/she is being kept in the dark (where a noob resides).

I would suggest that this ability to auto-configure the LAN WiFi settings have a software toggle in the gateway settings. But hiding it in the settings doesn’t resolve the issue because it’s not just whether it can be done but that it can be done without express consent.

At the risk of going off-topic, a few years ago I tried to replace my Apple Time Capsule network with an Orbi mesh network. I had difficulty getting it to work with my devices and finally gave up when I came to a request (demand) to register online. I didn’t see any reason that my wifi network should be registered in this way.
Unfortunately the Time Capsule wifi had become unreliable and I eventually replaced it with a new gateway/router from my ISP (Telstra) that came with our (woeful) NBN rollout in Australia.
So I now probably face the same situation as ATT customers in the USA - I have no say in Telstra’s access to my gateway.
It is regrettable that Apple dropped its networking products. I still use the Time Capsule for network storage and as an ethernet hub but have wifi turned off.
(PS I got a refund for the Orbi)

How do you know it is? It just sounds like your WiFi config is stored both on the WAN side (so AT&T can store it to configure new devices) and the LAN side (so your devices can connect to the WiFi), at least conceptually.



Just addressing the cable modem part of any box, I strongly suspect that Cisco does allow firmware updates from the WAN side, as I believe all cable modem manufacturers must. As an example, here is an official statement by Motorola about firmware updates to their modems https://motorolamentor.zendesk.com/hc/en-us/articles/216091737-How-do-I-update-the-modem-firmware-

Sure, as I said “conceptually.” Here’s a perhaps better analogy. When you post a message here, you’re sending a message from inside your LAN (your computer, via a web browser or your email client), to outside your LAN (TidBITS’ servers). In the AT&T case, you’re sending WiFi configuration from inside your LAN (your computer, via a web browser or application) to outside your LAN (AT&T’s servers), (as well as somewhere else inside your LAN, the LAN side of the gateway). In neither case is the receiving server (TidBITS’, AT&T’s) able to “reach into your LAN”, it’s just storing data you’ve sent it (and by accessing those servers you can pull stored data back inside your LAN, to read a comment/article on TidBITS, or configure a new gateway).

No, -I- did not send my config anywhere. ATT stole it without my permission; then, without permission, they reached into my LAN and deposited data.

We put people in jail for hacking networks in this manner. When you dismiss it as beneficial, you show an astonishing lack of understanding of the law. When a person throws a hand grenade into a crowded bank, his cry that he “hopes to God no one gets hurt” is no excuse.

This was hacking.

Have you examined the Terms & Conditions attached to your AT&T account? If they are like the T&C shown on AT&T’s website, they grant AT&T a fair amount of latitude on what they do inside the equipment they own, including specifically the gateway.

Yes, as I’ve written a number of times, I’ve read them and there’s no mention of this at all.

Check in particular sections 7.a and 7.b (emphasis added):

7. Equipment & Software

a. Customer Equipment.

Other than the equipment and/or software provided to you by AT&T for use with the Service (collectively, the “AT&T Equipment”), you must provide all equipment, devices, and software necessary to receive the Service. Any equipment or software that was not provided to you by AT&T, including batteries, is not the responsibility of AT&T and AT&T will not provide support for, or be responsible for ongoing maintenance of such equipment.

Regardless of whether the equipment used to access your Service (modem, gateway, or otherwise) is owned by you or AT&T, AT&T reserves the right to manage such equipment for the duration of your Service and retains exclusive rights to data generated by the equipment. Neither you nor a third party may change, interfere with, or block access to equipment, the data or settings while you continue to receive the Service.

b. AT&T Equipment.

Any AT&T Equipment, including modems, routers, antennas or gateways, will be either a new or a fully inspected and tested refurbished unit.

AT&T will repair or replace damaged AT&T Equipment as AT&T deems necessary and may charge you a fee for repair or replacement of the equipment. You understand that repair or replacement of equipment may delete stored content, reset personal settings, or otherwise alter the functionality of such equipment.

from Terms of Service - Legal Policy Center - AT&T


This is why you should never use the router provided by your provider. Buy your own…and if cable your own modem as well…and configure them, that way they have no visibility inside your LAN. With those T and Cs…they clearly reserve the right to manage your gateway…but if they don’t have the password and you’ve turned off WAN management as you always should…then their reserved right in the conditions is meaningless.

I’m ordering a router and will disable the Gateway’s WiFi. I’m wondering how to avoid double-NAT but going through my router’s WAN port would seem to be the only way to resolve the privacy issue.

This is what I’ve done with my AT&T setup (long ago for reasons I don’t remember anymore), but I left the Gateway’s WiFi on and give it to guests if they need WiFi. I suppose there could be interference from having concurrent networks in the same basic location, but I haven’t noticed any (not to mention I live in an urban environment and there are dozens of other WiFI networks visible).

Check with ATT…you may be able to give them the MAC address of your router and take theirs out of the picture completely. If not…put a static IP into the WAN side of your router and use a different subnet on the LAN side of yours…anything in the 10.x.x.x or 192.168.x.x range will do. I’ve done this in the past and never had any issue with double NAT but maybe I just wasn’t going to any site where that made a difference…from an IP networking standpoint it shouldn’t really make any difference. Then kill the ATT wifi and whatever they can control is outside your network. I think that them controlling the LAN side of the router without your explicit permission is wrong no matter that their T and C says they can.
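An added example (my own code, not from any poster in this thread) that turns the router-behind-the-gateway advice above into a check you can run against the values your own router reports: what kind of address its WAN port received (an RFC 1918 address there means the ISP gateway is still NATing in front of you, a 100.64.0.0/10 address means carrier-grade NAT, 169.254.x.x means no lease at all), whether the LAN subnet you picked actually avoids the gateway's subnet, and whether a static WAN address is sane. The gateway subnet 192.168.1.0/24, gateway address 192.168.1.1 and the sample WAN address are constructed for the example, not taken from any AT&T documentation.

```python
import ipaddress

# Ranges that can never be a genuine public address on a router's WAN port.
# Finding one there tells you what is sitting upstream of your router.
NON_PUBLIC_RANGES = {
    "rfc1918": [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "cgnat": [ipaddress.ip_network("100.64.0.0/10")],      # RFC 6598 carrier-grade NAT
    "link-local": [ipaddress.ip_network("169.254.0.0/16")],  # no DHCP lease was obtained
}


def wan_address_kind(addr):
    """Classify the address the router obtained on its WAN port.

    'rfc1918'    another NAT router (the ISP gateway) is in front of yours: double NAT
    'cgnat'      the ISP itself is NATing you; nothing on your side changes that
    'link-local' the WAN port never got a lease; check cabling/DHCP first
    'public'     your router is directly on the Internet
    Documentation ranges (e.g. 203.0.113.0/24) are treated as public for simplicity.
    """
    ip = ipaddress.ip_address(addr)
    for kind, nets in NON_PUBLIC_RANGES.items():
        if any(ip in net for net in nets):
            return kind
    return "public"


def pick_lan_subnet(upstream_lan, candidates):
    """Return the first candidate LAN subnet that does not overlap the gateway's LAN.

    The same subnet on both sides of your router breaks routing, so the
    'use a different subnet' advice is a hard requirement, not a preference.
    """
    upstream = ipaddress.ip_network(upstream_lan, strict=False)
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=False)
        if not net.overlaps(upstream):
            return str(net)
    return None


def check_static_wan(addr, upstream_lan, upstream_gateway):
    """Validate a static address for your router's WAN port inside the gateway's LAN."""
    ip = ipaddress.ip_address(addr)
    net = ipaddress.ip_network(upstream_lan, strict=False)
    gw = ipaddress.ip_address(upstream_gateway)
    if ip not in net:
        return "not in the gateway's LAN"
    if ip == gw:
        return "collides with the gateway itself"
    if ip in (net.network_address, net.broadcast_address):
        return "network/broadcast address"
    return "ok"


if __name__ == "__main__":
    # Constructed sample: ISP gateway on 192.168.1.1/24 handed 192.168.1.64 to our router.
    gateway_lan, gateway_ip, our_wan = "192.168.1.0/24", "192.168.1.1", "192.168.1.64"
    print("WAN address kind:", wan_address_kind(our_wan))
    print("LAN subnet to use:",
          pick_lan_subnet(gateway_lan, ["192.168.1.0/24", "192.168.2.0/24", "10.0.0.0/24"]))
    print("static WAN 192.168.1.2:", check_static_wan("192.168.1.2", gateway_lan, gateway_ip))
```

If `wan_address_kind` reports `rfc1918`, the ISP gateway is still the device doing NAT toward the Internet and whatever it stores or changes on its own LAN side is now outside your network; if it reports `cgnat`, swapping the gateway for your own modem will not get you a public address either.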

If it’s Fiber then what is coming out of the LAN side of the fiber modem is just Ethernet and you can run it straight into your router…that’s what I did with my FIOS and it just worked as the ATT equipment stopped at the WAN side of the modem which I’m happy to have them control.

See my note earlier this thread for some tips about doing this. Note that I left AT&T several years ago, but the general technique should still work.

I searched my tech shelves and found an Apple AirPort Extreme (the 6.5"x6.5"x1.25" model from a few years back). It was a simple matter to connect its WAN port to my AT&T Gateway and one of its LAN ports to the Ethernet switch to which all wired devices I have are connected. Then I connected all the wireless devices to the AE’s WiFi. Presto! Now my LAN is protected from AT&T. I don’t do any gaming so the double-NAT doesn’t interfere with anything. Network throughput seems the same as before.

I want to reiterate my concern as being one of “they’re probably not doing anything nasty, but why worry?”. But they do need to have a means of warning their customers that the firewall is being breached and LAN settings are being changed in a more serious and truthful manner. With the setup paperwork declaring that the “WiFi settings will automatically transfer from the old Gateway to the new one”, it’s actually “we stole your wifi credentials and stored them on our server, then breached your firewall again and changed your wifi settings on the new gateway”.

Again, no protestation of benign intent is sufficient to mitigate the breach. If you believe it does, please PM me with your credentials so I have the ability to come into your LAN. I promise I won’t do so. Don’t you trust me?

This seems excessive.

The router shouldn’t matter. The problem is that AT&T apparently needs some special authentication mechanism for the DSL modem part.

I still think it may be worth calling them to see if you can configure your own modem for your account. The tech these days is pretty standard.

With FiOS, it depends on what services you subscribe to. If all you have is Internet access, then yes, you can do this. You can have Verizon configure your ONT output for Ethernet and use any router you like.

If you subscribe to FiOS TV services, then they need to use coaxial output (for the set-top boxes) on the ONT. You’ll need a router with a MoCA transceiver built-in (as is the case for the ones Verizon provides).

Also, some TV services may break if you completely remove Verizon’s router (vs. using yours in addition to theirs). The Verizon FAQ on DSL Reports has several pages talking about this.

A good starting point is Do I have to use Verizon’s router?, and the correct answer really depends on what services you subscribe to and which ones you are willing to let break (e.g. remote access to your DVR or on-screen caller ID popups).

See also What are the tradeoffs between the various router configurations