AT&T can reach into your LAN

By the way, after reviewing the instructions AT&T provided, they want you to keep the old Gateway plugged into power while you connect the new Gateway and say the new Gateway will get the settings from the old Gateway. I completely disconnected the old Gateway prior to connecting the new Gateway so their bullsh-t about the old Gateway transferring its settings to the new Gateway is just that. The only way the new Gateway could have been given the old Gateway’s WiFi settings is exactly as I suspected (and then confirmed by an AT&T tech supervisor). They stole my credentials, stored them on their server (at least since I renamed the network and provided a new password some years ago), and then breached my network again in order to configure the WiFi settings of the new Gateway.

And that is the plain and simple of the situation. If I did that to AT&T’s corporate firewall, they’d have the feds at my door in a New York minute, even if I didn’t actually do anything evil.

It seems very possible that the device has an automated setup script that looks for a configuration file for your account online and downloads and applies it on the user’s behalf, rather than AT&T pushing a file to your device. (So AT&T is not pushing something past your firewall but instead pulling a file from inside.)

That could be true…but if AT&T is uploading the user’s LAN details, WiFi password, and router admin password and config to their server without specific permission from the user…that is a problem. The user then has his WiFi and admin passwords potentially compromised…we’ve seen over and over how supposedly smart, secure companies get hacked. I would agree that for the technically clueless this might lower the AT&T support load…but essentially stealing the WiFi and admin password without specific user permission is just wrong.

Doug Miller wrote:

It seems likely that’s exactly what they’re doing, and I 100% agree that it’s a problem even if they pinky swear that they’ll never abuse that information and promise that their systems are “unhackable” due to their use of “military-grade encryption.” :expressionless:

It is possible that the AT&T box follows best practices [poster trying not to laugh] and internally stores the user credentials as salted hashes and does not keep the plaintext password anywhere. They could then store the hashes on their servers with relative safety, and pass the credentials on to a new box without ever having knowledge of the actual credentials. In fact, using such a system they wouldn’t even be able to sign into the customer equipment to compromise the firewall.

On the other hand, if they have the capability to remotely install firmware updates then it’s security-game-over in any case. Your only defense is to place your own firewall equipment immediately LAN-side from theirs.
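The salted-hash idea from the post above, as an added Python sketch (not part of the original thread and not AT&T's code). The record layout, the iteration count and the `replace_gateway` step are assumptions made for illustration. It also goes one step beyond the post by showing the standard WPA2-PSK key derivation, because the WiFi key behaves differently from an admin-login hash.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumed work factor for this sketch


def make_record(password: str) -> dict:
    """What a gateway could store and upload: salt + hash, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"alg": "pbkdf2-sha256", "iter": ITERATIONS,
            "salt": salt.hex(), "hash": digest.hex()}


def verify(record: dict, attempt: str) -> bool:
    """Runs on whichever gateway holds the record, e.g. a replacement unit."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]), record["iter"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def replace_gateway(server_copy: dict) -> dict:
    """Hypothetical provisioning step: the new box imports the stored record."""
    return dict(server_copy)


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK derivation: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes.

    Unlike the admin-login hash, this derived key is what the access point
    uses directly as the network secret, so a stored copy needs the same
    protection as the passphrase itself.
    """
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    old_box = make_record("constructed-admin-pw")
    new_box = replace_gateway(old_box)
    print("correct login on new box:", verify(new_box, "constructed-admin-pw"))
    print("wrong login on new box:  ", verify(new_box, "guess"))
    print("WPA2 PMK:", wpa2_pmk("constructed-wifi-pw", "ExampleSSID").hex())
```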

So it’s a trojan horse they’ve planted.

And that’s exactly what I’ve done using a spare Airport Extreme I scrounged from a pile of hardware. Problem solved. I use a VPN often, as well.

As I’ve stated a couple of times already, all ISPs have the ability to install firmware updates to modems on their network and have always routinely done so. AFAIK, no modem manufacturer has ever made such updates available to any user.

That’s different, of course, from what’s being alleged here about access to the LAN configuration of a router.

A few years ago I had a Comcast home Internet account and they configured the modem as a bridge for me. I used a firewall appliance behind the modem to do the DHCP serving and separate the LAN from the WAN, which avoided the double-NAT issue. If you have Comcast business internet, you get a group of valid static IP addresses to use on your LAN, and their modem operates as a bridge by default.

I would be interested in hearing some verified factual information regarding this issued ISP behavior, rather than just opinions based on what appears to be speculation.

Storing a CPE (Customer Premises Equipment) configuration file which may have encrypted local passwords and then downloading it back to the CPE does not necessarily constitute either ‘reaching into your LAN’ or bypassing any firewall function. One common service required by users is reset of the gateway access password used to configure local options like SSIDs and port forwarding. The ISP can reset the password to default, but has no mechanism to utilize a locally changed password. All this takes place at a lower or separate level than IP traffic handling.

Another point is that, so far, there have been no reports of deliberate back doors installed by ATT, Comcast, Spectrum, or other ISP via CPE software. There is no business case for doing so, as it would eventually become both a support and PR nightmare.

From another, mostly orthogonal view, NAT or double-NAT is not an issue for IPv6 users. This means that one can connect a local router which accepts DHCP-PD for configuring local IPv6 prefix usage. Access control for local IPv6 connections is optional both in ISP-provided CPE and locally-provided CPE.

3 Likes

Okay, here are the relevant portions of the chat I had with AT&T (and I’ve emboldened and/or italicized where appropriate):

Me : Okay, so where are the wifi credentials stored when the old gateway is no longer available to talk to the new one?
Punita : Let me explain in detail.
Punita : ATT server maintains all the information. When we send a box to the customer we maintain the record on the server it called the ATT network server. When ATT sends the gateway and technician/self installation is complete the gateway gets activated on the network server and the serial number for the gateway gets registered under customers name/account and online user ID.
Punita : This is to ensure no two customers have the same serial number.
Punita : Now when the gateway stores the serial number ATT stores all the information related to the gateway including your network password and the devices connected to Internet.
Punita : This is to ensure no data breaching happens and when a device connects to Internet only when the server verifies the password through the ATT network server the device can connect to Internet.
Punita : This is a policy that every network provider follows to avoid any fraud access.
Punita : Say for instance if AT&T does not store this information anyone who can view your wifi name can access the internet.
Me : That last statement makes no sense.
Me : The password is stored on the LAN side of my network.
Me : Not on the WAN side
Punita : It is always stored on the AT&T server.

I rest my case. This is not speculation. This is factual information from the AT&T tech supervisor. Regardless of whether this is rationalized as a customer convenience, it is certainly AT&T hacking my network for information that was private (my wifi passwords, at least), stealing it for storage on their server and, once again, hacking into my LAN to alter the settings of my wifi. Again, please do not go down the path of “oh, it’s for your convenience” because that is totally beside the point. This was a network hack and they need to own up to it, update their printed instructions so that they aren’t lying (the old gateway sends the info to the new gateway when it’s still powered up - my old gateway was already in the box for shipment back to them - the old gateway has nothing to do with the new gateway at this point), and provide a plain English EULA that truthfully deals with the issue; finally, they need to provide a switch in the settings that lets those of us who wish to prevent this behavior block AT&T from breaching the Gateway’s Firewall.

Interesting discussion.

A few points. But first let me state that I manage networks for some clients.

This discussion in general seems to be conflating the management of a network/device with the USE of a network or device. Terms like “firewall” apply to the use of a router/gateway, NOT to the management of said device(s).

Anyone who is managing a device gets to know almost everything about said device. If you don’t want that person or entity to know such things then you can’t allow them to manage. That is it. Like it or not.

Now with AT&T, they, as a very large corporation that wants fat profit margins to keep stockholders happy, want this to be as assembly-line as possible. Which means for consumer accounts “here it is - use it” is the corporate motto. Period. Full stop.

Now if you don’t want them to see past their device or even into it for your settings you either have to put it in bridged mode or use the DMZ settings. Neither option is typically in the flimsy docs included with their install kits. At times (with AT&T from experience) the person on the phone can help out, but many times you just get to find the manual online and make the changes yourself. (And tell the client to never never ever call the AT&T support without talking to you first or things will be put back to dumb consumer mode and break everything you have set up.)

And AT&T’s corporate decision is this is it. Take it or leave it. And as Ernestine would say, “we’re the phone company, we don’t have to care.”

Now if you do set up their device into bridged mode or use a DMZ function then you are managing everything past their box and they will have no access to it. But you are now responsible for all of it. If that’s what you want great, you’re there.

My son is a level 3 support manager for a tech firm and during college was a level 1 support tech for AT&T business customers. The level 1 guys have scripts. If they leave the script they can get fired. That’s just the way it is. And for someone like AT&T, level 2 folks know more and have a bigger set of scripts but still have to stay in their lanes.

As to what the level 1 and level 2 guys say about policies, they are again reading from a script or making it up. My wife just retired from 30 years at a major airline, 18 of that “on the phones”. And yes, it can annoy everyone when the customer wants to do something not in the script.

3 Likes

I’m going to say some things that many people might find unhelpful or offputting or irrelevant. I’m sorry.

I try to take a sort of foundational approach to privacy or security. First, I assume that privacy doesn’t exist in our world. We pretend that it does, to help us get through the day, but it doesn’t.

In a college creative writing class, we had to keep journals. The question of privacy came up. The professor told us never to write down anything that would embarrass us if it were found. That solves the problem. The best way to keep a secret is not to tell anyone.

I keep these assumptions in mind. I also read the Take Control Books on the subject and related web sites. Security researchers discuss assessing your level of risk. It’s individual, varying from person to person.

I don’t do anything personal on the internet. I avoid online banking and investing; I have no use for Facebook, Twitter, and the rest; I use ProtonMail, DuckDuckGo, Firefox, and security extensions like uBlock Origin; I avoid buying anything from Apple, Amazon, Google or Microsoft; I try to avoid putting my real name, address, and phone number on the internet; I avoid cloud computing or any kind of “syncing”; I use a password manager, Radio Silence, and Launch Control. I don’t own a cell phone. I don’t give my email address to the many people who ask for it. I found a way to erase my house from Google Maps.

This is old hat to most people here. My assumptions prevent me from being surprised or disappointed at human behavior in the 21st century.

Usually.

I’m sure that ATT has information about me it shouldn’t. So does Apple, Google, etc. So does the government. But one can do only so much. The rest is out of our hands.

When people don’t recognize limits, when their behavior isn’t guided by some kind of moral brakes, they do whatever they can get away with—pushing until someone pushes back. The question then becomes: How far is too far? I guess we’ll find out in time.

Seems to me that this discussion has run its course, so let’s wind it down.

2 Likes

It’s the terminology of “reaching through the firewall” that’s ambiguous. A firewall is a mechanism for enforcing an access policy. The policy AT&T has configured may be undesirable from your perspective. Whether they are “reaching through the firewall” depends on where the firewall is located relative to the WiFi settings, and what access policy the firewall is designed to enforce.

The fact that they can configure the WiFi settings on your DSL modem doesn’t mean they can access other devices on your LAN. From AT&T’s perspective, being able to help customers by configuring their WiFi settings for them is a customer service.

1 Like

@countermoon wrote: “How far is too far? I guess we’ll find out in time.”

Big mistake using your dog’s image as your avatar. I ran face recognition on it. I’ll post your dox later.
:wink:

For what purpose? I pay a rate (which is actually a bargain in these days when clean water is becoming scarce) to the local water company to deliver potable water to my home through their infrastructure, past a water meter, to the head of my plumbing system. Their water meter has a seal on it, and these days has a telemetry system on it so that the number of cubic feet that has passed the meter is reported back to them.

Should I insist that it’s my prerogative to configure the meter as I see fit? Should I have the right to hire a plumber to cut their meter out completely and substitute one from a third-party vendor? Hey, leave out the professional plumber, because I want my meter installed exactly as I choose?

Everything past the meter—pipes, fixtures, water features, whatever—is mine to use as I please. The water system up to the meter belongs to the public water authority, and it has to function in a standard way for the good of all its customers.

Cable modems that are leased belong to the cable company, as does everything up to the point where their coax touches your local infrastructure. We have one option with modems that we don’t with the water company: we can decline the lease on the company’s cable modem and supply our own, as long as it meets technical standards and is configurable by the cable company.

There is no “should” about customers configuring the modem. Everything past it (including the length and color of the cable plugged into the “out” port) is up to you, but the modem itself is part of a system that is supplying many customers. I have no legitimate reason to control the modem itself, and in fact I want my ISP to control it.

I do have many, many legitimate reasons to control the entire LAN behind that modem, and control it I do.

3 Likes