by sp00ls 3217 days ago
Not nearly as large as ATT U-Verse but I found a similar vulnerability in the modem I was provided from a rural DSL provider a few years ago.

It all started when I called to get the admin credentials so that I could open a port. They refused, stating that they use the same PW on all of them so they couldn't provide it to me.

After a day or 2 I found a vulnerability in the WebUI that dumped the password to my browser. Did a Shodan scan and found hundreds of these modems connected to the internet. What they said was true, that password worked on the 2-3 I tried just out of curiosity.

I tried reporting my findings to them but they didn't seem to care. So I just changed the password on the one provided to me and let it be.

Now I live elsewhere and use my own purchased modem/firewall/wap. Can't trust ISPs to care about your security.

2 comments

>Can't trust ISPs to care about your security.

This is the kicker here:

You SHOULDN'T trust an ISP to care about your security - just like you shouldn't trust the water company to select which Faucet/Shower head you install in your bathrooms.

Raw pipes to info == raw pipes to water (interesting aside, the Mayans always equated thought as being symbolized by water)

I am paying the water company for pipes to my house, I choose which faucets/shower-heads and what use the water is consumed for.

Imagine if the water company charged me a different rate for Kohler Faucets used in the kitchen for washing my dishes, vs a Home Depot Hose used in the garden to water my plants? I pay the water company for the volume of water consumed. I pay the ISP for the bandwidth (volume of data) consumed.

Further, if the ISP is ostensibly providing my security to literally anything, then, by contract, they are assuming some of the risk? If "what we do is for your protection" -- then they assume full/some liability.

The water company provides zero such assurances. A broken pipe/leak/flooding/damage has no effect on the water company, my agreement/bill with them.

Further, the water company isn't injecting "paid supplements" (aside from fluoride, which we can equate to NSA backdoors in this example) into my water supply without my will (ads) -- they don't feed me a % of Gatorade in my water supply because Gatorade has a deal with the main faucet - or fertilizers into the garden hose because of a deal with Monsanto.

Source: My family owns an actual water company.

We're talking about the water equivalent of having the feed to your house that first goes through an open rain barrel at the front of your house, something anyone passing by could lob cigarette butts or other garbage into.

You'd ask the water company "can't I provide my own connection to the water" and they'd say "No". Then you'd want another water company, but no such company exists because they're a monopoly.

At that point you'd be better off collecting water from your roof and filtering it yourself. The water company is not helping.

uh... no we are not.

Please explain yourself further, if I am missing your point.

Thanks

If the water company is the only water provider and they require you to use the specific faucet or they don't give you water, good luck arguing with them with the fancy words and ideals.

In reality, water is considered a utility but internet is not. Therefore the water company can do much less than the ISP.

How is internet not a utility?! Some day people will look back at today and shake their head.
If the INTERNET company is the only INTERNET provider and they require you to use the specific MODEM or they don't give you INTERNET, good luck arguing with them with the fancy words and ideals.

--

WTF state do you live in?

Unfortunately, on Uverse you are required to use the ATT-provided CPE (due to 802.1X authentication).
Nah, all you have to do is redirect 802.1X traffic to their device and you can use whatever device you want.

I have my EdgeRouter performing this function currently.

Any tips or pointers on how to go about this?

EDIT: Never mind, I have (bonded) VDSL running through a 5268AC so I don't think I'll be able to do it. If it was "normal" Ethernet it would be possible.

Theoretically, it should be possible for VDSL too. If you can find something to do bonded VDSL in real bridge mode, you could probably hook up the 5268AC to that with the Ethernet WAN port, and if that works, you could proxy the 802.1X auth there too.
I just returned my EdgeRouter for a USG. I had no idea this was possible. Damn.
How much bandwidth do you lose? I have AT&T fiber and I want as close to 1Gb as I can. Someone else I saw online did something similar with an EdgeRouter and he lost a ton of speed.
So there are two ways to add your own equipment. I don't know what method the person you're talking about used.

The first: you can put the modem in 'DMZ Plus' mode, which is the closest you'll get to a bridge mode. This is where you'll lose bandwidth but it's easier to set up.

The second, which I recommend, is to connect your router to the ONT directly, and use their modem as a client on your network. You have to set up some rules to hook up the 802.1X traffic but otherwise the att modem is no longer in the picture. I haven't lost any bandwidth and I can't imagine that att's provided cheapo box would be faster than an EdgeRouter.

The DMZ Plus mode doesn't really kill much bandwidth. I get pretty close to 1 Gbit through it. Maybe 960-980 Mbit. Good enough for me. The real problem with the DMZ Plus mode is that it basically sets up a NAT to your router and the state table of the modem is somewhat limited. I've never had any problems but supposedly it might choke if you have tons of open connections.
DMZ plus mode is nowhere near bringing your own hardware and plugging it into the ONT. Everything still has to go through the AT&T gateway.

Comcast will let you bring your own modem and plug it into the coaxial. I've heard Google Fiber will let you bring your own stuff.

DMZ plus is much different than setting up an EdgeRouter to forward the authentication to the gateway. You are in much more control of your network if you don't use DMZ plus.

Wait, why? I never understood why people with ultrafast connections care so much about this. It's not like you are doing anything that remotely uses 100% of that speed most of the time.

If I had even close to a 1Gb symmetric link I wouldn't care too much if I lost a couple megabits here or there (especially in the name of security or privacy). If I had a 30mbit link that only had 1mbit uplink I'd be upset not to use the whole tube but complaining about 980mbits vs 1000 is just a waste of time.

Simply for the fact that I pay for 1Gb symmetrical and I want the speed which is closer to something like 930mbits. If I lose a hundred or more just to use my own hardware then I'm going to be upset.

I'll do some tests myself to see what the bandwidth loss is once I get an EdgeRouter.

I do 960-980 easily in DMZ Plus mode.
You can put a firewall behind it, which will at least protect you from the inexplicable open proxy.
Can you explain what is Uverse and how does it work?
Uverse is a residential DSL service offered by AT&T in the US.
But why would you need a custom modem for it to work? Can't you use a different modem and just get them to give you xDSL credentials? Login and password, enter VPI/VCI and plug it into the telephone line..? What is the "802.1X auth"?
No, you can't. It doesn't use a username/password for authentication, it uses a protocol known as 802.1X, which uses certificates (and the associated private key) that are stored on the device.

https://en.wikipedia.org/wiki/IEEE_802.1X

It's also their residential gigabit fiber service, which is bad news for me. The service is great, the Arris gateway device isn't...
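
The 802.1X exchange discussed in the comments above travels as EAPOL frames (EtherType 0x888E), which is the only traffic a customer-owned router would have to hand to the provider's gateway. As an added example, not part of the original thread: a small Python classifier that separates EAPOL from ordinary traffic and decodes the EAP method. The sample frames are constructed, and EAP-TLS as the certificate method is an assumption, since the thread only says certificates are used.

```python
import struct

EAPOL_ETHERTYPE = 0x888E                         # EAP over LAN (IEEE 802.1X)
PAE_GROUP_ADDR = bytes.fromhex("0180c2000003")   # 802.1X PAE group address
EAPOL_TYPES = {0: "EAP-Packet", 1: "EAPOL-Start", 2: "EAPOL-Logoff", 3: "EAPOL-Key"}
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_METHODS = {1: "Identity", 13: "EAP-TLS"}     # 13 = certificate-based method (assumed here)


def classify_frame(frame: bytes):
    """Describe an EAPOL frame; return None for anything that is not 802.1X."""
    if len(frame) < 18:                          # 14-byte Ethernet + 4-byte EAPOL header
        return None
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != EAPOL_ETHERTYPE:
        return None
    version, ptype, body_len = struct.unpack("!BBH", frame[14:18])
    body = frame[18:18 + body_len]
    if len(body) < body_len:                     # truncated capture
        return None
    info = {
        "to_pae_group": frame[0:6] == PAE_GROUP_ADDR,
        "version": version,
        "eapol_type": EAPOL_TYPES.get(ptype, f"unknown({ptype})"),
    }
    if ptype == 0 and len(body) >= 4:            # EAP packet: code, id, length
        code, _ident, eap_len = struct.unpack("!BBH", body[:4])
        info["eap_code"] = EAP_CODES.get(code, f"unknown({code})")
        if code in (1, 2) and eap_len >= 5 and len(body) >= 5:
            info["eap_method"] = EAP_METHODS.get(body[4], f"type {body[4]}")
    return info


def _eth(dst: bytes, ethertype: int, payload: bytes) -> bytes:
    """Build a constructed Ethernet frame with a locally administered source MAC."""
    return dst + bytes.fromhex("020000000001") + struct.pack("!H", ethertype) + payload


# Constructed sample frames (not captured from any real network).
EAPOL_START = _eth(PAE_GROUP_ADDR, EAPOL_ETHERTYPE, bytes([1, 1, 0, 0]))
EAP_TLS_START = _eth(PAE_GROUP_ADDR, EAPOL_ETHERTYPE,
                     bytes([1, 0, 0, 6]) + bytes([1, 1, 0, 6, 13, 0x20]))
IPV4_FRAME = _eth(bytes.fromhex("ffffffffffff"), 0x0800, bytes(20))

if __name__ == "__main__":
    for name, f in [("start", EAPOL_START), ("tls", EAP_TLS_START), ("ipv4", IPV4_FRAME)]:
        print(name, classify_frame(f))
```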