JimboTexas's profile

Teacher


14 Messages

Tuesday, January 23rd, 2018 3:27 AM

SERIOUS FIRMWARE ISSUE OR POSSIBLE MALWARE ON THE PACE 5268AC

I am a network administrator and engineer with 30 years of experience. I have become very concerned about a problem regarding the Pace 5268ac router issued by AT&T.

 

A couple of years ago, I ordered GigaPower fiber service from AT&T after it became available in my neighborhood. I was issued a Pace 5268ac. I changed the LAN address of the router from 192.168.1.254 to 192.168.78.1 because the default address conflicts with certain VPN connections.

 

Within 2 weeks of operation, my home network was compromised because I was unaware of the ease with which Wi-Fi Protected Setup can be hacked. This was resolved after I turned off the WPS capability in both the 2.4 and 5 GHz settings.

 

Since then, I check my network regularly for strange activity and devices with Fing, a free Android app, because it reports changes to the network based upon a list maintained in the cloud.

 

In November, Fing reported a new device on my network even though no devices had been added. The device had a MAC address exactly like the router's except for the last octet; it was using IP address .130, replied as "5268ac" to reverse DNS, was listening on port 5555 and appeared to be coming from the 5 GHz Wi-Fi interface. I also checked the Device List and DHCP and, sure enough, there was a "5268ac" shown on those pages.

 

I feared that someone had hacked the router again but after changing passwords and even turning off Wi-Fi completely, it still showed up! I could only imagine the router firmware had been compromised somehow.

 

It was next to impossible to explain this to "Tech Support" and, because of the language barrier, all they do is blame wiring or inside devices or anything else because they possess very limited deduction and logic skills. When I was finally offered a replacement router, I said fine.

 

While I waited, I got with a neighbor who also has AT&T Internet with a Pace 5268ac router and found that they had the exact same issue as myself!

 

Upon receiving the replacement router, the exact same rogue device (except for the MAC address) appeared after provisioning and startup. That's when I knew the device was created by the firmware because there is no other possible source.

 

Of course, I got back on the phone with "Tech Support." One tech tried to ridiculously blame the issue on Wi-Fi Bandwidth Steering!

 

All of this occurred last month. Since then, the rogue "5268ac" stopped showing up on the router DHCP page and device list, but Fing still shows it is present, responding to ping requests and listening on port 5555. I am now VERY suspicious! Why would it now be hidden after I asked questions?

 

In view of my experience, I can think of no valid reason why this should be happening. My gut feeling is that the firmware for the 5268ac is either compromised with some type of malware at Pace or this is some type of intentional monitoring of customer network activity. I attempted to report this to "Tech Support" but they claim they cannot report firmware issues to anyone and kept transferring me to the Billing department!!

 

Right now, I am waiting on a replacement router from a different Pace series, the BGW210. If this issue continues with a different model, I won't bother with "Tech Support" any longer. I'll be calling the Office of the Texas Attorney General and/or getting a lawyer.
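The observation above (a host whose MAC differs from the gateway's only in the last octet, replying to ping and listening on a TCP port) is something you can check locally instead of relying on an app's cloud list. The following Python script is an added example, not code from the original post, from AT&T or from Pace: it parses `ip neigh show` output and flags neighbors whose MAC is "adjacent" to the gateway's, then optionally probes the port. The neighbor table is constructed for illustration, and the `max_last_octet_delta` threshold and the port probe are assumptions of this example, not documented router behaviour.

```python
import re
import socket
from dataclasses import dataclass

# Constructed sample of `ip neigh show` output (hypothetical LAN, not captured
# from the poster's network). The gateway is the 5268ac at 192.168.78.1; the
# .130 entry mimics the "5268ac" device described in the post.
SAMPLE_NEIGH = """\
192.168.78.1 dev eth0 lladdr 00:11:22:aa:bb:10 REACHABLE
192.168.78.25 dev eth0 lladdr 3c:5a:b4:12:34:56 STALE
192.168.78.130 dev eth0 lladdr 00:11:22:aa:bb:11 REACHABLE
192.168.78.77 dev eth0 lladdr 00:11:22:aa:bb:ff DELAY
192.168.78.90 dev eth0 lladdr b8:27:eb:9c:0d:1e REACHABLE
192.168.78.200 dev eth0 FAILED
"""

# Entries in FAILED/INCOMPLETE state carry no lladdr and are skipped.
NEIGH_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+dev\s+\S+\s+lladdr\s+(?P<mac>[0-9a-f:]{17})",
    re.I,
)


@dataclass(frozen=True)
class Neighbor:
    ip: str
    mac: str


def parse_neigh(text):
    """Parse `ip neigh show` lines into Neighbor records (MACs lower-cased)."""
    out = []
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            out.append(Neighbor(m["ip"], m["mac"].lower()))
    return out


def mac_octets(mac):
    return [int(x, 16) for x in mac.split(":")]


def router_aliases(neighbors, gateway_ip, max_last_octet_delta=8):
    """Return neighbors whose MAC matches the gateway's in the first five
    octets and is within `max_last_octet_delta` in the last octet.

    Heuristic (an assumption of this example): vendors typically hand a
    multi-interface box a small block of consecutive MACs, so a near-adjacent
    MAC is consistent with another interface of the same router. A mere OUI
    match (same vendor, distant last octet) is deliberately not flagged.
    """
    gw = next((n for n in neighbors if n.ip == gateway_ip), None)
    if gw is None:
        raise ValueError(f"gateway {gateway_ip} not present in neighbor table")
    gw_oct = mac_octets(gw.mac)
    hits = []
    for n in neighbors:
        if n.ip == gateway_ip:
            continue
        o = mac_octets(n.mac)
        if o[:5] == gw_oct[:5] and abs(o[5] - gw_oct[5]) <= max_last_octet_delta:
            hits.append(n)
    return hits


def tcp_port_open(ip, port, timeout=1.0):
    """Live check: does `ip` accept a TCP connection on `port`? Network I/O,
    so it is only called when `probe=True` below."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def report(neigh_text, gateway_ip, port=5555, probe=False):
    """Return (ip, mac, port_open) for each router-adjacent neighbor;
    port_open is None when no live probe was requested."""
    neighbors = parse_neigh(neigh_text)
    findings = []
    for n in router_aliases(neighbors, gateway_ip):
        status = tcp_port_open(n.ip, port) if probe else None
        findings.append((n.ip, n.mac, status))
    return findings


if __name__ == "__main__":
    # Offline run against the constructed table; pass probe=True on a real
    # LAN (with your own gateway address) to also test the port.
    for ip, mac, status in report(SAMPLE_NEIGH, "192.168.78.1"):
        extra = "" if status is None else f" tcp/5555 open={status}"
        print(f"router-adjacent MAC: {ip} {mac}{extra}")
```

A hit from this script is only a lead: a MAC one off from the gateway's is equally consistent with a second interface of the same box and with something masquerading as one. The checks that separate the two are the ones the post already reaches for (does it survive the radios being off, what answers on the port, what the router's own device list says), ideally with a packet capture of the traffic to and from that address.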

 

Expert


15K Messages

6 years ago

Given your long post I am replying to portions of it in the order I am reading it...

 

I also checked the Device List and DHCP and, sure enough, there was a "5268ac" shown on those pages.

The 5268ac will show up in the device list due to band steering. Band steering can be disabled when the SSIDs of the 2.4 and 5 GHz radios are different.

 

but after changing passwords and even turning off Wi-Fi completely, it still showed up!

I don't know if the 5268 disappears from the device list even when the SSIDs are different. Maybe when you turn the radios off and reboot it would. Note, I don't have a 5268ac to test this out.

 

When I was finally offered a replacement router, I said fine.

IMO tech support's standard default response is "when in doubt, replace"!

 

That's when I knew the device was created by the firmware because there is no other possible source.

Excellent deduction. Yes, it's the way they implemented the band steering.

 

Of course, I got back on the phone with "Tech Support." One tech tried to ridiculously blame the issue on Wi-Fi Bandwidth Steering!

Why is it ridiculous?

 

Right now, I am waiting on a replacement router from a different Pace series, the BGW210. If this issue continues with a different model, I won't bother with "Tech Support" any longer. I'll be calling the Office of the Texas Attorney General and/or getting a lawyer.

I am not sure you won't see the same thing in the 210. It too is dual band and supports band steering.

 

I suggest you post this stuff to the ATT Uverse DSLReports forum. They appear to have a lot of router experts over there.

Teacher


14 Messages

6 years ago

It is ridiculous because no other management or routing protocol requires the creation of a fake or pseudo-device that consumes a DHCP address and listens on port 5555 or any other port. I have found no literature anywhere that even remotely supports this possibility. If, however, the reason is some convoluted implementation of Bandwidth Steering, Pace should make this crystal clear on the Wi-Fi settings page so as to avoid alarming diligent customers.

 

It is further ridiculous because, if my findings are related to an implementation of Bandwidth Steering, it should be disabled because I have purposefully named my SSIDs differently. The Wi-Fi settings page clearly states:

"Creating unique network names and passwords for the 2.4GHz and 5GHz radios will disable the optimization feature and potentially result in degraded in-home Wi-Fi performance."

 

Hence, there is no reason to have an unidentified device on my network.

 

Teacher


115 Messages

I happened to glance at your post, and what I'm about to tell you may surprise you. I'm on the same page regarding WPS; I've disabled the function. However, to my surprise, when it came to installing the smart Wi-Fi extender I needed to reactivate WPS in order to bring it online. Moreover, if you disable WPS, the app warns you about it and recommends keeping the function on at all times. Their reason is that, in case the router reboots, the extender will need to sync again.

Contributor


1 Message

6 years ago

THANK YOU. I have the same exact issue, same exact problems with tech support (do they even need qualifications for this job, or is just knowing how to turn on a PC enough knowledge?).

Are you having the same problems in your new router?   

Have you tried to Wireshark your network? I wonder if that may help explain what the unknown device is doing.
