SERIOUS FIRMWARE ISSUE OR POSSIBLE MALWARE ON THE PACE 5268AC
I am a network administrator and engineer with 30 years of experience. I have become very concerned about a problem regarding the Pace 5268ac router issued by AT&T.
A couple of years ago, I ordered GigaPower fiber service from AT&T after it became available in my neighborhood. I was issued a Pace 5268ac. I changed the LAN address of the router from 192.168.1.254 to 192.168.78.1 because the default address conflicts with certain VPN connections.
Within 2 weeks of operation, my home network was compromised because I was unaware of the ease with which Wi-Fi Protected Setup can be hacked. This was resolved after I turned off the WPS capability in both the 2.4 and 5 GHz settings.
Since then, I check my network regularly for strange activity and devices with Fing, a free Android app, because it reports changes to the network based upon a list maintained in the cloud.
In November, Fing reported a new device on my network even though no devices had been added. The device had a MAC address exactly like the router except for the last octet, it was using IP address .130, replied as "5268ac" using reverse DNS, was listening on port 5555 and appeared to be coming from the 5 GHz Wi-Fi interface. I also checked the Device List and DHCP and, sure enough, there was a "5268ac" shown on those pages.
I feared that someone had hacked the router again but after changing passwords and even turning off Wi-Fi completely, it still showed up! I could only imagine the router firmware had been compromised somehow.
It was next to impossible to explain this to "Tech Support" and, because of the language barrier, all they do is blame wiring or inside devices or anything else because they possess very limited deduction and logic skills. When I was finally offered a replacement router, I said fine.
While I waited, I got with a neighbor who also has AT&T Internet with a Pace 5268ac router and found that they had the exact same issue as myself!
Upon receiving the replacement router, the exact same rogue device (except for the MAC address) appeared after provisioning and startup. That's when I knew the device was created by the firmware because there is no other possible source.
Of course, I got back on the phone with "Tech Support." One tech tried to ridiculously blame the issue on Wi-Fi Bandwidth Steering!
All of this occurred last month. Since then, the rogue "5268ac" stopped showing up on the router DHCP page and device list but Fing still shows it is present, responding to ping requests and listening on port 5555. I am now VERY suspicious! Why would it now be hidden after I asked questions?
In view of my experience, I can think of no valid reason why this should be happening. My gut feeling is that the firmware for the 5268ac is either compromised with some type of malware at Pace or this is some type of intentional monitoring of customer network activity. I attempted to report this to "Tech Support" but they claim they cannot report firmware issues to anyone and kept transferring me to the Billing department!!
Right now, I am waiting on a replacement router from a different Pace series, the BGW210. If this issue continues with a different model, I won't bother with "Tech Support" any longer. I'll be calling the Office of the Texas Attorney General and/or getting a lawyer.
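As an added example (not from the original post or from AT&T/Pace), the three indicators the post uses to spot the rogue host, a MAC that differs from the gateway's only in its last octet, a reverse-DNS name equal to the router model, and a listener on TCP 5555, written as a check over a constructed Fing-style device inventory; every MAC, IP and name below is made up.

```python
from __future__ import annotations

# Constructed inventory in the shape a LAN scanner reports: the gateway,
# a phone, and a host showing the pattern described in the post.
GATEWAY_MAC = "00:11:22:33:44:50"  # constructed, not a real vendor OUI
INVENTORY = [
    {"ip": "192.168.78.1",   "mac": "00:11:22:33:44:50", "name": "gateway", "ports": [80, 443]},
    {"ip": "192.168.78.42",  "mac": "a4:50:46:aa:bb:cc", "name": "phone",   "ports": []},
    {"ip": "192.168.78.130", "mac": "00:11:22:33:44:51", "name": "5268ac",  "ports": [5555]},
]

SUSPECT_PORTS = {5555}       # port reported in the post
SUSPECT_NAMES = {"5268ac"}   # rDNS name reported in the post


def normalize_mac(mac: str) -> list[str]:
    """Split a MAC written with ':' or '-' into six lowercase octets."""
    octets = mac.lower().replace("-", ":").split(":")
    if len(octets) != 6:
        raise ValueError(f"not a MAC address: {mac!r}")
    return octets


def shares_mac_prefix(mac: str, gateway_mac: str) -> bool:
    """True if mac matches the gateway in the first five octets but not the sixth."""
    a, b = normalize_mac(mac), normalize_mac(gateway_mac)
    return a[:5] == b[:5] and a[5] != b[5]


def flag_suspect_devices(inventory, gateway_mac: str) -> dict[str, list[str]]:
    """Return {ip: [reasons]} for each device matching at least two indicators."""
    flagged = {}
    for dev in inventory:
        reasons = []
        if shares_mac_prefix(dev["mac"], gateway_mac):
            reasons.append("MAC differs from gateway only in last octet")
        if dev["name"].lower() in SUSPECT_NAMES:
            reasons.append(f"rDNS name {dev['name']!r} equals the router model")
        if SUSPECT_PORTS & set(dev["ports"]):
            reasons.append("listening on TCP 5555")
        if len(reasons) >= 2:  # require two indicators to limit false positives
            flagged[dev["ip"]] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in flag_suspect_devices(INVENTORY, GATEWAY_MAC).items():
        print(ip, "->", "; ".join(why))
```

Requiring two indicators keeps a same-vendor extender (shared OUI, ordinary name, no 5555 listener) from being flagged while still catching the combination the post describes.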