BGW210-700 Security Issue

The access code is not irrelevant.  It protects sensitive information in the gateway.  If Att has access to your account which I would expect them to, they can see it.  In general your account details are protected by a four digit pin which you need to consent to provide.  There’s no security concern.  And FWIW, the gateway itself dates back to 2017, so it’s no spring chicken, but it gets the job done.  Barely for wifi, but that likely will be your next forum thread.   

Sorry, I'm new here and I guess this is the only option to reply to the previous three posts.

ATTHelp user said AT&T can't view my account without passcode or without connecting to my WiFi network. 

Let me describe exactly what happened.  An installer came, placed my BGW210, pointed out the default IP, access code, etc.  But there was no connectivity due to an external problem.  Two days later AT&T techs fixed the external problem (on the pole a block away).  Late that night I changed the SSID and WiFi password, as I described.

The following day another AT&T technician arrived, pulled out his phone, and showed me my WiFi password in plain text. 

Let me be clear - I did NOT give him my four digit PIN or my WiFi password. 

So how did he obtain that information?

Please reread @JefferMC reply.  Don’t stress over it.  There’s nothing special going on there and Joe Sixpack can’t get onto your home network.  

Hey @NewGuyInIll, thank you for writing back to us!

We just wanted to let you know that AT&T technician are there to fix your Wi-Fi or internet issue through all the troubleshooting means.

As our @ACE mentioned using smart home manager app you can manage your home network handy.

If you still feel that is not ok, we suggest you to change your Wi-Fi password.

However, you need not worry in terms of security and privacy, your security would be always our priority.

Please let us know if this helps or if you need any further assistance.

Bruce, AT&T Community Specialist 

As JefferMC wrote:

"AT&T has remote management capability into your Gateway (it's how Smart Home Manager is able to accomplish what it does) and how your installer was able to obtain Gateway information without connecting to your Network. "

and ATTHelp wrote:

"If you still feel that is not ok, we suggest you to change your Wi-Fi password."

Remote management capability that allows a technician to obtain my WiFi password without connecting to my network is called a BACKDOOR.  And changing my password will only update the password in AT&T remote management software.

If an AT&T technician who happens to be near my house can access my home network, as this one obviously did, then that is a security risk.

Any reasonable person would recognize this. 

I doubt that you would you find it acceptable if Asus, TP-Link, or Linksys gave their employees backdoors to their products.

AT&T should at least disclose this so their users can take appropriate action.  In my case I've turned off the BGW210 WiFi.  Only one cable is connected to the BGW210 LAN ports and that goes to my own routers.  My home network sits behind those routers.  IOW, I use the BGW210 as a modem only.

My only reason for posting this is to alert other users.

AT&T's position is to help their customers not have trouble accessing the network, so they make the information available to you from the Gateway on the local network AND to employees who have access to your account (because they're assigned to it or because you called).  If you know anything about computer security, you've seen the convenience / security tradeoff graph, and they've chosen the convenience side on this issue.

You can do exactly what you said and turn off Wi-Fi and provide your own.  A lot of us do that for a variety of reasons.  Can't blame you at all.

If you think Att techs run around jumping on customers’ wifi just because and you want to make a federal case of it, that’s your business.  First time in well over a decade I’ve seen this sort of nonsense.  Good day.