Tutor
•
3 Messages
Possible major security hole in ATT modem/router
I've only been a Uverse customer for a couple of months. Things have been working reasonably well. Today, however, I needed to find the IP address of a particular printer that has no control panel/display of its own. As I've done for twenty-plus years I decided to check the client DHCP list on the router. I browsed to my modem's IP address and the Home page appeared. I didn't have to supply any login credentials, and yet, staring me in the face was my home wi-fi configuration INCLUDING my passphrase(s) in plain text. I quickly browsed around the modem configuration to find somewhere to set a login ID and password to access the top level (Home) page of the modem. No luck.
This is extremely disturbing inasmuch as it means any neighbor within reception range of my modem and APs can very easily discover everything they need to know to log in to any of my wi-fi SSIDs which otherwise would be secure. So the question is: how the heck can I either secure access to the modem configuration with login credentials or, at the very least, prevent the wi-fi passphrases from being displayed simply by accessing the modem's home page? In my opinion, ATT is just asking for customers' networks to be breached and hacked by pretty much anyone with a fourth-grade education. That's totally unacceptable.
Accepted Solution
Official Solution
_xyzzy_
Expert
•
15K Messages
7 years ago
There are similar threads on this topic in these forums.
But isn't it a "chicken and egg" problem? How could someone who doesn't know your wifi ssid/password get into your router via wifi to see your ssid/password? Note, if you are running some kind of wide open (unsecured, no password) wifi then IMO it's your problem and you shouldn't be doing that.
Of course if you had a guest in your house who had physical access to your router then that's a problem.
0
Accepted Solution
Official Solution
JefferMC
ACE - Expert
•
35.2K Messages
7 years ago
As _xyzzy_ correctly points out, your neighbor must not only be in reception range, but also already know your passphrase, to be able to connect to your Wi-Fi network and visit your gateway's home page and get your passphrase. If he already knows it, what is the harm in displaying it?
I will agree that this is not the most secure of arrangements, but the idea was to avoid calls to support asking "what's my passphrase." If this really bothers you, then the solution would be to get your own access point or wireless router and use it instead of the U-verse Gateway for Wi-Fi.
0
TheGrayFox
Tutor
•
3 Messages
7 years ago
As much as I hate to admit it, you are both absolutely correct. I didn't think through the issue completely. When I first "discovered" what I thought was a problem, I panicked a bit, and stopped thinking. For anyone that I might have caused alarm, I believed that anyone within range of my WiFi network would be able to browse to the modem's IP and access the configuration info. _xyzzy_ and JefferMC were correct in that a potential hacker would need to have established themselves on my network before being able to browse to the modem's IP which would have required prior knowledge of my network passphrases.
Please forgive my paranoia. In almost 35 years of IT work I've not encountered a modem or router that displayed configuration info without having to log in with my specified credentials. I suppose I need to relax a bit after so much time. 🙂
Thank you _xyzzy_ and JefferMC for pointing out what should have been the obvious.
0
4tran4
Contributor
•
1 Message
6 years ago
So I had a similar situation that I'm still scratching my head about. I just bought a new HP Officejet printer. Downloaded and ran the setup program. At a certain point the setup program identified my WiFi network including the password. I'm speculating that it got the SSID because my computer was connected to it, but I'm a bit surprised that it was able to determine the password. Any ideas how that could happen?
Thanks!
0
0
_xyzzy_
Expert
•
15K Messages
6 years ago
Did you set up a default wifi ssid and password to use in your computer? I assume the software you installed on your computer got it from there somehow.
1
0