I recently swapped from Spectrum to AT&T. Long story short, I didn’t like it and switched back. However, I did notice something interesting and decided to order a device off of eBay to experiment with.
The first interesting thing I noticed was that the modem’s WiFi network name and PSK could be retrieved in plaintext from anywhere on the internet by logging in to att.com and taking the following steps.
Search for “forgot wifi password” in the search bar. Click “Find network name & password”.
Click the blue “Get it” button when it appears as shown. Make sure the correct modem/gateway is selected.
After several seconds the WiFi network name and password appear near the bottom right-hand corner of the screen. It doesn’t work in the screenshot below because my service has been disconnected for several weeks.
This feature works regardless of whether the user is on their home network or in another country. Therefore we can conclude that the ISP is retrieving this information directly from the modem and transporting it over the internet. Notice in the same screenshot the “Manage My Wi-Fi” link, which allows the user to overwrite these parameters as well.
A full TCP port scan gives only two open ports (no UDP ports were scanned).
It is important to note not only that these ports are reachable only from the WAN, but that in the case of 61001 I can only connect to it from an IP address that is not on AT&T U-verse. Why only other U-verse IP addresses are blacklisted remains a mystery. Throwing some random garbage at port 49152 yields promising results.
Port 61001 appears to be a TLS-enabled web service (presumably password protected).
Note that the existence of these services is not limited to the 5268AC modem and seems to be present on the majority of U-verse DSL modems. Understanding the inner workings of these services will be the focus of this series of posts.
But first we must root the gateway. The saga begins with Exploring the AT&T U-verse 5268AC DSL Modem – Part 1.