[TriLUG] open ports on Uverse 2wire gateway

Igor Partola igor at igorpartola.com
Sun Jan 26 03:29:12 EST 2014


So your setup looks like this?:

WinXP box ----- Router/Modem ----- Internet

Are there other hosts on the LAN?

So assuming the router/modem is doing NAT, and if you disconnect it from your server (or your LAN) and still see the open ports, then it is the router/modem that has them open and the WinXP box has nothing to do with it. I suspect this is the case since the open ports don't show up in the router/modem's configuration UI.

Why are these ports open if the above is true? Your suspicion is probably correct: for some remote management feature. Have you tried connecting to these ports to see what they respond with?

The practical security implications here are that AT&T has some type of access to your router/modem which could mean that they can monitor your traffic and possibly change your DNS settings etc. Of course they can do the exact same thing upstream in their data centers much easier.

They could also potentially see into your LAN and access ports on your WinXP box not open to the WAN. This they could not do without a backdoor into your router. This is a potential area of concern.

My biggest security worry here would be the fact that the management features (if that is what they are) are open not just to AT&T but to everyone. It is possible that some malicious third party can gain access to your router/modem, and thus to your LAN. This would likely be game over in terms of compromising the WinXP box or at least stealing data from it as it communicates to the Internet.

So assuming these ports are not forwarded to anything on the LAN and are indeed a management backdoor into the router/modem itself, and given all these security implications, what can you do?

First, getting your own hardware firewall (possibly just a small consumer router) between the modem and the LAN would actually mitigate most of the practical security concerns. A third party might still gain access to the router/modem and be able to monitor your traffic (normally not easy to do), but you can already assume that lots of third parties are listening in on you (AT&T, NSA, any backbone network operator, etc.)

You are right: this will not solve the issue with passing a security scan, but it would fix the underlying problem. To pass the scan the only thing I can think of is to actually get an engineer from AT&T on the phone who knows what these ports are for, or to get different equipment.

Good luck.
Igor
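
An added example, not part of the original message: one way to do the check suggested above (connect to each open port on your own gateway with the LAN unplugged and record what it answers with). The function names, timeouts and state labels are assumptions made for this sketch; the host and ports come from the command line.

```python
import socket
import sys

def probe_port(host, port, banner_wait=2.0, timeout=5.0):
    """Return (state, data): state is 'closed', 'banner', 'http' or 'open-silent'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:                      # refused, unreachable or timed out
        return ("closed", b"")
    with sock:
        # Services such as SSH, FTP or SMTP speak first: wait briefly for a banner.
        sock.settimeout(banner_wait)
        try:
            data = sock.recv(256)
            if data:
                return ("banner", data)
            return ("open-silent", b"")  # peer accepted, then closed at once
        except socket.timeout:
            pass                         # nothing volunteered; try HTTP below
        except OSError:
            return ("open-silent", b"")
        # Many embedded management interfaces are HTTP; send a minimal HEAD request.
        sock.settimeout(timeout)
        try:
            sock.sendall(b"HEAD / HTTP/1.0\r\n\r\n")
            data = sock.recv(256)
        except OSError:
            data = b""
        return ("http" if data.startswith(b"HTTP/") else "open-silent", data)

def first_line(data):
    """Printable first line of a response, for the report."""
    line = data.split(b"\n", 1)[0].strip()
    return line.decode("ascii", errors="replace")

if __name__ == "__main__":
    # Usage: python probe.py <your-gateway-address> <port> [<port> ...]
    host, ports = sys.argv[1], [int(p) for p in sys.argv[2:]]
    for port in ports:
        state, data = probe_port(host, port)
        print(f"{port}/tcp  {state:11}  {first_line(data)}")
```

A status line or Server header in the output is the kind of detail to have on hand when asking the ISP what the ports are for.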