FTTN ATT Man-in-the-middle attack?

[JamesG]

Since getting upgrading my Fusion service to FTTN I have been getting certificate warnings from various apps on my Macbook, including OpenVPN, iTunes, Calendar, etc. What seems to be happening is that ATT is trying to serve an SSL/TLS connection with its own certificate. This could be a bug, but also could be a man-in-the-middle attack: If anyone accepts the attlocal certificate without noticing what they are doing, ATT can now monitor all of their encrypted traffic.

Below is the error message from OpenVPN client.

Untrusted Certificate warning

Host: ovpn.sonic.net
Reason: X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN: self signed certificate in certificate chain
SHA1 fingerprint: 41:1F:7D:E7:AC:B2:53:2B:A0:CD:5F:F1:E4:A1:76:F2:E7:39:95:93

Subject:
C: US
CN: attlocal.net
O: 2Wire
OU: Gateway Device

Issuer:
C: US
CN: Gateway Authentication
O: 2Wire
OU: Gateway Device
serialNumber: 36161N078826

[JamesG]

Just to be clear, the attlocal certificate is being supplied where other certificates are requested, including Apple certificates and Sonic's OpenVPN certificate.

The app is requesting a certificate from Apple or Sonic, and instead is provided with a self-signed certificate from attlocal.

This is really not how things are ever supposed to work.

[Mahera]

hello JamesG

Thanks for he heads up.

Perhaps someone from sonic could comment on this?
If this is happening than sonic needs to address this with att. Would of this even be legal better att?


Hopefully sonic has an good answer.

[drew.phillips]

I'm by no means a connectivity specialist here but I have FTTN service at home that I use once in a while and have noticed occasionally after it's been a long time since I used it or when the connection was dropping it would try to redirect all my web requests to gateway.attlocal.net or some such address to do gateway authentication.

Do you frequently notice issues with your connection or times where you don't have service? I suspect maybe it's the modem trying to redirect you to that page so the modem can authenticate with the network.

This isn't anything malicious but if it's happening a lot it *may* indicate something is up with the connection to ATT's network.

[Mahera]

Hello Drew.

Thanks for the reply.

However.
The authentication of the modem is/should be done on a different level way before we get access to the att network.
I am by no means a "network guy"
But redirecting my request to connect to a side looks a lot like highjacking ?

Trying to intercept a vpn Connection isn't good thing either.

That is if this is what is going on here.

Usually there is a reason for people to use vpn.
Most of the time it is used for work and to keep others out.
After all it is called virtual private network and it is used to keep traffic privat.
Can you imagine if my company finds out that att is intercepting our traffic??

Or any company for this matter.


Sonic seemed to be big on privacy, so I hope that sonic looks into this and let's us know if there is anything fishy going on with unwanted re-directs and even more with a possible "fake" vpn connection.

It happens sometimes that I get disconnected from the sonic vpn and sometimes have to restart the von service a few times to get a connection again? I starting to wonder if this is related.



On the other hand. Is there any help on setting up the vpn to ensure that there is no "man in the middle attac" possible.
OpenVPN has many possible settings.
All I can find is settings for the app but nott on how to configure the vpn as a service.


Thanks for looking I to his and the help

I'm by no means a connectivity specialist here but I have FTTN service at home that I use once in a while and have noticed occasionally after it's been a long time since I used it or when the connection was dropping it would try to redirect all my web requests to gateway.attlocal.net or some such address to do gateway authentication.

Do you frequently notice issues with your connection or times where you don't have service? I suspect maybe it's the modem trying to redirect you to that page so the modem can authenticate with the network.

This isn't anything malicious but if it's happening a lot it *may* indicate something is up with the connection to ATT's network.

[drew.phillips]

It might look like a MITM but it's not paying attention to the traffic you're sending and it's not sending it anywhere beyond the modem.

It's the modem trying to redirect your browser to it's gateway page because in my experience when I got these messages, my internet connection was down and the modem needed to authenticate and it won't pass any traffic until it does. The issue is described here: https://forums.att.com/t5/AT-T-Internet ... 647#M23655

When the modem comes online it tries to authenticate with ATT's network using proprietary protocols and for any number of reasons that authentication is failing. When the modem is unauthenticated, you're connection is effectively down (even if the DSL link is good). Rather than just drop all traffic, they try to redirect http & https traffic to the modem. Over SSL this manifests as a certificate error/warning because the names don't match where you're trying to go. Trying to access a site that uses HSTS (HTTPS Strict Transport Security) would completely fail because by design it's purpose is to prevent invalid certificates from being used so you'd be "protected" from MITM in this case.

If you're still seeing these errors I'd encourage you to give our support department a call to do some troubleshooting.

If it happens frequently, there may be a connection problem.

If it's very rare, then it could be transient but does *not* mean your traffic is at risk or being sent to or intercepted by AT&T.

This is similar to what happens sometimes if you connect to open WiFi that requires authentication. The WiFi gateway will attempt to intercept all http/https traffic (and drop everything else) and send you to the hotspot login page where you agree to terms and/or pay for service. Only then will it pass your traffic through.

[mahera]

hello drew,,
i can follow your reasoning for the "link down" and be send to a "login page" like in hotels.

that this would work like this on a home router would be new for me.


when my link is down i simply cant connect and i do not get redirected to the modem page.


anyway, the OP is saying that he gets served a ovpn certificate that seems to come from ATT.

so you are saying that when the modem is not authenticated and the user tries to connect to a vpn that the modem delivers a vpn certificate on its own? that seems kind of unusual.


however, where can find someone information on the ovpn settings other then the app for iphone or android.

i had a hard time setting up the ovpn on my router and was only be bale to do so after a extensive search on the web.
some users shared their knowledge (partially) to get this going. i am sure there a more settings to watch out for.

does sonic provide any information on their ovpn service for whole house (router) setup
as they advertised years ago?
btw. what happened to the idea that sonic my have a whole house solution?

thanks for the help

[drew.phillips]

Hi mahera,

I think the gateway authentication redirect happens (at least for me) when the physical and DSL links are up (so the modem is communicating with ATT) but not authenticating itself or needs to. The few times I experienced it was when I'd left the modem idle (online) with no devices attached for a long time. If it's link is down, I don't think it does any kind of redirection.

The reason ATT's cert is appearing in the OpenVPN connection is likely because the router is indiscriminately replacing certs in all TLS handshakes. So any protocol, whether HTTPS, SMTP, OpenVPN, or even a proprietary one that uses TLS would be susceptible to the certificate injection. Of course in the case of OpenVPN, it'd totally break the connection. They're just hoping when you open the browser, you'll see the cert warning, accept it, and get redirected to the gateway page. A pretty flawed approach in general.

Regarding whole home VPN, Sonic currently doesn't have any official recommendations or solutions for that. There are quite a few ways to do it but each with their own issues (i.e. price, performance, or complexity). If you want to run a whole home VPN and support multiple devices at once providing good throughput to each, you'll really need to look at a system that has an Intel Celeron or better (or something AMD now that they're back in the game) so it can handle the encryption/decryption for the clients at a fast rate. Off the shelf consumer routers can be extremely limited in throughput.

[smarterthanyou]

ATT modems don't deliver local modem traffic over HTTPS.

It's all over HTTP.

This is why issues such as https://www.reddit.com/r/computer_help/ ... tes_due_to/ exist.

HTTPS traffic will never be affected by the ATT modem since it doesn't use HTTPS to communicate, it only provides passthru.

This is why, when your ATT service ends if you stop paying for it, communicating with websites HTTPS will still work for weeks until the physical connection is terminated at your local junction.

In other words, STOP WASTING YOUR TIME and just refresh your connection -- or better yet stop using ATT. :D