Ask Slashdot: Dealing With an Advanced Wi-Fi Leech?
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
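One way to check the "disconnected at around the same time every day" pattern from the question against router logs, as an added example that is not part of the original thread. The log line format, MAC addresses and thresholds are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample log; the line format is an assumption, not any specific router's.
SAMPLE_LOG = """\
2014-02-10 21:02:11 wlan0: STA aa:bb:cc:00:00:01 deauthenticated reason=7
2014-02-10 21:02:40 wlan0: STA aa:bb:cc:00:00:01 associated
2014-02-11 08:30:05 wlan0: STA aa:bb:cc:00:00:02 deauthenticated reason=3
2014-02-11 21:05:47 wlan0: STA aa:bb:cc:00:00:01 deauthenticated reason=7
2014-02-12 14:12:30 wlan0: STA aa:bb:cc:00:00:01 deauthenticated reason=3
2014-02-12 20:58:02 wlan0: STA aa:bb:cc:00:00:02 deauthenticated reason=7
2014-02-13 21:09:19 wlan0: STA aa:bb:cc:00:00:01 deauthenticated reason=7
"""

LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ STA ([0-9a-f:]{17}) deauthenticated")

def parse_deauths(log_text):
    """Return (date, minute_of_day, station_mac) for every deauthentication line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts.date(), ts.hour * 60 + ts.minute, m.group(2)))
    return events

def recurring_windows(events, window=15, min_days=3):
    """Find time-of-day windows (minutes wide) with deauths on >= min_days distinct days.

    Each window starts at an observed event, so a cluster is not split by a
    fixed bucket boundary; the modulo lets a window wrap past midnight.
    Returns [(window_start 'HH:MM', distinct_days, affected_stations)].
    """
    hits, covered_until = [], -1
    for _, start, _ in sorted(events, key=lambda e: e[1]):
        if start <= covered_until:
            continue  # already reported as part of an earlier window
        inside = [e for e in events if (e[1] - start) % 1440 < window]
        days = {e[0] for e in inside}
        if len(days) >= min_days:
            hits.append((f"{start // 60:02d}:{start % 60:02d}", len(days),
                         sorted({e[2] for e in inside})))
            covered_until = start + window - 1
    return hits

if __name__ == "__main__":
    for start, days, stations in recurring_windows(parse_deauths(SAMPLE_LOG)):
        print(f"deauths within 15 min of {start} on {days} days: {stations}")
```

One-off disconnects (the 08:30 and 14:12 lines) are ignored; only the cluster that repeats across days is reported.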
So then he sets his MAC address to one on the allowed list. Not exactly a tough thing to do.
The first thing would obviously be MAC whitelisting on the router, though if he is smart enough, he would just spoof his MAC to one of the ones on your network, so it's unlikely it would stop him. Depending on where you need your wireless router, have you considered turning down the radio strength and putting the router in an area where it covers where you want to use it without the WiFi signal going too far outside the bounds of your house?
If they're going to go through the trouble of setting up a honeypot, you might as well give up and just shut the radio off and run 100% wired.
Or, go rogue yourself and capture all his traffic. Bonus points if you rate-limit the wireless to effectively have no bandwidth.
The local cops? If your local police department is anything like mine, they don't even send out officers to investigate real property crimes like theft anymore. They'll just laugh at your little WiFi problem.
Do I really have to say it? WPA2, 63 characters pwd.
Not necessarily effective if his intention isn't web browsing. Internet is cheap. It sounds like an elaborate attempt to conceal illicit activity to me.
If you find him, give him props and buy him a beer and ask him to share how he's doing what he's doing with you. Sounds like some pretty cool shit.
-1 Uncomfortable Truth
If someone had an extension cord plugged into my outside outlet and it ran to their house to steal power, I would walk over, knock on the door, and ask them to stop it. And yes, I would also unplug it.
If you have the means to determine where they are it's worth asking them to stop. That alone might change their attitude toward poking at networks.
Some neighbor comes in good faith and opens his digital life to you, so you can MITM him and this is how you react? That is rude, man. I think that guy deserves an apology sent from one of his social network accounts.
In places like Florida, Stand Your Ground lets them legally shoot you dead for that.
== Jez ==
Do you miss Firefox? Try Pale Moon.
If you're going to go so far as to let them on to your network, instead of pranking them you could passively watch who they log into websites as in order to determine their identity, gather evidence, and file charges. Of course, disconnect your other systems - since if he's hacking your wifi he'll probably also try to probe your other devices.
Of course, IANAL, and perhaps monitoring such things is illegal even though it's going over your private network.
Why would he even send a DHCP request?
(Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
# cat
Damn, my RAM is full of llamas.
Freeloading? If that was his only intention, he wouldn't have troubled to set up the evil twin. This guy is serious trouble, and you don't want him on your LAN.
No. In this case it is irrelevant. The attacker has already demonstrated relatively sophisticated attacks. We are well past SSID broadcast as being remotely relevant.
He is using tools that will find your network regardless of whether SSID is on or off. There is no point in inconveniencing yourself.
It's the equivalent of trying to hide by putting on dark clothes and a hat when you already know your pursuer is using infrared, passive sonar, and motion sensors to find you.
Clearly you do not have someone trying to leech your network, or you are not able to detect such a user. MAC addresses are broadcast in the clear. This is because otherwise every device on the network would have to decrypt every single packet in order to determine whether or not the device is the intended recipient of the packet. All the attacker has to do is inspect a packet, find the MAC address, then spoof that MAC address.
WiFi Protected Setup (WPS) is broken, and on many routers it cannot be fixed without disabling WiFi completely. Even a 64-character, high entropy password on WPA2 AES will not work. This is the problem faced by the poster of the article.
In my mind, the best solution is high entropy, long password, WPA2-AES with a router that does not have WPS or is known to be able to safely disable WPS (such as latest versions of DD-WRT).
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
Anyway, in case it is genuine: Somebody has been freeloading, so what?
Ask yourself, why would someone go to such great lengths to use someone else's bandwidth?
Give me Classic Slashdot or give me death!
Leaving aside the questionable legality of your little nerd-vigilante justice fantasies and granting for a moment the fact that what the guy is doing is technically a felony...
Ignoring the possibility that the poor sap that opens the door might have nothing to do with the attempt - could be his 15 year old kid... worse yet, it could be a zombie machine trying to connect...
Leaving all that aside and assuming that everything is as it appears on its face. You go over and knock, assault the guy and get the right person...
This all falls under a category I like to call "things I don't want to have to explain to a judge".
TL;DR: You're being criminally stupid.
Touch everywhere, even when inappropriate.
Spoofing a MAC address is trivial. You can do it in your network settings in Windows, and every router I've ever used gives the option. Finding a whitelisted MAC address is likely trivial for the hacker in this article (who broke in through WPS - much harder) because the MAC address is broadcast in the clear, so packet inspection will reveal the whitelisted MAC addresses. IP whitelists are also worthless.
That's great advice. "Commit a felony to find out who's trying to leech off your WiFi." I think there are better solutions.