Slashdot Mirror
Ask Slashdot: Dealing With an Advanced Wi-Fi Leech?
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
And punch him in the nose.
WPS works by giving out your WPA keys, so if they've gotten in once through WPS, they will continue to have access.
Setup squid and redirect all web traffic through it. Replace all images on machines that are not yours with goatse.
If they're going to go through the trouble of setting up a honeypot, you might was well give up and just shut the radio off and run 100% wired.
Or, go rogue yourself and capture all his traffic. Bonus points if you rate-limit the wireless to effectively have no bandwidth.
The local cops? If your local police department is anything like mine, they don't even send out officers to investigate real property crimes like theft anymore. They'll just laugh at your little WiFi problem.
Do i really have to say it? WPA2, 63 characters pwd.
Not necessarily effective if his intention isn't web browsing. Internet is cheap. It sounds like an elaborate attempt to conceal illicit activity to me.
start knocking on doors and asking your neighbors if they would mind terribly if you spoke with their 15 year old son for a few minutes, because you've determined he's been hacking your wifi. Eventually, you'll hit the right house. For the wrong houses, act confused and say you must have miscalculated by a house or two, and that you're sorry. Bring cookies to show you're not an ass, though.
Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.
I use reserved MAC addresses and a non-trivial WPA2 password. The router won't connect any unknown MAC addresses.
That seems to work for me.
If they crack that, they aren't leeches. They are crooks. Call the FBI.
"For every complex problem there is an answer that is clear, simple, and wrong."
-H. L. Mencken
Brute force attacks take time, lots of time. Just start changing your key every week and he will probably go away. Having your computer run 96 hours to get a password that then changes 72 hours later just isn't worth it, even for a criminal. If he keeps at it then someone just enjoys the challenge, and you should hunt them down just for the mystery.
And THEN break his legs.
Right?
Some neighbor comes in good faith and opens his digital life to you, so you can MITM him and this is how you react? That is rude man. I think that guy deserves an apology sent from one of his social networks accounts.
Make a little shield with a bit of foil and a coathanger. While tracking the incoming attempts, shield your WAP from various directions until it stops. Gives you a direction, and you can bend the coathanger into a little stand to hold the shield in place next to your WAP. It's likely to be in the direction of a near wall, isn't it?
Amazing stuff, tinfoil.
Do not mock my vision of impractical footwear
Knock up a cron job to change your WPA2 key every 24 hours. Use a QR code generator to print out the code on paper for your new key every morning, so you can just snap it with your phone and you're on. He'll get bored of trying to break something that changes faster than he can break it, and he'll move onto someone else.
Agree also with disabling wireless at the times he uses it, and when you're not, if this is feasible for your lifestyle.
And 5GHz also sounds sensible.
If you do find out who he is, change your SSID to *his* name and address. That should freak him a bit.
Calling local ham radio enthusiasts would probably lead to some very entertaining results.
The most memorable story I've ever heard along those lines was that a couple of hams had access to a fairly large dish antenna and were setting up some sort of satellite communications (for work, not play). A guy nearby was running a horribly unshielded CB amplifier that was crapping all over their signal. They told him to knock it off. He refused. They pointed out that he was blowing way past FCC limits on transmission power. He ignored them. They pointed the dish straight at his shack and transmitted maximum power at it. Within a few minutes smoke was pouring out of it... bet you could fry a router pretty easily.
The evil twin makes finding the culprit a cakewalk. Download inSSIDer and walk around. When the evil twin's signal is strongest, you're outside his door.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Why would he even send a DHCP request?
(Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
# cat
Damn, my RAM is full of llamas.
Freeloading? If that was his only intention, he wouldn't have troubled to set up the evil twin. This guy is serious trouble, and you don't want him on your LAN.
Make sure you don't allow admin over wifi. Most routers have a setting so you can only administer it from a wired connection. This isn't an absolute or a fix for the base situation, it's just an extra hurdle for them if they get in and want to screw with you for fighting back.
It is widely known by security professionals that hiding your SSID actually decreases security. For starters, it is easy enough to sniff a SSID out of the air. What is more concerning is that wireless clients configured to connect to a hidden network will constantly try to connect to any wireless network, essentially asking "Are you my network?" A malicious access point could say, "Yup, sure am!" At that point your wireless client will be more than happy to divulge your preshared key. There are even affordable retail products that accomplish this out of the box. Check out the Wi-Fi Pineapple.
Clearly you do not have someone trying to leech your network, or you are not able to detect such a user. MAC addresses are broadcast in the clear. This is because otherwise every device on the network would have to decrypt every single packet in order to determine whether or not the device is the intended recipient of the packet. All the attacker has to do inspect a packet, find the MAC address, then spoof that MAC address.
WiFi Protected Setup (WPS) is broken, and on many routers it cannot be fixed without disabling WiFi completely. Even a 64-character, high entropy password on WPA2 AES will not work. This is the problem faced by the poster of the article.
In my mind, the best solution is high entropy, long password, WPA2-AES with a router that does not have WPS or is known to be able to safely disable WPS (such as latest versions of DD-WRT).
I once took an excursion to Reddit, and later HN. Unlimited up/down voting sucks when dealing with a hive-mind.
"My guess is that this individual is conducting illegal activities through yours and your neighbor's connections"
This is highly likely. The guy has invested much time and effort in this so they clearly have motives other than saving a few bucks. OP should make attempts to locate this guy and to shut him down. Use laptops or cell phones with wireless monitoring applications to locate the guy's AP. Nothing too fancy, just do a bit of sneaker-netting while watching the signal strength. You don't need to triangulate the location to within a foot, you just need to get a general idea of where this thing is. Once you get close you should be able to tell which building/car it is in. If this yields inconclusive results then contact the local HAM club. They may be able to assist you in locating a rogue AP or wifi leech in exchange for beer and pizza.
Also, OP needs to file a police report. Will the police do anything? No, of course not. However, it will help to shield OP from liability when the FBI comes knocking in regard to whatever illegal activities are being conducted through his internet connection. He'll be able to point to the police reports as evidence that someone else was on the network long before the authorities showed up.
-1 disagree is not a modifier for a reason. -1 troll, flaimbait, redundant, overrated are NOT acceptable substitutes.
First of all, just to be clear: this isn't leaching, this is someone doing something nefarious. If they just wanted free bandwidth, they would never set up an evil twin network. Most of the replies on this thread are bad advice assuming it's a leech. The person responsible might be nearby, but probably not; if you track down the computer that's responsible, you're likely to find that its owner doesn't know what's going on and it's been taken over by an anonymous attacker over the Internet. Or you'll find a PwnPlug.
The first thing you need to do is notify the police that you're being targeted by hacking. This is important; if your computer/network is taken over and used for something illegal, which is likely to happen, this will protect you. Second: you need to notify your employer, as well as anyone whose confidential data you're in possession of. And third: you need to harden your computer security, and figure out why you might have been targeted.
Do a quick search online to get hold of some identity theft / credit card harvesting malware and modify it so it sends the capture to you.
Then, setup a transparent linux proxy server that replaces any executable file downloaded with your malware, and put it between your internet connection and an open wireless network.
Let the little turd use your free wifi internet to his heart's content, and wait for him to install the malware when he's trying to install something legitimate. Then, wait for your malware to send you the details of who he is, what his credit card numbers are etc.
Finally, go to the local coffee shop that gives out free wifi with every coffee purchased, and drop all those details you collected on pastebin.
Problem solved.