
Ask Slashdot: Dealing With an Advanced Wi-Fi Leech?

Posted by Soulskill
from the call-the-internet-police dept.
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
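
The three observations in the submission above (an access point reusing the home SSID from an unfamiliar BSSID, client MACs associated with several access points, and disconnects recurring at the same time of day) can be checked against monitoring data. This is an added example, not part of the original post or thread; every SSID, MAC address, timestamp and function name in it is constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime

# All data below is constructed for illustration.
KNOWN_APS = {"HomeNet": {"aa:bb:cc:00:00:01"}}  # SSID -> BSSIDs you operate

SCAN = [  # (ssid, bssid, security) from a passive scan
    ("HomeNet", "aa:bb:cc:00:00:01", "WPA2"),
    ("HomeNet", "02:00:00:00:00:99", "OPEN"),
    ("Neighbor1", "aa:bb:cc:00:00:02", "WEP"),
]

ASSOCIATIONS = [  # (client_mac, bssid) pairs seen by the monitor
    ("02:00:00:00:00:10", "aa:bb:cc:00:00:01"),
    ("02:00:00:00:00:10", "aa:bb:cc:00:00:02"),
    ("02:00:00:00:00:10", "aa:bb:cc:00:00:03"),
    ("02:00:00:00:00:20", "aa:bb:cc:00:00:01"),
]

DISCONNECTS = [  # client disconnect timestamps from the router log
    "2013-02-16 21:03:10", "2013-02-17 21:07:45",
    "2013-02-18 21:01:02", "2013-02-18 09:40:00",
]


def find_evil_twins(scan, known):
    """Return scan entries that reuse a known SSID from a BSSID you do not own."""
    return [e for e in scan if e[0] in known and e[1].lower() not in known[e[0]]]


def clients_on_many_aps(assocs, min_aps=2):
    """Return {client_mac: sorted BSSIDs} for clients seen on >= min_aps APs."""
    seen = defaultdict(set)
    for client, bssid in assocs:
        seen[client.lower()].add(bssid.lower())
    return {c: sorted(b) for c, b in seen.items() if len(b) >= min_aps}


def recurring_disconnects(timestamps, window_min=15, min_days=3):
    """Return 'HH:MM' window starts with disconnects on >= min_days distinct dates."""
    days = defaultdict(set)
    for ts in timestamps:
        t = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        start = (t.hour * 60 + t.minute) // window_min * window_min
        days[start].add(t.date())
    return [f"{s // 60:02d}:{s % 60:02d}" for s, d in sorted(days.items())
            if len(d) >= min_days]


if __name__ == "__main__":
    print("evil twin candidates:", find_evil_twins(SCAN, KNOWN_APS))
    print("clients on several APs:", clients_on_many_aps(ASSOCIATIONS))
    print("recurring disconnect windows:", recurring_disconnects(DISCONNECTS))
```

A network with several legitimate access points needs all of their BSSIDs listed in `KNOWN_APS`, and a recurring disconnect window is only a pattern to investigate, not proof of its cause.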

  • by h4rr4r (612664) on Wednesday February 20, 2013 @04:29PM (#42959105)

    So then he sets his MAC address to one on the allowed list. Not exactly a tough thing to do.

  • Some quick basics (Score:4, Insightful)

    by Pubstar (2525396) on Wednesday February 20, 2013 @04:29PM (#42959121)
    The first thing would obviously be MAC whitelisting on the router, though if he is smart enough, he would just spoof his MAC to one of the ones on your network, so it's unlikely it would stop him. Depending on where you need your wireless router, have you considered turning down the radio strength and putting the router in an area where it covers where you want to use it without the WiFi signal going too far outside the bounds of your house?
  • by ruir (2709173) on Wednesday February 20, 2013 @04:30PM (#42959133) Homepage
    Let's hope this article is just a marketing scheme. Anyway, in case it is genuine: Somebody has been freeloading, so what? You have got two options: 1) Upgrade your security. Double up encryption with MAC authorization. Hide your SSID. Maybe even going to digital certificates. Use only encrypted communications protocols. Many other options. Much time invested. 2) Set up a honeypot. Something open or better yet with poor security. Let him break, monitor the activity, eventually you will get his personal data. Then decide on the course of action. Cheers
  • by faedle (114018) on Wednesday February 20, 2013 @04:31PM (#42959149) Homepage Journal

    If they're going to go through the trouble of setting up a honeypot, you might as well give up and just shut the radio off and run 100% wired.

    Or, go rogue yourself and capture all his traffic. Bonus points if you rate-limit the wireless to effectively have no bandwidth.

    The local cops? If your local police department is anything like mine, they don't even send out officers to investigate real property crimes like theft anymore. They'll just laugh at your little WiFi problem.

  • by faedle (114018) on Wednesday February 20, 2013 @04:32PM (#42959167) Homepage Journal

    Doubt it would even slow him down. Some of the semi-automated leecher tools do this automatically already.

  • by eksith (2776419) on Wednesday February 20, 2013 @04:32PM (#42959169) Homepage

    On my Android phone, it will detect the closest Wifi signals and you may be able to pinpoint where exactly this evil twin is. A directional antenna may help, but without knowing exactly where to direct it to, you may be aiding the leech. You can try disabling SSID broadcast and reducing transmit power.

    No one will trouble themselves this much just to avoid paying a monthly fee and just by the fact they're knowledgeable in these means they've spent a lot of time online already. My guess is that this individual is conducting illegal activities through yours and your neighbor's connections, so you or your neighbors may get a visit from law enforcement pretty soon.

  • Oh come on... (Score:5, Insightful)

    by lesincompetent (2836253) on Wednesday February 20, 2013 @04:33PM (#42959197)
    Do I really have to say it? WPA2, 63 characters pwd.
  • by Anonymous Coward on Wednesday February 20, 2013 @04:33PM (#42959199)

    Not necessarily effective if his intention isn't web browsing. Internet is cheap. It sounds like an elaborate attempt to conceal illicit activity to me.

  • by Rob the Bold (788862) on Wednesday February 20, 2013 @04:33PM (#42959205)

    Wouldn't a leech just look for an open access point? One with a fast connection would be a bonus.

    Your interloper would seem to be doing something more nefarious. Why does a simple leech need an evil twin?

    Is your local constabulary at all competent in this sort of matters, or are they the kind that go around wardriving for open access points? Because it's gonna suck to try to explain the problem if they don't have a clue, but something's up, and to me it sounds like something leaning toward the criminal.

    I think I'd get the directional antenna. Maybe you're dealing with the neighbor's 12 year old, so just alerting the parents could do the trick. If it's your local psycho, that's another story.

  • If you find him... (Score:5, Insightful)

    by ShieldW0lf (601553) on Wednesday February 20, 2013 @04:34PM (#42959225) Journal

    If you find him, give him props and buy him a beer and ask him to share how he's doing what he's doing with you. Sounds like some pretty cool shit.

  • by CambodiaSam (1153015) on Wednesday February 20, 2013 @04:37PM (#42959259)
    If someone had an extension cord plugged into my outside outlet and it ran to their house to steal power, I would walk over, knock on the door, and ask them to stop it. And yes, I would also unplug it.

    If you have the means to determine where they are it's worth asking them to stop. That alone might change their attitude toward poking at networks.
  • Daily disconnects (Score:2, Insightful)

    by A Friendly Troll (1017492) on Wednesday February 20, 2013 @04:38PM (#42959275)

    I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt).

    No, that is only indicative of perfectly normal behaviour in most of the world, since your connection is reset (and your IP changed) every 24 hours.

  • Be enlightened (Score:4, Insightful)

    by Kohath (38547) on Wednesday February 20, 2013 @04:39PM (#42959299)

    Change your SSID to "Do_not_steal_my_WiFi". It's the enlightened approach -- the same approach that the "Gun Free Zone" and "Drug Free Zone" people use. Only backward, ignorant people would disagree.

  • by gstoddart (321705) on Wednesday February 20, 2013 @04:40PM (#42959313) Homepage

    Is your local constabulary at all competent in this sort of matters

    Do you seriously need to ask this?

    Have you seen any evidence anywhere that the local police are knowledgeable or interested in such things? If so, where?

  • by Anonymous Coward on Wednesday February 20, 2013 @04:41PM (#42959329)

    if i have a device not work for some reason and i see an IP conflict then i'll know right away

    Unless you're setting your subnet mask to only be 10 or so addresses, I'd just pick an address outside of your DHCP scope and I'd never conflict. You're treating DHCP as a security measure when it's a convenience measure.

    captcha: gateway. How fitting.

  • Re:Some ideas (Score:2, Insightful)

    by Anonymous Coward on Wednesday February 20, 2013 @04:46PM (#42959399)

    As I'm sure somebody else will point out, SSID hiding won't hide the fact that the network is there. The only good thing that you mentioned is turning off your wifi at night, but that's not necessarily a real solution (servers and such like to do things at night, however if you're running servers off of wifi and they are at all important there's something wrong with you anyways).

  • I don't get it (Score:5, Insightful)

    by chord.wav (599850) on Wednesday February 20, 2013 @04:46PM (#42959419) Journal

    Some neighbor comes in good faith and opens his digital life to you, so you can MITM him and this is how you react? That is rude, man. I think that guy deserves an apology sent from one of his social network accounts.

  • Re:Oh come on... (Score:2, Insightful)

    by Time_Ngler (564671) on Wednesday February 20, 2013 @04:50PM (#42959467)

    Have you heard of reaver?

  • by jez9999 (618189) on Wednesday February 20, 2013 @04:54PM (#42959531) Homepage Journal

    In places like Florida, Stand Your Ground lets them legally shoot you dead for that.

  • by JLennox (942693) on Wednesday February 20, 2013 @04:59PM (#42959589)

    Phones, tablets, etc lack Ethernet ports. It's pretty close to deprecated for consumer electronics and understandably so.

  • by tftp (111690) on Wednesday February 20, 2013 @05:00PM (#42959603) Homepage

    ..of course it won't take long for them to find out who set up the redirects and is actually responsible for the kiddie porn.

    That is very, very far from being "of course." Police want convictions, and there is nothing else to convict than an asocial nerd in a basement, with a stash of CP in his browser's cache. Those files do not carry an indication through which router they were obtained, since the browser keeps no logs. If you have them, you have them.

    The nerd, naturally, may confess to a lighter crime - such as stealing your keys and connecting to your router. You should be ready for a raid yourself, and better you keep your own nose clean - the pr0n that most people collect rarely comes with notarially certified age of all participants. This is a good example of "sow the wind, reap the whirlwind."

    Framing the thief for CP would be a massive overreaction. But the thief can compromise your own IP address by *really* downloading politically incorrect materials. So I wouldn't accept any honeypot scheme where the thief is actually allowed to go outside of your LAN. Doing a good job on a honeypot for just one guy is too expensive. In essence, if you cannot guarantee that your Wi-Fi is secure then what are you doing with it? Just hoping that no hacker shows up? Either make sure it is secure, or turn it off. There is no middle ground because it can lead to trouble.

  • by interkin3tic (1469267) on Wednesday February 20, 2013 @05:08PM (#42959703)

    They'll just laugh at your little WiFi problem.

    You must have exceptionally smart cops where you live if you think they'd understand what OP was talking about. If I called cops with this problem any place I've lived, I suspect I'd be transferred about three times before someone would ask "Son, are you talking about the child porn?" and would just hang up when I said no.

  • by Deekin_Scalesinger (755062) on Wednesday February 20, 2013 @05:08PM (#42959713)
    I don't know about the hiding portion - any hacker with any skills at all is going to find them. I for one would be far more interested in someone who hides their SSID than someone in a faceless mass of wifis. Makes me think that they are relying on being hidden, and thus have fewer layers of defense.
  • by nedlohs (1335013) on Wednesday February 20, 2013 @05:09PM (#42959723)

    Because it's not like the MAC addresses that are allowed get broadcast over the air when they are in use or anything.

  • Re:Use squid (Score:5, Insightful)

    by DigitAl56K (805623) on Wednesday February 20, 2013 @05:12PM (#42959751)

    If you're going to go so far as to let them on to your network, instead of pranking them you could passively watch who they log into websites as in order to determine their identity, gather evidence, and file charges. Of course, disconnect your other systems - since if he's hacking your wifi he'll probably also try to probe your other devices.

    Of course, IANAL, and perhaps monitoring such things is illegal even though it's going over your private network.

  • by bcmm (768152) on Wednesday February 20, 2013 @05:22PM (#42959877)
    Why would he even send a DHCP request?

    (Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
  • by LukeWebber (117950) on Wednesday February 20, 2013 @05:23PM (#42959889)

    Freeloading? If that was his only intention, he wouldn't have troubled to set up the evil twin. This guy is serious trouble, and you don't want him on your LAN.

  • Re:Some ideas (Score:5, Insightful)

    by vux984 (928602) on Wednesday February 20, 2013 @05:29PM (#42959969)

    No. In this case it is irrelevant. The attacker has already demonstrated relatively sophisticated attacks. We are well past SSID broadcast as being remotely relevant.

    He is using tools that will find your network regardless of whether SSID is on or off. There is no point in inconveniencing yourself.

    It's the equivalent of trying to hide by putting on dark clothes and a hat when you already know your pursuer is using infrared, passive sonar, and motion sensors to find you.

  • Re:CO-OP (Score:3, Insightful)

    by Anonymous Coward on Wednesday February 20, 2013 @05:54PM (#42960273)

    No, it'd be much more satisfying to engage in a little frontier justice.

    Any solution that doesn't end with you telling the leech, "Bite the curb. I said, put your teeth on the motherfucking curb," is a non-starter, frankly.

  • Re:Whitelist!? (Score:4, Insightful)

    by jon3k (691256) on Wednesday February 20, 2013 @05:55PM (#42960275)
    And I can also spoof MAC addresses. MAC filtering is about 1/100th of a secure wireless network.
  • by girlinatrainingbra (2738457) on Wednesday February 20, 2013 @05:56PM (#42960289)
    re: For example, I regularly walk 6 miles to a farmer's market and 6 miles back to save a couple of dollars on the price of vegetables. That's three hours of walking to save a minute or two's income.
    .
    Bonus for you is that you got three hours of aerobic cardiovascular workout time! You'll be healthier, and (two or so dollars) wealthier, and wise! The strange thing is that there are people who actually pay other people and companies money for the opportunity to exercise on a treadmill or a stationary bike. These people tend to gas up their SUV and drive the two miles over to their "gym" to do pretend walking and pay for that privilege. You, sir or madam, on the other hand have gamed the system and not fallen for the idiocracy. You get the benefits without the costs.
    Also, you're not a leech, so you're also a good person. Plus you also eat vegetables: double-plus good person! (My mom has me convinced that stealing the carrot sticks from the fridge is bad, so I'm tempted more and do it more! It was just a year ago that I figured out that carrots were healthy! I've been conned into liking veggies!)
    ;>)
    Bonus point of spelling pickiness: your response was to Re:I've used Wifi Analizer . Surely, the GP poster meant "Analyzer", unless the word "analizer" tells us more about the GP and his probings by alien species than we wanted to know....
  • by MyFirstNameIsPaul (1552283) <myfirstnameispaul@gmail.com> on Wednesday February 20, 2013 @06:08PM (#42960427) Homepage Journal

    Clearly you do not have someone trying to leech your network, or you are not able to detect such a user. MAC addresses are broadcast in the clear. This is because otherwise every device on the network would have to decrypt every single packet in order to determine whether or not the device is the intended recipient of the packet. All the attacker has to do is inspect a packet, find the MAC address, then spoof that MAC address.

    WiFi Protected Setup (WPS) is broken, and on many routers it cannot be fixed without disabling WiFi completely. Even a 64-character, high entropy password on WPA2 AES will not work. This is the problem faced by the poster of the article.

    In my mind, the best solution is high entropy, long password, WPA2-AES with a router that does not have WPS or is known to be able to safely disable WPS (such as latest versions of DD-WRT).

  • by Ralph Ostrander (2846785) on Wednesday February 20, 2013 @06:18PM (#42960527)
  • by Hatta (162192) on Wednesday February 20, 2013 @06:31PM (#42960605) Journal

    Anyway, in case it is genuine: Somebody has been freeloading, so what?

    Ask yourself, why would someone go to such great lengths to use someone else's bandwidth?

  • by PyroMosh (287149) on Wednesday February 20, 2013 @06:32PM (#42960613) Homepage

    Leaving aside the questionable legality of your little nerd-vigilante justice fantasies and granting for a moment that what the guy is doing is technically a felony...

    Ignoring the possibility that the poor sap that opens the door might have nothing to do with the attempt - could be his 15 year old kid... worse yet, it could be a zombie machine trying to connect...

    Leaving all that aside and assuming that everything is as it appears on its face. You go over and knock, assault the guy and get the right person...

    This all falls under a category I like to call "things I don't want to have to explain to a judge".

    TL;DR: You're being criminally stupid.

  • by spire3661 (1038968) on Wednesday February 20, 2013 @07:07PM (#42960857) Journal
    OK, how about hands around throat? Fights make deadly turns very fast. Someone punching me is enough for me to pull my weapon at the very least. I can say this because I don't instigate fights, ever, so if someone is engaging me physically, it's serious. All fights are potentially mortal and I react accordingly. I also avoid trouble as much as I can, but once it gets physical, I'm thinking of ways to end the threat extremely quickly.
  • by mabhatter654 (561290) on Wednesday February 20, 2013 @07:08PM (#42960859)

    alternately, leave the old one turned on but not physically connected to anything... waste more time!

  • by MyFirstNameIsPaul (1552283) <myfirstnameispaul@gmail.com> on Wednesday February 20, 2013 @07:23PM (#42961047) Homepage Journal
    Spoofing a MAC address is trivial. You can do it in your network settings in Windows, and every router I've ever used gives the option. Finding a whitelisted MAC address is likely trivial for the hacker in this article (who broke in through WPS - much harder) because the MAC address is broadcast in the clear, so packet inspection will reveal the whitelisted MAC addresses. IP whitelists are also worthless.
  • by RoboRay (735839) on Wednesday February 20, 2013 @09:23PM (#42961929)
    That's great advice. "Commit a felony to find out who's trying to leech off your WiFi." I think there are better solutions.
  • by anubi (640541) on Wednesday February 20, 2013 @11:11PM (#42962673) Journal
    This problem of WiFi leeching is far greater than one guy losing some of his bits... rather now it is wide open that WiFi is not all that secure.

    Copyright Infringement... How are the courts to assign guilt to anyone for violating copyright on the net if it can not be proven, with forum discussions like the one you are reading right now, that one is the perpetrator of internet mischief?

    The one that should be most concerned is the MAFIAA. All the lobbying of politicians to pass their carefully crafted laws is moot if it is shown in courts of law that the wifi routers themselves are compromisable. It will be hard, if not impossible, to place without-a-doubt liability on anyone for what went through their system.

    I am sure this entire forum will be copied off and presented to the Judge as evidence that it cannot be proven beyond a shadow of a doubt that the copyright violator indeed did what the MAFIAA alleged he did.
