Ask Slashdot: Dealing With an Advanced Wi-Fi Leech?
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
Re:i like to limit my DHCP scope (Score:5, Insightful)
So then he sets his MAC address to one on the allowed list. Not exactly a tough thing to do.
Some quick basics (Score:4, Insightful)
Why lose your time? (Score:3, Insightful)
Shut off your radio. (Score:5, Insightful)
If they're going to go through the trouble of setting up a honeypot, you might as well give up and just shut the radio off and run 100% wired.
Or, go rogue yourself and capture all his traffic. Bonus points if you rate-limit the wireless to effectively have no bandwidth.
The local cops? If your local police department is anything like mine, they don't even send out officers to investigate real property crimes like theft anymore. They'll just laugh at your little WiFi problem.
Re:i like to limit my DHCP scope (Score:3, Insightful)
Doubt it would even slow him down. Some of the semi-automated leecher tools do this automatically already.
I've used Wifi Analizer (Score:4, Insightful)
On my Android phone, it will detect the closest Wifi signals and you may be able to pinpoint where exactly this evil twin is. A directional antenna may help, but without knowing exactly where to direct it to, you may be aiding the leech. You can try disabling SSID broadcast and reducing transmit power.
No one will trouble themselves this much just to avoid paying a monthly fee and just by the fact they're knowledgeable in these means they've spent a lot of time online already. My guess is that this individual is conducting illegal activities through yours and your neighbor's connections, so you or your neighbors may get a visit from law enforcement pretty soon.
Oh come on... (Score:5, Insightful)
Re:If he joins your network... (Score:5, Insightful)
Not necessarily effective if his intention isn't web browsing. Internet is cheap. It sounds like an elaborate attempt to conceal illicit activity to me.
Sounds worse than a leech (Score:4, Insightful)
Wouldn't a leech just look for an open access point? One with a fast connection would be a bonus.
Your interloper would seem to be doing something more nefarious. Why does a simple leech need an evil twin?
Is your local constabulary at all competent in this sort of matter, or are they the kind that go around wardriving for open access points? Because it's gonna suck to try to explain the problem if they don't have a clue, but something's up, and to me it sounds like something leaning toward the criminal.
I think I'd get the directional antenna. Maybe you're dealing with the neighbor's 12 year old, so just alerting the parents could do the trick. If it's your local psycho, that's another story.
If you find him... (Score:5, Insightful)
If you find him, give him props and buy him a beer and ask him to share how he's doing what he's doing with you. Sounds like some pretty cool shit.
Stealing Electricity (Score:5, Insightful)
If you have the means to determine where they are it's worth asking them to stop. That alone might change their attitude toward poking at networks.
Daily disconnects (Score:2, Insightful)
I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt).
No, that is only indicative of perfectly normal behaviour in most of the world, since your connection is reset (and your IP changed) every 24 hours.
Be enlightened (Score:4, Insightful)
Change your SSID to "Do_not_steal_my_WiFi". It's the enlightened approach -- the same approach that the "Gun Free Zone" and "Drug Free Zone" people use. Only backward, ignorant people would disagree.
Re:Sounds worse than a leech (Score:4, Insightful)
Do you seriously need to ask this?
Have you seen any evidence anywhere that the local police are knowledgeable or interested in such things? If so, where?
Re:i like to limit my DHCP scope (Score:2, Insightful)
if i have a device not work for some reason and i see an IP conflict then i'll know right away
Unless you're setting your subnet mask to only be 10 or so addresses, I'd just pick an address outside of your DHCP scope and I'd never conflict. You're treating DHCP as a security measure when it's a convenience measure.
captcha: gateway. How fitting.
Re:Some ideas (Score:2, Insightful)
As I'm sure somebody else will point out, SSID hiding won't hide the fact that the network is there. The only good thing that you mentioned is turning off your wifi at night, but that's not necessarily a real solution (servers and such like to do things at night, however if you're running servers off of wifi and they are at all important there's something wrong with you anyways).
I don't get it (Score:5, Insightful)
Some neighbor comes in good faith and opens his digital life to you, so you can MITM him and this is how you react? That is rude, man. I think that guy deserves an apology sent from one of his social network accounts.
Re:Oh come on... (Score:2, Insightful)
Have you heard of reaver?
Re:Figure out where he is located (Score:5, Insightful)
In places like Florida, Stand Your Ground lets them legally shoot you dead for that.
Re:Shut off your radio. (Score:4, Insightful)
Phones, tablets, etc lack Ethernet ports. It's pretty close to deprecated for consumer electronics and understandably so.
Re:Local police won't be much help (Score:4, Insightful)
That is very, very far from being "of course." Police want convictions, and there is nothing else to convict than an asocial nerd in a basement, with a stash of CP in his browser's cache. Those files do not carry an indication through which router they were obtained, since the browser keeps no logs. If you have them, you have them.
The nerd, naturally, may confess to a lighter crime - such as stealing your keys and connecting to your router. You should be ready for a raid yourself, and better you keep your own nose clean - the pr0n that most people collect rarely comes with notarially certified age of all participants. This is a good example of "sow the wind, reap the whirlwind."
Framing the thief for CP would be a massive overreaction. But the thief can compromise your own IP address by *really* downloading politically incorrect materials. So I wouldn't accept any honeypot scheme where the thief is actually allowed to go outside of your LAN. Doing a good job on a honeypot for just one guy is too expensive. In essence, if you cannot guarantee that your Wi-Fi is secure then what are you doing with it? Just hoping that no hacker shows up? Either make sure it is secure, or turn it off. There is no middle ground because it can lead to trouble.
Re:Shut off your radio. (Score:4, Insightful)
They'll just laugh at your little WiFi problem.
You must have exceptionally smart cops where you live if you think they'd understand what OP was talking about. If I called cops with this problem any place I've lived, I suspect I'd be transferred about three times before someone would ask "Son, are you talking about the child porn?" and would just hang up when I said no.
Re:i like to limit my DHCP scope (Score:4, Insightful)
Re:i like to limit my DHCP scope (Score:3, Insightful)
Because it's not like the MAC addresses that are allowed get broadcast over the air when they are in use or anything.
Re:Use squid (Score:5, Insightful)
If you're going to go so far as to let them on to your network, instead of pranking them you could passively watch who they log into websites as in order to determine their identity, gather evidence, and file charges. Of course, disconnect your other systems - since if he's hacking your wifi he'll probably also try to probe your other devices.
Of course, IANAL, and perhaps monitoring such things is illegal even though it's going over your private network.
Re:i like to limit my DHCP scope (Score:5, Insightful)
(Several posts here are talking as if DHCP is a vital stage in setting up a network connection.)
Re:Why lose your time? (Score:5, Insightful)
Freeloading? If that was his only intention, he wouldn't have troubled to set up the evil twin. This guy is serious trouble, and you don't want him on your LAN.
Re:Some ideas (Score:5, Insightful)
No. In this case it is irrelevant. The attacker has already demonstrated relatively sophisticated attacks. We are well past SSID broadcast as being remotely relevant.
He is using tools that will find your network regardless of whether SSID is on or off. There is no point in inconveniencing yourself.
It's the equivalent of trying to hide by putting on dark clothes and a hat when you already know your pursuer is using infrared, passive sonar, and motion sensors to find you.
Re:CO-OP (Score:3, Insightful)
No, it'd be much more satisfying to engage in a little frontier justice.
Any solution that doesn't end with you telling the leech, "Bite the curb. I said, put your teeth on the motherfucking curb," is a non-starter, frankly.
Re:Whitelist!? (Score:4, Insightful)
Walk to the farmers' market! (Score:4, Insightful)
.
Bonus for you is that you got three hours of aerobic cardiovascular workout time! You'll be healthier, and (two or so dollars) wealthier, and wise! The strange thing is that there are people who actually pay other people and companies money for the opportunity to exercise on a treadmill or a stationary bike. These people tend to gas up their SUV and drive the two miles over to their "gym" to do pretend walking and pay for that privilege. You, sir or madam, on the other hand have gamed the system and not fallen for the idiocracy. You get the benefits without the costs.
Also, you're not a leech, so you're also a good person. Plus you also eat vegetables: double-plus good person! (My mom has me convinced that stealing the carrot sticks from the fridge is bad, so I'm tempted more and do it more! It was just a year ago that I figured out that carrots were healthy! I've been conned into liking veggies!)
;>)
Bonus point of spelling pickiness: your response was to Re:I've used Wifi Analizer . Surely, the GP poster meant "Analyzer", unless the word "analizer" tells us more about the GP and his probings by alien species than we wanted to know....
Re:i like to limit my DHCP scope (Score:5, Insightful)
Clearly you do not have someone trying to leech your network, or you are not able to detect such a user. MAC addresses are broadcast in the clear. This is because otherwise every device on the network would have to decrypt every single packet in order to determine whether or not the device is the intended recipient of the packet. All the attacker has to do is inspect a packet, find the MAC address, then spoof that MAC address.
WiFi Protected Setup (WPS) is broken, and on many routers it cannot be fixed without disabling WiFi completely. Even a 64-character, high entropy password on WPA2 AES will not work. This is the problem faced by the poster of the article.
In my mind, the best solution is high entropy, long password, WPA2-AES with a router that does not have WPS or is known to be able to safely disable WPS (such as latest versions of DD-WRT).
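A defender's view of the signs described in the question (an access point imitating the home SSID, and the same client MAC associated with several neighborhood access points), as an added example that is not part of the original thread. The SSIDs, MAC addresses and record layout are constructed for illustration and assume a passive Wi-Fi monitor that exports beacon and association observations.

```python
from collections import defaultdict

# Constructed sample data (not from the thread). All names and MACs are made up.
MY_NETWORK = {"ssid": "HomeNet",
              "bssids": {"aa:bb:cc:00:00:01"},
              "security": "WPA2-AES"}

BEACONS = [  # (ssid, bssid, advertised security)
    ("HomeNet", "aa:bb:cc:00:00:01", "WPA2-AES"),   # the real router
    ("HomeNet", "de:ad:be:ef:00:99", "OPEN"),       # same name, different radio
    ("NeighborA", "aa:bb:cc:00:00:02", "WEP"),
    ("NeighborB", "aa:bb:cc:00:00:03", "WPA2-AES"),
]

ASSOCIATIONS = [  # (client MAC, BSSID it was seen associated with)
    ("11:22:33:44:55:66", "aa:bb:cc:00:00:02"),
    ("11:22:33:44:55:66", "aa:bb:cc:00:00:03"),
    ("77:88:99:aa:bb:cc", "aa:bb:cc:00:00:01"),
]

def find_evil_twins(beacons, mine):
    """Flag beacons using our SSID from an unknown BSSID or with other security.

    A BSSID is sent in the clear and can be copied like any MAC address, so the
    security comparison is kept as an independent second check.
    """
    alerts = []
    for ssid, bssid, security in beacons:
        if ssid != mine["ssid"]:
            continue
        reasons = []
        if bssid.lower() not in mine["bssids"]:
            reasons.append("unknown BSSID")
        if security != mine["security"]:
            reasons.append("security mismatch")
        if reasons:
            alerts.append((bssid, reasons))
    return alerts

def clients_on_multiple_aps(associations, min_aps=2):
    """Return client MACs seen associated with at least min_aps distinct BSSIDs."""
    seen = defaultdict(set)
    for client, bssid in associations:
        seen[client.lower()].add(bssid.lower())
    return {c: sorted(b) for c, b in seen.items() if len(b) >= min_aps}

if __name__ == "__main__":
    print(find_evil_twins(BEACONS, MY_NETWORK))
    print(clients_on_multiple_aps(ASSOCIATIONS))
```

A client that roams between access points of one legitimate network would also appear in the second result, so the list is a starting point for review rather than proof.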
Mess with him like this. (Score:3, Insightful)
Re:Why lose your time? (Score:5, Insightful)
Anyway, in case it is genuine: Somebody has been freeloading, so what?
Ask yourself, why would someone go to such great lengths to use someone else's bandwidth?
Re:"Unauthorized Access" is a Felony. (Score:5, Insightful)
Leaving aside the questionable legality of your little nerd-vigilante justice fantasies and granting for a moment the fact that what the guy is doing is technically a felony...
Ignoring the possibility that the poor sap that opens the door might have nothing to do with the attempt - could be his 15 year old kid... worse yet, it could be a zombie machine trying to connect...
Leaving all that aside and assuming that everything is as it appears on its face. You go over and knock, assault the guy and get the right person...
This all falls under a category I like to call "things I don't want to have to explain to a judge".
TL;DR: You're being criminally stupid.
Re:Figure out where he is located (Score:2, Insightful)
Re:If he joins your network... (Score:4, Insightful)
alternately, leave the old one turned on but not physically connected to anything... waste more time!
Re:Change your WPA keys (Score:5, Insightful)
Re:Nah, teach the little hacker about malice. (Score:5, Insightful)
This whole topic is a gem! (Score:3, Insightful)
Copyright Infringement... How are the courts to assign guilt to anyone for violating copyright on the net if it can not be proven, with forum discussions like the one you are reading right now, that one is the perpetrator of internet mischief?
The ones that should be most concerned are the MAFIAA. All the lobbying of politicians to pass their carefully crafted laws is moot if it is shown in courts of law that the wifi routers themselves are compromisable. It will be hard, if not impossible, to place without-a-doubt liability on anyone for what went through their system.
I am sure this entire forum will be copied off and presented to the Judge as evidence that it cannot be proven beyond a shadow of a doubt that the copyright violator indeed did what the MAFIAA alleged he did.