Ask Slashdot: Dealing With an Advanced Wi-Fi Leech? 884
An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"
Power & antenna placement (Score:5, Interesting)
-Move or buy a directional antenna
Have time on your hands?
http://www.ex-parrot.com/~pete/upside-down-ternet.html
Re:Power & antenna placement (Score:5, Interesting)
That link [ex-parrot.com] is exactly what I came to post. It's clearly overkill, but overkill is the perfect tool to show someone that they are hopelessly outclassed and they should seriously reconsider their actions.
Re:You could troll them in return. (Score:5, Interesting)
If it has internet access and you don't feel like waiting for the MPAA to be their usual selves, sign up for a new gmail account and send a threat letter to a high ranking government official. You'll get a far faster and more dramatic response. You can be pretty much guaranteed that the issue will be investigated.
Change Password (Score:5, Interesting)
Letterbox drop: 'how to secure your wireless' (Score:5, Interesting)
There are two ways of dealing with this: getting this person off [i]your[/i] network, and getting this person off [i]everyone's[/i] network.
Personally, I think if you can get everyone to squeeze him off their networks then that will probably be the nicest kind of vengeance.
Consider writing up a simple letter (starting with: Just a note from a neighbor), detail that someone in the area has been breaking into wireless networks and may be pirating stuff/doing illegal things which could lead to difficulties for the actual owner of the OP. Then, provide a basic summary of what to do to avoid it (e.g. disable WPS, etc etc) and maybe even provide URLs for the major router manufacturers.
With [i]some[/i] luck, [i]some[/i] people will pay attention and lock down their network.
If you know who it is doing it (using handy phone apps to detect signal strength, or a directional antenna) then you could do a 'special' letterbox drop for that one person with a 'how to buy an internet connection'.
Mind you, if this person is using an 'evil twin' they may be doing more than just stealing Wifi. If their MAC address is stable (i.e. they are not modifying it) you may want to capture some sample traffic with that included. If things do go awry you can use that to provide evidence it was that person's computer, possibly.
Re:Isn't there an OS box that'll solve this? (Score:4, Interesting)
Isn't there FreeBSD or Linux disk image that'll solve this?
<WIFI> <=> [Router] < routes only to > [IP address of solution]
Where the solution does something like the standard coffeeshop login +
* Special account gets unlimited time & bandwidth
* Non-special account needs to sign up every hour & gets diminishing bandwidth (if you want to allow visitors)
Something like http://dev.wifidog.org/ [wifidog.org], but under active development?
This, [myshopify.com] perhaps?
Tinfoil hat cure (Score:5, Interesting)
Make a little shield with a bit of foil and a coathanger. While tracking the incoming attempts, shield your WAP from various directions until it stops. Gives you a direction, and you can bend the coathanger into a little stand to hold the shield in place next to your WAP. It's likely to be in the direction of a near wall, isn't it?
Amazing stuff, tinfoil.
Re:Some ideas (Score:5, Interesting)
Knock up a cron job to change your WPA2 key every 24 hours. Use a QR code generator to print out the code on paper for your new key every morning, so you can just snap it with your phone and you're on. He'll get bored of trying to break something that changes faster than he can break it, and he'll move onto someone else.
Agree also with disabling wireless at the times he uses it, and when you're not, if this is feasible for your lifestyle.
And 5GHz also sounds sensible.
If you do find out who he is, change your SSID to *his* name and address. That should freak him a bit.
Re:i like to limit my DHCP scope (Score:3, Interesting)
if i have a device not work for some reason and i see an IP conflict then i'll know right away
Unless you're setting your subnet mask to only be 10 or so addresses, I'd just pick an address outside of your DHCP scope and I'd never conflict. You're treating DHCP as a security measure when it's a convenience measure.
captcha: gateway. How fitting.
I think that's the point; I set my subnet mask to /30 and assign a MAC to each IP. That way, any attackers have to sniff the MAC of an active connection and kick that connection in order to connect. This is very noticeable, and any leecher's going to have a really bad connection (as when my device gets kicked, it's going to attempt to reestablish, kicking them off). Doesn't stop passive surveillance, but it'll stop the leechers.
Re:Does your router support captive portal? (Score:5, Interesting)
The most memorable story I've ever heard along those lines was that a couple of hams had access to a fairly large dish antenna and were setting up some sort of satellite communications (for work, not play). A guy nearby was running a horribly unshielded CB amplifier that was crapping all over their signal. They told him to knock it off. He refused. They pointed out that he was blowing way past FCC limits on transmission power. He ignored them. They pointed the dish straight at his shack and transmitted maximum power at it. Within a few minutes smoke was pouring out of it... bet you could fry a router pretty easily.
Re:Shut off your radio. (Score:5, Interesting)
If you can find out who's stealing your bandwidth, you don't need the police -- you need a lawyer. In civil matters they are a *lot* more scary.
Re:i like to limit my DHCP scope (Score:5, Interesting)
And somebody like me would completely own you for it:
1. I have the technical know how to set my SSID to hidden: red flag #1
2. What else do I have running if my SSID is hidden?
In my case, I log all my traffic, and honestly it might take me a second to notice, all it would take is a few hiccups of my bandwidth for me to take a quick look at the settings and at that point, I'd log your traffic for a while, see what I can gather, and go find a zero-day, break through, escalate privilege, send your pr0n to your mom via the facebook login I logged, and delete your registry before I'm done.
So in short, you never quite know what you're logging into when you go rogue on wifi :)
CO-OP (Score:4, Interesting)
Here's a solution - organize a neighborhood open wireless mesh network co-op.
It would be much more satisfying to make stone soup, than reinforce a stone wall.
Re:Figure out where he is located (Score:4, Interesting)
Microwaves are particularly troublesome for WiFi [wikipedia.org]
So, you could effectively jam the leech with a Microwave transmitter.
Re:i like to limit my DHCP scope (Score:2, Interesting)
Slowing him down is a good idea. Traffic-shape any non-whitelist MAC to a frustratingly slow but still believable bandwidth. He might just think your connection sucks and move on, without suspecting you've throttled him. It can't be impossibly slow, just pretty slow, like 28.8kbps modem slow.
Re:i like to limit my DHCP scope (Score:4, Interesting)
Lots of problems as others point out.Another solution: QOS. Do MAC filtering. Those in the trusted list get full speed. Those not get a much slower speed. Play with it a bit you want it fast enough that the hacker things they own you and doesn't try to figure out your MAC address but slow enough you don't mind losing that much bandwidth and it is painful to the hacker so they go on to other networks. Say 2Mbps with a 64kbps upload. Fast enough to be reasonable for a bottom tier internet package slow enough that no sane leech would choose you as the preferred target. Then enable logging, reduce signal strength, etc other games.
Turn off your WiFi (Score:3, Interesting)
Turn it on at the power button only when you need it. That will make a very poor quality connection for the attacker and they will move on, and it will also save you money on your electricity.
If you can't live without an always-on connection then you will have to get aggressive and really go after the attacker.
Re:Some ideas (Score:4, Interesting)
The techniques you describe will be effective against someone who just wants free Internet access, but if they're attacking for any other reason, it's like going into a bar in the bad part of town and proclaiming how tough you are: it does nothing to improve your safety, but makes you a much more attractive target.
Re:Figure out where he is located (Score:5, Interesting)
Yes, the nerdy solution is to pull the cavity magnetron out of your microwave oven, add a highly directional antenna to the waveguide output, fire that baby up, and blow out the RF stage of his router. Extra nerdy points for plating/honing the cavities to re-tune the cavity magnetron tube to the correct wi-fi frequency (the diameter of the cavity is determined by c=f/lambda where c is the speed of light, f is the wi-fi center frequency, and lambda is the wavelength. Remember, electrons circulate (because of spin=1/2) around the hot cathode, and the basic operation is like that of a whistle or pop bottle (small amount of air moving across opening resonates according to the size of the bottle / small amount of electrons moving across the opening resonate according to the size of the cavity, remember that air is a pressure wave and travels slow, electrons and em radiation travel at the speed of light). Its been too long since I studied radar/electronics engineering.
Re:Why lose your time? (Score:2, Interesting)
My friend is just a script kiddy, but he can use BackTrack Pro 5 to break into almost any wireless network in 15 minutes (WEP) or 2 days (WPA2 using rainbow tables)
This can be alleviated by obfuscating the SSID and using a long non-dictionary PSK. If your SSID is something like "#@$%MFklsfdl;aksdf#$%@$" there are unlikely to be rainbow tables available.
Pwn him with a zero day (Score:4, Interesting)
Insert a Javascript zero day into his HTTP traffic and take care of his computer. He'll never know what took him out.
Nah, teach the little hacker about malice. (Score:5, Interesting)
Then, setup a transparent linux proxy server that replaces any executable file downloaded with your malware, and put it between your internet connection and an open wireless network.
Let the little turd use your free wifi internet to his heart's content, and wait for him to install the malware when he's trying to install something legitimate. Then, wait for your malware to send you the details of who he is, what his credit card numbers are etc.
Finally, go to the local coffee shop that gives out free wifi with every coffee purchased, and drop all those details you collected on pastebin.
Problem solved.
Re:Why lose your time? (Score:4, Interesting)
I run an unsecured WiFi network (no WEP, WPA or WPA2).
On the other hand, the only traffic accepted by my access concentrator is OpenVPN traffic. So yes, anyone can get an IP address from my DHCP server, but they can't do much with it unless they somehow break SSL public-key auth or obtain a copy of my key and certificate.
Re:"Unauthorized Access" is a Felony. (Score:4, Interesting)
Under State law, I am required to stop the progress of a Felony by law, or be an accessory.
Cite? I'm quite familiar with this area of the law in several states, and I'm skeptical that Florida requires you to intervene.
Re:I've used Wifi Analizer (Score:3, Interesting)
Most ham radio clubs have fox hunting events now and then, where they see who can be the first to find a hidden transmitter. I know you mentioned possibly contacting the local ham radio club. I have never participated in a fox hunt, and don't know much about doing that, but presumably they would each use a held directional antenna to see which direction the signal is strongest from.
I wonder which wireless monitoring applications on a laptop or cell phone would show more than just the nearby wireless routers? The old laptop that I occasionally use, only shows the nearby wireless routers.
Since he is an advanced Wi-Fi leach, he is probably has a high gain directional antenna, and is likely to be somewhat further away from the wireless router than is typical for Wi-Fi. I am not sure how far away he could be with such an antenna.