Ask Slashdot: Dealing With an Advanced Wi-Fi Leech?

An anonymous reader writes "Recently, I had found out (through my log files) that my wireless router was subject to a Wi-Fi Protected Setup (WPS) brute force PIN attack. After looking on the Internet and discovering that there are indeed many vulnerabilities to WPS, I disabled it. After a few days, I noticed that I kept intermittently getting disconnected at around the same time every day (indicative of a WPA deauthentication handshake capture attempt). I also noticed that an evil twin has been set up in an effort to get me to connect to it. Through Wi-Fi monitoring software, I have noticed that certain MAC addresses are connected to multiple WEP and WPA2 access points in my neighborhood. I believe that I (and my neighbors) may be dealing with an advanced Wi-Fi leech. What can I do in this situation? Should I bother purchasing a directional antenna, figuring out exactly where the clients are situated, and knocking on their door? Is this something the local police can help me with?"

Change your WPA keys

[supersat]

WPS works by giving out your WPA keys, so if they've gotten in once through WPS, they will continue to have access.

Re:i like to limit my DHCP scope

[fruitbane]

Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.

Re:i like to limit my DHCP scope

[faedle]

Doubt that would work. The leecher has already demonstrated a knowledge of layer-2 attacks against 802.11, I doubt limiting your DHCP scope is going to stop them. They'll just null handshake one of your devices off the WLAN.

Re:Change your WPA keys

[Anonymous Coward]

I hope parent meant WPA2 rather than WPA.

And use a strong pass phrase with a non-dictionary-word ssid.

Some ideas

[Proudrooster]

Lock incoming connections down by MAC address and disable your SSID. This will probably make them go away. Also, run WPA2+AES and pick a longish WIFI key.

If you have an ASUS Dark Knight router you can setup multiple SSIDs (guest networks) that disconnect every 60 seconds and name them "StopStealingMyWifi". This way you real SSID is hidden and your multiple guest networks are visible, but are unusable. You can also set hours of operations for your radios on the ASUS and turn off your radios at night and when you are not home. Lastly, if you are running dual band, turn off the 2.4 Ghz and run on the 5Ghz band. The 5Ghz signal travels poorly outside your home. WIFI is tough to secure with all of the WIFI hacking tools, but get a good router and rotate shield frequencies and should go away.

Lastly, here is an article on the subject.... this article disagrees with me on disabling your SSID and I am sure others will have an opinion....
http://www.wikihow.com/Secure-Your-Wireless-Home-Network [wikihow.com]

WPA2-Enterprise

[Rinisari]

* Use enterprise auth to a RADIUS server with an LDAP backend?
* Lower the transmit power to something that just works within your place?
* Use just A or just B or just N? Maybe they're on older tech?
* Configure your router not to well, route. Use it as just an AP and you have to manually set the IP info on your machines, and the router is not *.*.*.1 on the network.
* Do the above, but use an external VPN for all of your traffic. A static route in the router gets you onto the VPN.
* Change your SSID to something threatening to indicate that you're onto them and that you asked Slashdot how to make them stop?

Re:i like to limit my DHCP scope

[ios and web coder]

Why even do that? Simply set up a list of accepted MAC addresses and give them assigned IPs. Don't provide any service to a MAC address not matching known. Unfortunately, that only stops your router/AP from handing out IPs. They can still eavesdrop and work on listening in on traffic.

I use reserved MAC addresses and a non-trivial WPA2 password. The router won't connect any unknown MAC addresses.

That seems to work for me.

If they crack that, they aren't leeches. They are crooks. Call the FBI.

a few options, but annoying

[datapharmer]

So yes, I've dealt with it. The easy solution is go wired for a while, setup a honeypot and track them down. Once you know where they are let them know you are less than pleased and if they don't stop there will be a call to the FCC and local authorities as well as a civil suit for harassment. If you can't go wired Lower your ACK timing and transmit power so they can't get a good signal without standing on your doorstep. switch to a certificate based system instead of a password based system with a new ssid. On the new system setup a proxy that requires additional authentication to reach the internet. Assign static macs to your own devices and block all other local IPs via iptables to prevent them from self-assigning one. As for deauthentication attacks, the best bet is to find them and ans send over a nastygram.

Your options depend on your hardware

[BlueBlade]

Basically, there's nothing you can do if you keep using WPA.

One option is to lower your wi-fi antenna power to exclude the area where the attacks are coming from. This can be hard to do if you need good coverage for a whole house or some such.

Your best bet would be to use either 802.1x or EAP-PEAP. That's highly dependent on what router you're using, usually only high-end routers support these options, although some home routers certainly do (I remember the good old WAP54G supporting it). If you're going 802.1x, just setup a radius server, configure your devices and you're pretty much set. If you go the PEAP route, you'll need some certificates, and possibly a radius server unless you use client certificates for authentication.

Both options will foil your wannabe hacker. Plus, you'll likely have the only advanced Wi-Fi setup around, gaining you geek creds ;)

Re:i like to limit my DHCP scope

[Synerg1y]

Let's see...

As per OP set up MAC address filtering, if this guy is trying to set up evil twins & trying to do handshake captures on your network, MAC addresses are spoofable.

I also like to hide the SSID just to make things harder, but if he's passive listening, that may not help either... though at this point, a hidden SSID with WPA2 encryption does not make for an attractive target, esp. when the MAC needs to be spoofed (I wouldn't know this till i broke through the 1st 2).

However, the single most effective thing you can do is limit your antenna's radius... if your router's stock firmware can't do it, dd-wrt and friends can. Stand outside your house till you can't connect to your wifi at your fence anymore, adjusting the radius in increments.

Last, but not least, go buy a steel fish line and drywall saw at home depot and wire up your house w ethernet ports and disable your wifi. Tough luck on the phones though, unless you can find an adapter for them.

Re:simple

[icebike]

Won't work if the hackers are on the same transformer leg as you. In an apartment building, that is almost guaranteed to be the case.

Re:i like to limit my DHCP scope

[Anonymous Coward]

This is why I am flabbergasted that with all the problems people have with security with WEP and WPA that it never occurred to anyone to do a DHE key exchange before swapping anything that requires the preshared key and adding an artificial minimum to the time between authentication attempts of any kind, such as 15 seconds. That would instantly fix the current weakness with WPA2 and slow down all unknown attacks in the future.

Re:Figure out where he is located

[Artraze]

This is news for nerds, jock solutions like that aren't welcome here!

Correct solution:
Pinpoint the attacker using a highly directional 2.4 GHz waveguide antenna. Once you're sure only the attacker is visible, attach a microwave magnetron to the antenna and watch him burn.

Re:Change your WPA keys

[gweihir]

Make that WPA2 and use a random-key. AFAIK WPA2 is still unbroken.

evil twin

[Spazmania]

The evil twin makes finding the culprit a cakewalk. Download inSSIDer and walk around. When the evil twin's signal is strongest, you're outside his door.

Re:Sounds worse than a leech

[Nefarious Wheel]

Come to Australia. You might accidentally get killed from the local fauna, but there are some very intelligent people in the constab. They're not all on the streets running the breathalysers, perhaps, but the ones I've dealt with actually show up if you report you heard a gun shot, and ask questions as if they're thinking about your answers, rather than just recording them. It's almost as if they require the ability to think from their troops. I'm originally from Los Angeles, and the contrast between the two police cultures seems pretty dramatic to me.

Re:brute force 63 characters?

[Time_Ngler]

reaver doesn't brute force the WPA2 password, it attacks WPS. If WPS is enabled on your router, and an attacker cracks that (which has around 11,000 combinations), your router will give the attacker the WPA2 password.

Re:i like to limit my DHCP scope

[Anonymous Coward]

At least it slows him down. He has to find and grab an accepted MAC, and you'll know he's trying to connect as soon as you have a collision on the DHCP.

Yea, it'll take him another 30 seconds to spoof his MAC address. That will really slow him down. *nod*

Re:Figure out where he is located

[Anonymous Coward]

This should be modded Funny, not Insightful.

Re-read the law. Stand Your Ground "lets you shoot" only if fearing for your life or at risk of being badly wounded. Not if you're afraid of being punched.

Re:i like to limit my DHCP scope

[meerling]

Make sure you don't allow admin over wifi. Most routers have a setting so you can only administer it from a wired connection. This isn't an absolute or a fix for the base situation, it's just an extra hurdle for them if they get in and want to screw with you for fighting back.

Hidden SSID = Bad Juju

[kroby]

It is widely known by security professionals that hiding your SSID actually decreases security. For starters, it is easy enough to sniff a SSID out of the air. What is more concerning is that wireless clients configured to connect to a hidden network will constantly try to connect to any wireless network, essentially asking "Are you my network?" A malicious access point could say, "Yup, sure am!" At that point your wireless client will be more than happy to divulge your preshared key. There are even affordable retail products that accomplish this out of the box. Check out the Wi-Fi Pineapple.

Re:i like to limit my DHCP scope

[icebike]

Don't you have to crack the WPA2 before you can find one of the valid mac addresses?

Don't think so.

Stations brodcasts its mac address to the access point in clear text.
http://www.maxi-pedia.com/how+to+break+MAC+filtering [maxi-pedia.com]

The stations may also send beacons, depending on how they are configured.
http://www.wi-fiplanet.com/tutorials/article.php/1492071 [wi-fiplanet.com]

Re:If he joins your network...

[Anonymous Coward]

no such word as administrate, the word is "administer". An administrator, administers he does not administrate !

Re:Does your router support captive portal?

[Mr. Freeman]

This story contains a hilarious amount of bullshit.

Re:brute force 63 characters?

[buddyglass]

OP already said he disabled WPS.

Re:I've used Wifi Analizer

[Mr. Freeman]

"My guess is that this individual is conducting illegal activities through yours and your neighbor's connections"

This is highly likely. The guy has invested much time and effort in this so they clearly have motives other than saving a few bucks. OP should make attempts to locate this guy and to shut him down. Use laptops or cell phones with wireless monitoring applications to locate the guy's AP. Nothing too fancy, just do a bit of sneaker-netting while watching the signal strength. You don't need to triangulate the location to within a foot, you just need to get a general idea of where this thing is. Once you get close you should be able to tell which building/car it is in. If this yields inconclusive results then contact the local HAM club. They may be able to assist you in locating a rogue AP or wifi leech in exchange for beer and pizza.

Also, OP needs to file a police report. Will the police do anything? No, of course not. However, it will help to shield OP from liability when the FBI comes knocking in regard to whatever illegal activities are being conducted through his internet connection. He'll be able to point to the police reports as evidence that someone else was on the network long before the authorities showed up.

This is an attack, not a leech

[Jimmy_B]

First of all, just to be clear: this isn't leaching, this is someone doing something nefarious. If they just wanted free bandwidth, they would never set up an evil twin network. Most of the replies on this thread are bad advice assuming it's a leech. The person responsible might be nearby, but probably not; if you track down the computer that's responsible, you're likely to find that its owner doesn't know what's going on and it's been taken over by an anonymous attacker over the Internet. Or you'll find a PwnPlug.

The first thing you need to do is notify the police that you're being targeted by hacking. This is important; if your computer/network is taken over and used for something illegal, which is likely to happen, this will protect you. Second: you need to notify your employer, as well as anyone whose confidential data you're in possession of. And third: you need to harden your computer security, and figure out why you might have been targeted.

Re:i like to limit my DHCP scope

[bcmm]

On a modern network, it is.... at least at the consumer level where nobody knows how to configure a subnet manually, but if you're managing any kind of large scale network it becomes very difficult to work with static configurations on every workstation even when you know how.

My point is that it is *incredibly* trivial to connect to a wireless router that has DHCP enabled and just use an IP address of your choosing. It's a perfectly normal thing to do if you want to be able to predictably SSH a machine or something, and even MS Windows has a GUI way of doing it. Somebody who is sniffing network traffic and cracking encryption keys can easily determine which addresses are already in use, and in practice, if you take an address at the high end of the range (e.g. 192.168.1.250), you won't run in to any trouble with other clients.

Re:Figure out where he is located

[khallow]

Note that Martin didn't allegedly just punch Zimmerman, but also beat his head into the concrete several times. That's a lot more harmful than a punch.

Re:Change your WPA keys

[petermgreen]

There are two operating modes for WPA2, PSK and enterprise. The vast majority of wifi networks run in PSK mode.

In PSK mode all nodes (both end user and access point) use a shared secret key. Anyone with thatkey can decrypt any packet, spoof any user etc. So you had better make sure only truested devices have the key.

In enterprise mode each end user has their own login and the system is supposed to protect the users from each other as well as from outsiders. The article you linked was about a flaw in enterprise mode that effectively degraded security to equivilent to PSK mode. It's a fairly serious issue for large enterprise deployments but not something that should be a concern for end users.