problem neighbour keeps stealing wifi

e_dawg

Storage Freak
Joined
Jul 19, 2002
Messages
1,903
Location
Toronto-ish, Canada
Hi everyone,

Been a long time (maybe 8-9 years?) Anyways, hoping you guys can help me out. Last year, I got notifications from my ISP that I have exceeded my monthly cap within days of starting the month. Turned off tablets and anything that could possibly be using content, and the next day I was still using bandwidth at 15+ GB a day. Obviously, someone hacked into my Wifi. So I changed what I thought was a secure WPA2/AES password (~20 characters with punctuation, numbers, letters, mixed case etc) to something much longer and no problems until last month.

Now it happened again. For some reason, I never got notifications from my ISP, but my bill was $500 over the past month+. Checked my logs, and I was consuming 700 GB over the past 7 wks, most of it uploading. It's gotta be a neighbour uploading torrents or something. How do I lock down my Wifi to stop this from happening again? Last time I called the ISP and they were useless. They kept asking if me or my family were downloading videos, if I recently subscribed to Netflix, or left YouTube on, and told me to install an antivirus/malware program.

Keep in mind that I never broadcast my SSID, use WPA2/AES with long secure passwords, disabled WPS, remote / wireless mgmt, and even tried MAC address filtering (although had to disable that because none of my devices could connect even though I whitelisted them).
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
Howdy e_dawg! It has indeed been a while.

I don't think it is your WiFi. I think one of your internet-connected devices has been hacked. Could be the modem itself or some other "smart thing".

Of course, it could also be your devices doing updates and the like...the Win10 pre-load is a monster and they don't ask.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Turn off your wifi and see what happens. You could also have a device with a bot or other malware on it. Or your cloud based backup is misconfigured.

Lastly, are you sure your wireless router isn't vulnerable to a reaver attack?
 

e_dawg

Storage Freak
Joined
Jul 19, 2002
Messages
1,903
Location
Toronto-ish, Canada
Turned off my wifi. Need to wait 24 hours to see if the next day is close to zero GB of uploads. My antivirus is usually up to date. Just downloaded malwarebytes and ran a scan, but there is nothing. PC is clean.

Also inspected the tablets and phones browsers and YouTube histories for the past week, and for the Android devices, the Wifi usage logs, and nothing had been used except for one of the tablets for a couple hours of YouTube this weekend, which should barely be enough for 500-600 MB or so, maybe a bit more.

Googled what a reaver attack is... it seems to be a WPS attack, right? But I always have WPS disabled, so it wouldn't work, would it? Or does it bypass the control panel setting anyways?

The router is an old Dlink which supports 802.11n, but not ac. I guess that makes it more vulnerable?

Called my ISP and asked for them to help me out on the bill. They said a case manager will call me to discuss, but indicated that if I switch to the unlimited tier, they should be able to waive the fee (phew!). Still, I want to stop this from happening again. Will let you guys know tomorrow how much internet usage happens with no wifi.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Googled what a reaver attack is... it seems to be a WPS attack, right? But I always have WPS disabled, so it wouldn't work, would it? Or does it bypass the control panel setting anyways?

The router is an old Dlink which supports 802.11n, but not ac. I guess that makes it more vulnerable?
I don't remember which brand, but one of the major router brands still had WPS enabled even when you set it to disabled in the menu. I'm not entirely sure how you can make sure it's really disabled. I guess try to use the WPS functionality. Otherwise, start rotating your WPA2 keys regularly. A reaver attack should get in in well under 24 hours after a key change so if it takes months for them to get in they may be doing something else. Or they could be abusing lots of people's wifi and it took them that long to get back to you.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
I don't think it is your WiFi. I think one of your internet-connected devices has been hacked. Could be the modem itself or some other "smart thing".

I'm with Ddrueding on this. Except for the updates part; Windows 10 is bad on this regard, but not this bad. Just to be on the safe side, if you have Windows 10, verify that your Windows Updates aren't set to spread the updates on your LAN and on the Internet. The bastards at Redmond regularly reset this parameter (check after every monthly updates batch). I know my setting has been switch to global sharing a few times.

You can generally see who's connected to your Wireless network on your router's web interface. And yes, being an old whatever-brand (D-Link in this case) and having never done a firmware update is bad, security wise.

You could also wrap your router in aluminum foil.
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
BTW, if you can't find a recent firmware update for your router, replacing it with a more modern unit might save you a lot of trouble. Think about it: the 500$ you've wasted could have bought a damn nice router.
 

mubs

Storage? I am Storage!
Joined
Nov 22, 2002
Messages
4,908
Location
Somewhere in time.
D-Link had major vulnerabilities discovered a year or so ago - shockingly bad stuff. In addition, they published some stuff that wasn't meant to be. I don't recollect the details, but I too would recommend you go with a contemporary product and retire your old D-Link.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
You need better logs from your router to determine what to do next. What is the model?
Suffice to say that a determined attacker can Crack WPA2 and spoof mac addresses.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
Are you absolutely sure you aren't running a spam relay or something?
The amount of work required to hack WPA2 isn't really proportional to the amount of benefit from uploading 15GB of data in a day.
If nothing else, your AP should have an indication of what MAC addresses are connected to it. Yes, MAC addresses can be spoofed, but you might want to get a handle on what all is connecting to your AP in the first place. If your neighbor really is using your network, you should be able to figure out the correspondence between connected devices and devices you own with relative ease. If there are no extra devices, you know the traffic has to be generated by something that does already belong to you.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Suffice to say that a determined attacker can Crack WPA2 and spoof mac addresses.
I wasn't aware that WPA2 was hackable if you use a long key, aside from a brute force attack which will take forever. I thought it basically didn't have any known weaknesses and was still considered secure.
 

Mercutio

Fatwah on Western Digital
Joined
Jan 17, 2002
Messages
22,303
Location
I am omnipresent
I wasn't aware that WPA2 was hackable if you use a long key, aside from a brute force attack which will take forever.

Anything that uses Temporal Keying (TKIP) is considered vulnerable at this point. CCMP-AES is only vulnerable to brute force. If AES is broken any time soon, it'll be an encryption holocaust but TKIP has been considered insecure for several years now.
 

Howell

Storage? I am Storage!
Joined
Feb 24, 2003
Messages
4,740
Location
Chattanooga, TN
Yes, it would have been better for me to say that just having WPA2 is not a guarantee. The length of the password is a direct reaction to how quickly a certain length can be brute forced combined with how often you change it.
 

e_dawg

Storage Freak
Joined
Jul 19, 2002
Messages
1,903
Location
Toronto-ish, Canada
So I turned off my Wifi and the bandwidth usage dropped the next day, but was still 8 GB for the day (almost all of it upload). At first, I suspected my desktop computer, but there wasn't enough throughput to even hit 500 MB, and it was mostly download. I then remembered I should check my NAS, so I logged onto my NAS and looked at the performance monitor, and it showed it was uploading ~100 KB/s, which works out to ~8 GB for 24 hours, which basically matches the usage logs from my ISP.

So now I have to wonder why would my NAS be uploading so much data. I don't have cloud backup or anything else enabled where it would have to upload so much. Do you think someone hacked into my NAS? How could I find out? Is there some sort of antivirus or malware utility for NAS devices? I suppose I could try scanning the mounted folder, but what I would like to do is scan the entire drive and remediate it. Any ideas on how to do that? It is a Synology.
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
What NAS do you have? Is it a DIY NAS? Where is the data going? What's on your NAS? Is there stuff on the NAS that isn't yours or you don't recognize?
 

CougTek

Hairy Aussie
Joined
Jan 21, 2002
Messages
8,729
Location
Québec, Québec
So now I have to wonder why would my NAS be uploading so much data. I don't have cloud backup or anything else enabled where it would have to upload so much. Do you think someone hacked into my NAS? How could I find out? Is there some sort of antivirus or malware utility for NAS devices? I suppose I could try scanning the mounted folder, but what I would like to do is scan the entire drive and remediate it. Any ideas on how to do that? It is a Synology.

Update to DSM 6.0 and change your admin password.
 

e_dawg

Storage Freak
Joined
Jul 19, 2002
Messages
1,903
Location
Toronto-ish, Canada
What NAS do you have? Is it a DIY NAS? Where is the data going? What's on your NAS? Is there stuff on the NAS that isn't yours or you don't recognize?

Synology DS409. Not sure what is on there that isn't mine. I don't know how to access system folders and the like. Just took a quick poke around my data folders and couldn't find anything... I really don't know what I am doing on this thing. It just has a basic GUI and I don't know how to troubleshoot it like I would a Windows box. If I could install malwarebytes, a good antivirus program, Glasswire (like wireshark, but easier to use) and other such utilities on it, I could probably tell you more.
 

ddrueding

Fixture
Joined
Feb 4, 2002
Messages
19,747
Location
Horsens, Denmark
Just change the default gateway to take it off the internet. See if your bandwidth issues go away. If that is indeed the culprit, there is a way to re-install the OS without losing your data (of course, you should have a backup somewhere anyway).
 

Stereodude

Not really a
Joined
Jan 22, 2002
Messages
10,865
Location
Michigan
Why is the NAS connected to the internet?
Most devices that pull an IP from your DHCP server connect themselves to the internet. Maybe to check for updates, maybe to use NTP, etc... The NAS is probably set up so you can share content over the internet.
 
Top