How Difficult is it to Break Into a Wireless Network in 2020?

Zarathustra[H] (Extremely [H], joined Oct 29, 2000, 38,744 messages)
Hey all,

I am curious about this.

A few years ago before I really was as concerned about privacy and IOT as I am today, I bought a few Nest thermostats. They have worked very admirably, saved me energy, and in general I am very happy with them, but over time the data collection and security angle increasingly has me concerned, especially now that Google owns them.

So, I decided to take the opportunity when moving to a new house to reconfigure my network. At the very least I should isolate those fuckers on their own VLAN on a separate subnet.

A vastly oversimplified view of the relevant portion of my network is as follows:

pfSense Router -> Main Mikrotik Switch -> Secondary Mikrotik Switch -> Ubnt Unifi AV LR access points

So, I created a new VLAN on my pfSense router, with its own dedicated subnet and DHCP address pool. I firewalled off access to and from the subnet from the other subnets on my network. I configured the VLANs on my switches. Then I created a new SSID dedicated to Nest with a strong password using WPA Personal, and assigned it the appropriate VLAN, and logged on to the dedicated SSID with my laptop to test.

- Internet access works. (Unfortunately that's how Nest thermostats work, need to communicate with the Google mothership)
- Cannot reach the configuration for pfSense, which is good
- Cannot reach any other subnets on my network, which is good.

Alright, time to install the thermostat.

A MAC address starting with 18:b4:30:xx:xx:xx shows up in the dedicated subnet, and it works the way it is supposed to. Great!

Until next day when I discovered a strange mac address in my client list in the Unifi server.

Strange. MAC address is 0e:83:36:27:7e:5f, which has no vendor associated with it in MAC address lookup.

NOTHING else has been connected to that dedicated net that I am aware of.

I did some googling, and found some reports of spurious mac addresses popping up in Unifi during sleep or improper shutdown startup of wireless devices resulting in malformed headers. This could have caused it I guess. Strange that I've never seen it before though, as I've been using Unifi for 8 years.

Just to be sure, I decided to check the pfSense logs. If this were just a spurious header, then there shouldn't be anything in there, as it would never have requested an IP from the DHCP server. I found that it DID request an IP from the DHCP server. Further review of Unifi data suggests that this mystery mac address proceeded to download some 268MB and upload 16MB.

So I can only think of two reasons for this.

1.) Someone has broken into my dedicated Nest network, and did so the same day I set it up, after never getting into my main network. Hung around for a couple of hours, and now has not been seen in 24 hours.

2.) Nest devices spawn a secondary MAC address for some purpose, either a second wireless connection, or some sort of internal VM or alternate thing. Who knows what sneaky shit Google has going on.


I'm not sure how likely #1 is, which is why I am asking. I understand breaking WPA is pretty trivial if WPS is enabled, but I don't have WPS on my Unifi system. It's WPA Personal with AES/CCMP (I presume it is WPA2, but the user interface just says "WPA Personal"). I used to live in a tighter-in suburb in a very tightly populated and busy area. In 6 years of using Unifi there with the same settings I never had an unexplained MAC address. Here I'm comparatively more rural. Seems odd.

As far as #2 goes, I've had these Nests for years. If they randomly spawned alternate MAC addresses for whatever nefarious purpose Google uses them for, I think I would have seen it before...

I'm a little stumped.

Any thoughts/recommendations?
 
For starters block all MACs other than the ones printed on the NESTs. Or set up a packet capture to capture all traffic on the VLAN excluding what you believe to be legitimate devices.

Also, according to your logs, to what IP did this spurious MAC connect for its up/downloads? Who owns it?
 
For starters block all MACs other than the ones printed on the NESTs. Or set up a packet capture to capture all traffic on the VLAN excluding what you believe to be legitimate devices.

I'll look into that, thank you.

I had been under the impression that filtering by MAC address was mostly useless due to how easily it is spoofed, but I guess if only the MAC addresses that are in active use by the Nests are allowed, any spoofer would have to choose a MAC that is already in use, which would just cause problems, so I guess it would work for this application.

I know, you wouldn't tell by the setup I'm running, but I am more of a home pro-sumer hobbyist, and have no real background in IT stuff professionally.

I'm not familiar enough with packet capture to know how to do that, but I'm going to read up on it. Thanks.

Also, according to your logs, to what IP did this spurious MAC connect for its up/downloads? Who owns it?

Sadly I don't have that level of detailed logging turned on. I am going to enable it in case I have any future issues.

I may have to add a larger drive to my pfSense box though, as I have it booting off of a tiny little biWin SSD which I'd imagine could quickly be filled up with logs.
 
Are you sure it wasn't just a case of MAC address randomization/privacy? It may have happened when you initially connected to the new SSID to test it. Your PC wouldn't have known the network is trusted and generated a new MAC. Do the times in the logs correspond at all to when you were setting things up?

It's possible the Nests are doing this, but it seems unlikely. Unless someone left the randomization code in the network stack.
 
For starters block all MACs other than the ones printed on the NESTs. Or set up a packet capture to capture all traffic on the VLAN excluding what you believe to be legitimate devices.

Also, according to your logs, to what IP did this spurious MAC connect for its up/downloads? Who owns it?

Do you know how easy it is to spoof a MAC?
 
Are you sure it wasn't just a case of MAC address randomization/privacy? It may have happened when you initially connected to the new SSID to test it. Your PC wouldn't have known the network is trusted and generated a new MAC. Do the times in the logs correspond at all to when you were setting things up?

It's possible the Nests are doing this, but it seems unlikely. Unless someone left the randomization code in the network stack.


This is possible. I did not know randomization of MAC addresses was a thing. I've never seen this in my logs before.
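The randomization explanation in the reply above can be checked against the address itself: the IEEE "locally administered" bit is bit 1 of the first octet, and 0x0e has it set, so 0e:83:36:27:7e:5f is shaped like a randomized or hand-set MAC rather than a burned-in vendor one (which is also why no OUI lookup matches it). The script below is an added example, not code from the thread or from pfSense: it parses DHCPACK lines in the ISC dhcpd format pfSense logs, maps each MAC to the IP it was handed, and flags anything that is not on the allow-list of MACs printed on the Nests as either locally-administered or an unknown vendor address. The log lines, hostnames, IPs, interface name and the full Nest MAC are constructed; the 18:b4:30 prefix and the 0e:83:36:27:7e:5f address come from the thread.

```python
import re
from collections import OrderedDict

# Constructed sample, in the shape of the ISC dhcpd messages pfSense writes
# to its DHCP log; hostnames, IPs and the interface name are made up.
SAMPLE_DHCP_LOG = """\
Mar  1 09:12:01 pfSense dhcpd: DHCPREQUEST for 10.50.0.21 from 18:b4:30:aa:bb:cc (nest-upstairs) via igb0.50
Mar  1 09:12:01 pfSense dhcpd: DHCPACK on 10.50.0.21 to 18:b4:30:aa:bb:cc (nest-upstairs) via igb0.50
Mar  1 14:40:17 pfSense dhcpd: DHCPDISCOVER from 0e:83:36:27:7e:5f via igb0.50
Mar  1 14:40:18 pfSense dhcpd: DHCPACK on 10.50.0.57 to 0e:83:36:27:7e:5f via igb0.50
Mar  2 08:03:44 pfSense dhcpd: DHCPACK on 10.50.0.58 to 3c:22:fb:11:22:33 (laptop) via igb0.50
"""

# The MACs printed on the Nest units. Hypothetical value: the thread redacts
# the real one as 18:b4:30:xx:xx:xx.
ALLOWED_MACS = {"18:b4:30:aa:bb:cc"}

DHCPACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})",
    re.IGNORECASE,
)


def is_locally_administered(mac: str) -> bool:
    """True when bit 1 of the first octet (the IEEE U/L bit) is set.

    Randomized client MACs on Windows, iOS and Android set this bit, and so
    do most hand-spoofed addresses; a burned-in vendor address has it clear.
    """
    first_octet = int(mac.split(":")[0], 16)
    return bool(first_octet & 0x02)


def oui(mac: str) -> str:
    """The first three octets, normalised to lower case, for vendor lookup."""
    return mac.lower()[:8]


def parse_dhcp_acks(log_text: str) -> "OrderedDict[str, str]":
    """Map each MAC that completed a DHCP exchange to the last IP it was given."""
    leases = OrderedDict()
    for line in log_text.splitlines():
        m = DHCPACK_RE.search(line)
        if m:
            leases[m.group("mac").lower()] = m.group("ip")
    return leases


def classify(mac: str, allowed: set) -> str:
    """Allow-list first; then the U/L bit decides how to label an unknown MAC."""
    if mac.lower() in allowed:
        return "allowed"
    if is_locally_administered(mac):
        return "locally-administered (randomized or spoofed)"
    return "unknown vendor MAC"


def triage(log_text: str, allowed: set = ALLOWED_MACS) -> list:
    """One row per leased MAC: address, IP handed out, and a verdict."""
    return [
        {"mac": mac, "ip": ip, "verdict": classify(mac, allowed)}
        for mac, ip in parse_dhcp_acks(log_text).items()
    ]


if __name__ == "__main__":
    for row in triage(SAMPLE_DHCP_LOG):
        print(f"{row['mac']}  {row['ip']:<12}  {row['verdict']}")
```

The IP column is what lets the next step happen: once a suspicious MAC is tied to a lease, the firewall log entries for that IP (after logging is enabled on the pass rule, as discussed later in the thread) show where the traffic went. A locally-administered verdict is consistent with a laptop using MAC randomization on a network it had not seen before; an unknown vendor MAC that is not on the allow-list is the one worth a packet capture.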
 
Also, according to your logs, to what IP did this spurious MAC connect for its up/downloads? Who owns it?

Sadly I don't have that level of detailed logging turned on. I am going to enable it in case I have any future issues.

I may have to add a larger drive to my pfSense box though, as I have it booting off of a tiny little biWin SSD which I'd imagine could quickly be filled up with logs.

Alright, I figured out how to increase the rolling log file size from its default of 499.5kB to about a gig.

Then I figured out how to enable logging on the default "pass all" rule at the bottom on the lan.

So, if this happens again, I'll have more of an idea what was going on.

I just hope it doesn't wear too much on the crappy 60GB biwin SSD I used for my custom pfSense build
 
This is possible. I did not know randomization of MAC addresses was a thing. I've never seen this in my logs before.

I believe it's a setting for 'untrusted' networks in Windows, and of course, most operating systems will allow administrators to change MAC addresses on interfaces; this is even useful and sometimes necessary for virtualization for say DHCP organization too.
 
Can you point the logs to an aggregation VM or container on a fileserver?

Yeah, I could pass it to a remote syslog server, but then I'd have to create another VM, and create another project I haven't done before. I have a few things on my to do list which are higher priority.

I'm probably just going to wind up monitoring the SMART data on the pfSense box every now and then.
 
Do you know how easy it is to spoof a MAC?

Terribly easy, doing it right now in fact. As it is none of my ISP's business what I have connected to their network. I used to smile when I called into support and they would not understand what the device was connected to the cable modem. At that time it was even more amusing to tell them it was an RS/6000 running Firewall-1 and hear the silence of not understanding a word I just said on the other end. Yes, I'm that kind of asshole. Same fake MAC today different obscene hardware for a home... :)

That said, if the only MACs allowed are the devices that are online then it will be dead obvious something is awry when it gets spoofed. I'm not convinced something nefarious is going on which is why it would be easiest to start with finding out the endpoint and its owner. My money is on Google. Still BS mind you but not the BS the OP is suspecting. If the owner turns out to be suspicious I would go the packet capture route and try to find out what they are doing.
 
Well,

I decided to go ahead and create a container on my main VM server to capture logs using rsyslog. It was surprisingly simple.

It's capturing ALL the firewall logs now. No idea how large the log files will wind up being, but I set them up so they are writing to my main NAS, so no matter what I don't expect any out of space issues :p

Thank you for all the suggestions.

And I agree, some sort of quirk is more likely to blame than nefarious activity, but it always makes sense to prepare for the worst with these things, IMHO.
 
Terribly easy, doing it right now in fact. As it is none of my ISP's business what I have connected to their network. I used to smile when I called into support and they would not understand what the device was connected to the cable modem. At that time it was even more amusing to tell them it was an RS/6000 running Firewall-1 and hear the silence of not understanding a word I just said on the other end. Yes, I'm that kind of asshole. Same fake MAC today different obscene hardware for a home... :)

Nice. I used to do this back in the very early days of broadband, when ISPs were trying to tell us that you needed one subscription per PC, and routers were verboten.

Had the cable guy come in and set it up on my main PC, then as soon as he left I spoofed the WAN MAC on the router to match that of the PC he set it up on.

These days I don't even bother. If they look up the WAN MAC on my pfSense box it will say "Intel Corporation" and they won't be able to do much with that information, even if they wanted to.

Edit:

Actually that's weird. The OUI on my NIC is "Intel Corporate" not "Intel Corporation". Either way, same thing applies.
 
My guess is mothership-seeking VM on the nest. How many times have you installed the nest on a new network configuration (or locale), or has it lost power for a significant amount of time in the previous years? May be an initialization / check for updates step; weird way to do it but, eh -- I don't typically grok what the googleheads are doing (and usually automatically ascribe stealing every facet of my online personality to them, hahaha).
 