How to secure old hardware against WiFi snooping?

Joined
Jun 26, 2020
Messages
24
I have a legal adversary who spends a fortune on private investigators and informants to learn more information about me to gain leverage and discredit some of my statements. I receive "Your WiFi is not secure..." hints by credible law enforcement and 911 EMS connections, but they can't say more. Those hints include looking into "EPDG WiFi Calling", "KRACK Attack", and "Horses". One of my neighbors owns horses, has very tight business and money-related beneficial connections to my legal adversary. That same neighbor has horse-related WiFi SSID names and they are almost in range for my phone to pick it up when I am in my room.

Sometimes random strangers come in contact with my friends, household residents (usually in person) and throw hints, vague suggestions, and insinuations that both I and my household residents should go outside with our phones or WiFi devices and spend time in areas that just happen to be in good range of my neighbor's horse-named WiFi SSID points or specific areas of town with insecure public WiFi. Following those suggestions results in either the same or different strangers throwing hints about learning something new that occurs in my friends', household residents', and/or my network. The more I secure my house residents' digital life and household network (especially WiFi), the more aggressive those strangers become in their hints and vague suggestions. They also increase their frequency of showing up in random outfits around my household, pretending to be performing some public work, such as blowing leaves.

The problem is that I can't control and secure everything in my household network. Using secure email accounts, WhatsApp/Signal, stopping use of IMS, changing all landline and mobile phone numbers, carriers, deleting some accounts, changing some account usernames, emails, passwords, adding 2-step authentication, blocking ports, blocking local network device discovery, etc. is not going to prevent WiFi snooping on at least 2 WiFi-only devices (no SIM cards) that are without VPN and are very susceptible to KRACK Attack. The data coming from those 2 WiFi devices to router is leaking. I don't know what to do about it... These devices are too dear to household residents, can't be updated further, and do not have VPN support. The only good part is that no person-to-person communication takes place on those devices. They are exclusively for media playback, but they are connected to several accounts. What can I do?
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
661
I'm not going to address most of this, keeping with the theme, horsesh*t, but I will address this part.

The data coming from those 2 WiFi devices to router is leaking. I don't know what to do about it... These devices are too dear to household residents, can't be updated further, and do not have VPN support.

If you know that you have compromised devices on your network you remove those devices. It does not matter how anyone feels about the inanimate, infinitely replaceable, consumable, junk. It is not special. If you feel differently about knowingly keeping these devices on and active on your network then you are the problem.
 
Joined
Jun 26, 2020
Messages
24
Household resident response: "I don't care if it's compromised. I have nothing to hide!" Explaining how having nothing to hide is BS and how it affects everyone else on the network does not help. I can only explain, advise, and if allowed, make changes.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
661
Household resident response: "I don't care if it's compromised. I have nothing to hide!" Explaining how having nothing to hide is BS and how it affects everyone else on the network does not help. I can only explain, advise, and if allowed, make changes.
Is it your house your network? If so act like it. If not move or disconnect from it.
 

Grebuloner

Gawd
Joined
Jul 31, 2009
Messages
869
I can only explain, advise, and if allowed, make changes.

You are not the adult of the house? Or are you not related to the other people? If this isn't your family you're living with, it's time to move out.

Or, consider this approach: ACCIDENTS HAPPEN.

"Oh no! I tripped and crushed your thingy! I'll buy you a new one."

"Oops, I didn't realize it was on the edge of the sink and bumped it into the water, guess I'll have to replace it."

"The power cable was damaged and shorted out your device? My bad!"

Etc.

Other solutions exist if you're willing to spend the money. KRACK has been fixed for 2 years at the device level, buy an enterprise AP and keep it updated. Or, make your own subnet off the network and run a VPN through that. Doesn't matter what the rest of the house is doing, your stuff is separated.
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
4,721
Repaint the house with emr paint, say you were tired of the old color?
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
22,766
Is it your house your network? If so act like it. If not move or disconnect from it.
that^^

 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
136
If I'm correct I'd assume these 'residents' are renters or employees on your own network, and you're the one providing wifi for them. Short of removing them from the network, the other option is to segment them. Put them on their own subnet, create FW rules that only allow them to talk to each other, and the Internet. Don't allow them to talk to anything else on your network. If they must access the media server, segment the media from your main network as well. Allow communication from your main network to your media server, and from those wifi devices to the media server. Then block any traffic from the wifi to your main network, and block any traffic originating on the media server to your main network, but allow established traffic originating from your main to your media server. This way if they try to pivot from these bad wifi devices to your media server then they'll be blocked, but you'll still be able to access your media server because your main network will be the one initiating the traffic.
 
Joined
Jun 26, 2020
Messages
24
If I'm correct I'd assume these 'residents' are renters or employees on your own network, and you're the one providing wifi for them. Short of removing them from the network, the other option is to segment them. Put them on their own subnet, create FW rules that only allow them to talk to each other, and the Internet. Don't allow them to talk to anything else on your network. If they must access the media server, segment the media from your main network as well. Allow communication from your main network to your media server, and from those wifi devices to the media server. Then block any traffic from the wifi to your main network, and block any traffic originating on the media server to your main network, but allow established traffic originating from your main to your media server. This way if they try to pivot from these bad wifi devices to your media server then they'll be blocked, but you'll still be able to access your media server because your main network will be the one initiating the traffic.

That is basically what I am doing...
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
136
That is basically what I am doing...
If you're doing all that and your "legal adversary" is still gathering a bunch of information from you, I'd bet he/she/they aren't using wifi snooping to get the information; if in fact they are getting information, they are getting it another way. There are two other possibilities here, but this is approaching movie level paranoia/fiction but still possible. It could be they are using an Evil Twin attack, or you have a rogue access point on your network. Then there is the ultra-paranoia level where they could be in a van using an IMSI catcher. Neither of these have any real defenses against them and you're SOL.
 
Joined
Jun 26, 2020
Messages
24
If you're doing all that and your "legal adversary" is still gathering a bunch of information from you, I'd bet he/she/they aren't using wifi snooping to get the information; if in fact they are getting information, they are getting it another way. There are two other possibilities here, but this is approaching movie level paranoia/fiction but still possible. It could be they are using an Evil Twin attack, or you have a rogue access point on your network. Then there is the ultra-paranoia level where they could be in a van using an IMSI catcher. Neither of these have any real defenses against them and you're SOL.

IMSI catcher and info from residents is definitely used, but IMSI catchers are expensive. Carrier WiFi calling (non-encrypted) also catches IMSI - https://thehackernews.com/2016/11/imsi-track-cellphone.html . There are also 2 hidden WiFi points called SV1 and SV1_Ext1 that keep showing up and disappearing when I am in my room, but signal gets stronger in those areas I am advised to visit. I have their MAC addresses, but they point to Apple as vendor. I didn't know Apple makes routers...
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
4,721
IMSI catcher and info from residents is definitely used. There are also 2 hidden WiFi points called SV1 and SV1_Ext1 that keep showing up and disappearing when I am in my room, but signal gets stronger in those areas I am advised to visit. I have their MAC addresses, but they point to Apple as vendor. I didn't know Apple makes routers...
Yeah, Apple Airport (various models). Never used one, personally.
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
22,766
IMSI catcher and info from residents is definitely used. There are also 2 hidden WiFi points called SV1 and SV1_Ext1 that keep showing up and disappearing when I am in my room, but signal gets stronger in those areas I am advised to visit. I have their MAC addresses, but they point to Apple as vendor. I didn't know Apple makes routers...
SV = spy van, you know... ;)
apple makes "airport" routers
 

Machupo

Gravity Tester
Joined
Nov 14, 2004
Messages
5,202
Even I decided to put my nethunter manta out to pasture at some point.... time to move on.

Based upon the spy drama level of the OP, I'd imagine you're not interested in sharing your network topology? I'd imagine you also don't have a bunch of home surveillance devices laying around (nest, alexa, google, etc)? If you're already segmenting, as described above, you could build a separate media server for the dirty network (or cut the luddites off until they get with the program) and completely air gap your wired lab segment. Do you have VOIP set up in your house with a strict no cell (hard shutoff/remove battery) policy?

You can go further high and right with the physical security (e.g. desoldering a microphone and a speaker from something is a pretty quick job), but that seems rather aggressive. Granted, I don't have your level of drama in my life, so what I consider crazy may be your normal.

What sort of IDS/IPS are you running?
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
661
There are also 2 hidden WiFi points called SV1 and SV1_Ext1 that keep showing up and disappearing when I am in my room, but signal gets stronger in those areas I am advised to visit. I have their MAC addresses,
So these same MAC addresses are following you to these other places you are advised to go? Are these other locations in the same facility or elsewhere?
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
136
This sounds to me like someone figured out the very basics of Wireshark and networking and is completely paranoid over something that really isn't happening. "OMG look at all the errors in Event Viewer....my computer is being hacked by the Russian Government!"
 
Joined
Jun 26, 2020
Messages
24
Thank you for all the productive feedback. I know I didn't answer all the questions yet, but I have one of my own - how to secure a telephony cable modem (SIP 2.0, PacketCable 2.0, eMTA) ? Does it even need securing? I have a basic old analog phone that plugs into the telephony cable modem via landline RCA cable. I assume that the cable modem converts the analog signal into a digital one. The management system is online-based (not via modem, but via ISP website). That's all the control there is. There is no encryption. I think I could get MagicJack, but the internet is vague about how to route SIP 2.0 through OpenVPN or WireGuard.
 

Nobu

Supreme [H]ardness
Joined
Jun 7, 2007
Messages
4,721
Thank you for all the productive feedback. I know I didn't answer all the questions yet, but I have one of my own - how to secure a telephony cable modem (SIP 2.0, PacketCable 2.0, eMTA) ? Does it even need securing? I have a basic old analog phone that plugs into the telephony cable modem via landline RCA cable. I assume that the cable modem converts the analog signal into a digital one. The management system is online-based (not via modem, but via ISP website). That's all the control there is. There is no encryption. I think I could get MagicJack, but the internet is vague about how to route SIP 2.0 through OpenVPN or WireGuard.
Your provider would need to support encryption if you wanted your connection to them secure, and both your provider and the person you're calling would need to support end-to-end encryption for complete protection.
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
22,766
Thank you for all the productive feedback. I know I didn't answer all the questions yet, but I have one of my own - how to secure a telephony cable modem (SIP 2.0, PacketCable 2.0, eMTA) ? Does it even need securing? I have a basic old analog phone that plugs into the telephony cable modem via landline RCA cable. I assume that the cable modem converts the analog signal into a digital one. The management system is online-based (not via modem, but via ISP website). That's all the control there is. There is no encryption. I think I could get MagicJack, but the internet is vague about how to route SIP 2.0 through OpenVPN or WireGuard.
just toss it, toss all your connected devices, you'll be safer.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
661
So these same MAC addresses are following you to these other places you are advised to go? Are these other locations in the same facility or elsewhere?
OP I'm guessing the lack of response means you and Nurse Ratched err adversary got things worked out?
 

/dev/null

[H]F Junkie
Joined
Mar 31, 2001
Messages
14,940
Thank you for all the productive feedback. I know I didn't answer all the questions yet, but I have one of my own - how to secure a telephony cable modem (SIP 2.0, PacketCable 2.0, eMTA) ? Does it even need securing? I have a basic old analog phone that plugs into the telephony cable modem via landline RCA cable. I assume that the cable modem converts the analog signal into a digital one. The management system is online-based (not via modem, but via ISP website). That's all the control there is. There is no encryption. I think I could get MagicJack, but the internet is vague about how to route SIP 2.0 through OpenVPN or WireGuard.

Find out what your SIP provider supports. Probably TLS 1.3 is the answer.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
136
It takes years to resolve lawsuits like the one in which I have involvement. BTW, here's a good example of cheap hacking due to poor WiFi security - https://www.theregister.com/2020/09/17/dot_pentesers_expose_wifi/ .
Did you read your own link? Evil Twin attack, AKA setting up another access point, wouldn't have ANYTHING to do with your old hardware being insecure. In addition, to quote the article:
"Without network segmentation, an attacker, once inside a bureau’s network, can pivot to other bureaus and their computer networks without restriction or detection," the red team explained.
proper network segmentation was their downfall.
 

Grebuloner

Gawd
Joined
Jul 31, 2009
Messages
869
proper network segmentation was their downfall.

Indeed. It will cost money, but making a setup direct from the router that creates two separate networks that cannot communicate with each other ensures that what you do to keep yourself safe (weekly password change? SSID change? etc.) has no bearing on what the rest of the house does. But, you won't be able to share hardware or resources with them. Two media servers, two APs (router AP is no longer acceptable), two switches, etc. (I know there are ways to have multiple non-interacting VLANs on the same infrastructure, but this is another layer of segmentation that removes possible weaknesses in that infrastructure).

Turning off AP features like scanning for other APs is also important. But I will say, I enjoy looking at the lists in my Unifi controller of all the cars driving by my house and how insecure many of them are.

I have segmentation in my home network through my pfsense router. It's very easy to do.
 
Joined
Jun 26, 2020
Messages
24
just toss it, toss all your connected devices, you'll be safer.

I am not going down the road of hiding in a closet wrapped in tinfoil, breaking tenants' WiFi devices, dictating how to use their mobile/WiFi devices on a network, or telling them not to act as informants. People's opinions of you do count and can be used for or against you in a court of law. Having tenants say "This person is a paranoid control freak!" is not going to go well. Education, suggestion, help, etc. is the only feasible approach.
Did you read your own link? Evil Twin attack, AKA setting up another access point, wouldn't have ANYTHING to do with your old hardware being insecure. In addition, to quote the article
proper network segmentation was their downfall.

I didn't say it had something to do with my old hardware. I brought it as an example. I was thinking of setting up VLAN's, which requires separate ID's from an ISP, but my ISP doesn't support that. I had to escalate it to a higher level tech to get an answer.

I don't have any intrusion detection hardware, only router-modem (WiFi disabled), another router (to which everyone connects), and Raspberry Pi 2 used as local DNS server with AdGuard Home. AdGuard Home is a Pi-Hole alternative with AdGuard DNS servers + AdGuard filters + DNS-over-HTTPS (DoH) encryption for non-VPN traffic. DoH is not end-to-end encryption, but it's better than using plain-text DNS. I don't know if more hardware is necessary because I am not an expert on network. I think pfSense hardware firewall might be a good idea, but maybe not. I don't know how to identify and prioritize vulnerabilities of my WiFi network, aside from researching on the internet. How would I know whether replacing older hardware is or is not the main reason my WiFi signal is snooped upon? I use Wireshark to see what my own traffic looks like, but not general traffic.

In general, the amount of leakage of information significantly decreased after all the changes I made and investigators' irritation levels escalated to a point of saying "You know, when you use a VPN and apps like Signal, you come off as someone who has things to hide or some hacker or even some kind of a terrorist. Just use Incognito mode and SMS man! Relax!". I think being so pissed off was partly because we were standing next to an industrial shredder when I was disposing of my trash, from which investigators couldn't obtain anything once it was shredded.
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
22,766
I am not going down the road of hiding in a closet wrapped in tinfoil, breaking tenants' WiFi devices, dictating how to use their mobile/WiFi devices on a network, or telling them not to act as informants. People's opinions of you do count and can be used for or against you in a court of law. Having tenants say "This person is a paranoid control freak!" is not going to go well. Education, suggestion, help, etc. is the only feasible approach.
then stop being a pussy and update the shit. i feel like this is now just a troll post.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
136
........ I was thinking of setting up VLAN's, which requires separate ID's from an ISP, but my ISP doesn't support that. I had to escalate it to a higher level tech to get an answer.
........ because I am not an expert on network......
VLANs don't require anything from your ISP, they are done at the switch level, and in your own LAN. They are typically 100% configured internally only and have nothing to do with your ISP. You said in an earlier post you were segmenting these devices. The two lines above make me think that you aren't actually segmenting them at all. If you're hyper concerned, hire a network/security expert to come verify your configs.
 
Joined
Jun 26, 2020
Messages
24
then stop being a pussy and update the shit. i feel like this is now just a troll post.

OK, imagine your landlord knocks on your door and says "Hey, your mobile phone/tablet is too old to be connecting to my WiFi. It is a security risk. Please buy a new one. Also, get a VPN subscription".
 
Joined
Jun 26, 2020
Messages
24
VLANs don't require anything from your ISP, they are done at the switch level, and in your own LAN. They are typically 100% configured internally only and have nothing to do with your ISP. You said in an earlier post you were segmenting these devices. The two lines above make me think that you aren't actually segmenting them at all. If you're hyper concerned, hire a network/security expert to come verify your configs.

Thanks, I will look into that.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
136
Although I think this is a bit of a troll-type post, perhaps unintentionally, but perhaps intentionally I'm not going to speculate on the motive. However, regardless I'm going to share what you can do to make your network a bit safer from the Wifi you're providing to your tenants.

First, set up VLANs and gateways on your router. Typically these take the form of sub-interfaces. Next, assign separate subnets (DHCP pools) to each VLAN ID. Next, set up two separate WiFi SSIDs, i.e. (my wifi) and (tenant wifi), and make sure each is assigned to a VLAN. Test to make sure everything. When a tenant connects to their own WiFi SSID they should receive an IP on a different subnet. For example, when a tenant connects, their IP would be 192.168.3.4 on their WiFi, but when you connect you receive something like 172.16.1.35. Each subnet will have its own default GW within its own subnet; these are the IPs you assigned to the GWs (typically sub-interfaces on your router). After you confirm they can connect and are indeed getting IP addresses on separate networks, and they can access the internet, then you can work on your FW rules. Allow their VLAN out to the internet only, and only to whatever else they need, like the media server. Providing your router has some of these features; not all do. This shouldn't be much for any network/security guy to set up, but is generally out of the realm of most 'typical users'.

I essentially do that with all my IoT devices: they can talk to each other, and out to the internet, but that's it. Now can some of these be bypassed by a really persistent hacker? Sure. But it will make them work much much much harder.
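
The segmentation policy described in the posts above (tenant WiFi may reach the internet and the media server but not the main network; the media server may only answer connections that the main network opened), as an added example that is not part of the thread: a small Python model of a default-drop, stateful forwarding policy for checking a planned rule set before configuring a router. The tenant and main addresses are the ones quoted in the post; the media subnet, the ports, and the names `Firewall`, `ALLOW_NEW` and `audit` are assumptions made for this example.

```python
"""Model of a default-drop, stateful inter-VLAN forwarding policy."""
from ipaddress import ip_address, ip_network

# Tenant and main ranges follow the addresses quoted in the post;
# the media range is an assumption made for this example.
ZONES = {
    "main": ip_network("172.16.1.0/24"),
    "tenant": ip_network("192.168.3.0/24"),
    "media": ip_network("10.0.50.0/24"),
}

# Zone pairs allowed to open NEW connections: (source zone, destination zone).
# Everything not listed is dropped, which is what blocks tenant -> main
# and media -> main. Traffic inside one subnet is switched, never routed,
# so it does not reach these rules and is not modelled here.
ALLOW_NEW = [
    ("main", "internet"),
    ("main", "media"),
    ("tenant", "internet"),
    ("tenant", "media"),
]


def zone_of(addr):
    """Map an address to its segment; anything non-local counts as internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


class Firewall:
    def __init__(self, allow_new):
        self.allow_new = set(allow_new)
        self.conntrack = set()  # flows that were accepted as new connections

    def forward(self, src, sport, dst, dport):
        """Return 'accept' or 'drop' for one routed TCP packet."""
        flow = (src, sport, dst, dport)
        reverse = (dst, dport, src, sport)
        # Established traffic: part of a tracked flow, or a reply to one.
        if flow in self.conntrack or reverse in self.conntrack:
            return "accept"
        if (zone_of(src), zone_of(dst)) in self.allow_new:
            self.conntrack.add(flow)
            return "accept"
        return "drop"


def audit():
    """Replay the scenarios from the thread against the policy."""
    fw = Firewall(ALLOW_NEW)
    main_pc, tablet, media = "172.16.1.35", "192.168.3.4", "10.0.50.10"
    web = "203.0.113.10"  # documentation address standing in for the internet
    return {
        "tenant -> internet": fw.forward(tablet, 40000, web, 443),
        "tenant -> media": fw.forward(tablet, 40001, media, 8096),
        "tenant -> main (pivot)": fw.forward(tablet, 40002, main_pc, 445),
        "media -> main (new)": fw.forward(media, 40003, main_pc, 445),
        "main -> media": fw.forward(main_pc, 50000, media, 8096),
        "media -> main (reply)": fw.forward(media, 8096, main_pc, 50000),
        "media -> main (other port)": fw.forward(media, 8096, main_pc, 50001),
    }


if __name__ == "__main__":
    for scenario, verdict in audit().items():
        print(f"{scenario:28} {verdict}")
```

The last three scenarios show why the "allow established" rule matters: the media server can answer the main network's own connection, but cannot open a new one or reuse the pinhole for a different port.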
 

pendragon1

Fully [H]
Joined
Oct 7, 2000
Messages
22,766
OK, imagine your landlord knocks on your door and says "Hey, your mobile phone/tablet is too old to be connecting to my WiFi. It is a security risk. Please buy a new one. Also, get a VPN subscription".
yeah tough shit, if its being provided as part of rent. it needs to get upgraded to be secure. your shit aint secure and you just keep whinging. fucking do something or stop the troll posts.
 

Nicklebon

Gawd
Joined
May 22, 2006
Messages
661
OK, imagine your landlord knocks on your door and says "Hey, your mobile phone/tablet is too old to be connecting to my WiFi. It is a security risk. Please buy a new one. Also, get a VPN subscription".
If I had a landlord that allowed tenants onto a common network I would not be using it beyond a transport network. I would seek my own service and if not an option I would certainly wall myself off from it. Further, I would suggest you've opened yourself up for a negligence claim should one of your "tenants" hack/snoop/spy on another. Especially so since you now admit knowledge of compromise in a public forum. Playing service provider assumes responsibility you seem to have shirked and willfully continue to do so.
 

Machupo

Gravity Tester
Joined
Nov 14, 2004
Messages
5,202
I would never provide a network for anyone other than family without strict isolation (and even then, all their noise is on its own segment... I don't have enough time to enforce anything beyond basic digital hygiene training). Providing services from my core network to the wild west of tenants? No thank you, Octopus; no pivot points today.
 

daglesj

Supreme [H]ardness
Joined
May 7, 2005
Messages
5,283
then stop being a pussy and update the shit. i feel like this is now just a troll post.


Been a flurry of new accounts like this recently. Basically digging for info, not listening to any of it, winding folks up, reporting said folks for getting 'snippy', then quitting. Walk away.
 