possible wifi security issue

venm11

I've been noticing some inconsistencies and weird behavior in my home wifi setup. I'm starting to suspect some kind of serious security issue.

Periodically, the router (netgear wnr3500) will become unresponsive and not allow anyone to connect, requiring a reboot of the router. I assumed this was typical death by summer heat.

Recently, I've started noticing that my laptop is connecting to a similarly named wireless network that's unsecured. So, if my ssid is "bobsmith" this would be identified in windows as "bobsmith 2". I thought this was a windows bug, but I suspect windows is automatically connecting to a name and not a sensible unique identifier, despite it being aware that "bobsmith 2" is different so as to rename it.

Today, I was wrestling with my wireless bridge and determined that it wasn't connecting to anything. Refreshing the available ssids, it found "bobsmith 2" (unsecured) instead of "bobsmith" (wpa) - which it is set to connect to.

A reboot of my router eliminated this "bobsmith 2" unsecured network and brought back the "bobsmith" wpa-protected one. Once again.

Does anyone recognize this phenomenon?
 
Buy a new wireless router or access point. Do not advertise SSIDs.

Use MAC ID access control.

Never use WEP or WPA, only use WPA2 with AES, edit it so that the encryption key will change at faster intervals.

Past that point security is only as good as you are willing to learn and to implement protocols.
 
the problem is not that my network is being hacked per se, it's that someone is advertising with an identical name and confusing both computers and people. One of the mysteries is why rebooting my router gets *rid* of the offending ssid (as found by my bridge and laptop).
 
hiding ssid will keep your technology impaired neighbor from seeing your network, but it won't keep out someone with some simple wifi tools from seeing your network so it's not really a security feature

go in to your router and check everything to see if any settings look off.. better yet master reset your router.

force https for administration and turn off the ability to remote administer it over the internet.

change the ssid and set up wpa2 with a strong password.

change the admin password to a strong password.

turn off your computer's ability to auto connect to an unsecured network and remove the bogus networks from your preferred connection list.

That should get you started at least.
 
change the ssid and set up wpa2 with a strong password.

Beyond that, turn off WPS if your router uses it. WPS (because someone, somewhere was an idiot) uses a 7-digit pin that authenticates the first 4 digits separate from the last 3 digits. Thus, a maximum of 10,000 attempts is required to gain access to a network with WPS, making brute force attacks practical on many routers. Some routers have received firmware updates to implement various 'anti-brute-force' measures after so many failed attempts, but that's only some routers.
 
Thanks for your responses. Let me clarify my question - How is it possible for someone to broadcast an identical ssid that "knocks off" the original? Why does resetting my router get rid of the bad one?

These are key to understanding what's actually happening
 
Buy a new wireless router or access point. Do not advertise SSIDs.

Use MAC ID access control.

Never use WEP or WPA, only use WPA2 with AES, edit it so that the encryption key will change at faster intervals.

Past that point security is only as good as you are willing to learn and to implement protocols.

Really? He may have a security issue so he should go out and buy a completely new router? And then block SSID broadcasts and use MAC controls which are both ineffectual to even a moderately skilled attacker? Great advice buddy!
 
hiding ssid will keep your technology impaired neighbor from seeing your network, but it won't keep out someone with some simple wifi tools from seeing your network so it's not really a security feature

go in to your router and check everything to see if any settings look off.. better yet master reset your router.

force https for administration and turn off the ability to remote administer it over the internet.

change the ssid and set up wpa2 with a strong password.

change the admin password to a strong password.

turn off your computer's ability to auto connect to an unsecured network and remove the bogus networks from your preferred connection list.

That should get you started at least.

This is good advice. In addition, you may want to read this article.

Anyone can broadcast any SSID they want. I'm not positive but I believe that most OSs will connect to the AP with the strongest signal strength. So it's possible that in some areas, his AP has a stronger signal than your AP is putting out.

I can't explain why resetting your router gets rid of the bad one.

I'm also confused by your "wireless bridge" comment. Do you have a single wireless router or do you have multiple wireless devices?
 
Buy a new wireless router or access point. Do not advertise SSIDs.

Use MAC ID access control.

Never use WEP or WPA, only use WPA2 with AES, edit it so that the encryption key will change at faster intervals.

Past that point security is only as good as you are willing to learn and to implement protocols.

Don't bother using MAC ID filter. Once you have WPA2-AES with a strong password, there is no need because if someone is smart enough to gain access to that, the MAC ID filter won't be a problem at all. Hiding the SSID and using a MAC filter just make it more tedious for one to access their own network with no added benefits once WPA2-AES with a strong password is implemented and WPS is turned off.
 
This is good advice. In addition, you may want to read this article.

Anyone can broadcast any SSID they want. I'm not positive but I believe that most OSs will connect to the AP with the strongest signal strength. So it's possible that in some areas, his AP has a stronger signal than your AP is putting out.

I can't explain why resetting your router gets rid of the bad one.

I'm also confused by your "wireless bridge" comment. Do you have a single wireless router or do you have multiple wireless devices?

The wireless bridge connects ethernet devices to the wireless network. It has a web interface that I can view and select access points with.

The one problem with the bridge is that it's WPA only (it's an old buffalo G bridge). I'm not sure if this is causing the router to fall back from WPA2 to WPA for all devices, or whether it can ad-hoc those standards simultaneously. My laptop is currently connected via WPA (!?). The router is set to WPA + WPA2.
 
Did you actually look at what network you are on when connected to the 'bad' ssid?

It's possible your router is crap/broken and is doing it on its own. Check your public IP when on the 'bad' network and see if it's the same as your 'good' network. That would explain why restarting the router fixes the double ssid issue.....it's not like some guy is broadcasting your SSID and just watching you in case you restart it so he can shut his off.....
 
Did you actually look at what network you are on when connected to the 'bad' ssid?

It's possible your router is crap/broken and is doing it on its own. Check your public IP when on the 'bad' network and see if it's the same as your 'good' network. That would explain why restarting the router fixes the double ssid issue.....it's not like some guy is broadcasting your SSID and just watching you in case you restart it so he can shut his off.....

No, I don't think that person is watching, I think that his advertisement bumps mine, and when I restart, my advertisement bumps his - somehow. As you might suspect, I'm not a networking guy, so this may make no sense technically.

I thought of the errant router theory, but I can't explain why it would suddenly turn off all its security. That sounds like an implausibly preposterous vulnerability. This router does not have a simultaneous public network option.

It's a good idea checking the external address though.
 
Vista and newer throws all kinds of warnings and requires Admin permission to join an unsecured AP. You can change local security policy so it can't join an unsecured AP at all.
This is pretty much a non-issue for Vista or newer. He doesn't know your WPA password, so he can't clone/spoof man-in-the-middle your network.
 
One thing no one has pointed out is, it would be very unlikely your computer would automatically connect to a wireless network that it didn't "know."

So essentially your network is "bobsmith" and when you connected to your network you connected to "bobsmith." Now your PC will remember that network, and automatically connect if its in range.

In order for your PC to connect to "bobsmith2" you would have had to at one time manually told it to connect to that network (as pointed out, vista-newer will warn you that you're connecting to an unsecured network). If you did that, then that network would also have been remembered by your PC. So now it would be possible for your PC to connect to this second network automatically. In fact, your PC will attempt to connect to whichever network is stronger.


So in addition to verifying your network is appropriately secured, verifying that you never click the rogue network (if it does exist) is all the safety you need. You can also "forget" remembered networks, so your PC won't connect to that network in the future. If you're still worried, as others have said, you can eliminate your PC's ability to connect to unsecured networks. However that may hurt you at some point when you're in a public place needing to use wifi.

If this is true, then whoever is setting up a rogue network to try and get you to connect is stupid. They should be easy to defeat. I say this because there is nothing stopping someone from broadcasting the same exact SSID you do, making it even tougher for you to distinguish between the rogue and legitimate networks. The fact that they'd name the network "close but not the same" says to me, they're kinda unintelligent when it comes to wifi. So I'd just shore up some basic things and not worry too much about it.
 
1) Maybe your wireless bridge becomes an AP when it fails to connect?
2) If you unplug both your bridge and router does bobsmith(2) go away!?
3) If you run something like inSSIDer what does it see?

And before you throw everything away why not try to just reset everything to defaults and pick a new SSID and WPA key.
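
An added example, not part of any post in this thread: what a scan like the one suggested above can be checked for, using the per-radio BSSID rather than the network name. It parses a constructed sample laid out like the output of Windows' `netsh wlan show networks mode=bssid`; the function names, the BSSIDs and the "known good" values passed in are assumptions for illustration.

```python
import re

# Constructed sample shaped like `netsh wlan show networks mode=bssid`; BSSIDs are placeholders.
SAMPLE_SCAN = """\
SSID 1 : bobsmith
    Authentication          : WPA2-Personal
    BSSID 1                 : 02:00:00:aa:bb:01
         Signal             : 62%
SSID 2 : bobsmith
    Authentication          : Open
    BSSID 1                 : 02:00:00:cc:dd:02
         Signal             : 88%
SSID 3 : coffeeshop
    Authentication          : Open
    BSSID 1                 : 02:00:00:ee:ff:03
         Signal             : 40%
"""

def parse_scan(text):
    """Return one dict per BSSID with its ssid, auth, bssid and signal (%)."""
    aps, ssid, auth = [], None, None
    for line in text.splitlines():
        key, _, value = (part.strip() for part in line.partition(":"))
        if re.fullmatch(r"SSID \d+", key):
            ssid, auth = value, None
        elif key == "Authentication":
            auth = value
        elif re.fullmatch(r"BSSID \d+", key):
            aps.append({"ssid": ssid, "auth": auth, "bssid": value.lower(), "signal": None})
        elif key == "Signal" and aps:
            aps[-1]["signal"] = int(value.rstrip("%"))
    return aps

def find_suspects(aps, my_ssid, my_bssids, my_auth):
    """Flag radios using my_ssid (or a look-alike) that do not match my AP; my_bssids lowercase."""
    suspects = []
    for ap in aps:
        name, mine = ap["ssid"].lower(), ap["bssid"] in my_bssids
        if not name.startswith(my_ssid.lower()) or (mine and ap["auth"] == my_auth):
            continue
        if name != my_ssid.lower():
            reason = "look-alike SSID"
        else:
            reason = "own BSSID, wrong security" if mine else "same SSID, unknown BSSID"
        suspects.append((ap["bssid"], ap["auth"], reason))
    return suspects

if __name__ == "__main__":
    print(find_suspects(parse_scan(SAMPLE_SCAN), "bobsmith", {"02:00:00:aa:bb:01"}, "WPA2-Personal"))
```

The "own BSSID, wrong security" result corresponds to the misbehaving-router theory raised in the thread, and "same SSID, unknown BSSID" to a second radio advertising the name.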
 
You can change local security policy so it can't join an unsecured AP at all.
...
He doesn't know your WPA password, so he can't clone/spoof man-in-the-middle your network.

I still need to connect to starbucks' and other public wifis. Also, the person I'm thinking of DID have my password, because I used to let him use it. It was after I changed the passphrase when these shenanigans started. And actually... I think WPA1 is considered crackable now.

One thing no one has pointed out is, it would be very unlikely your computer would automatically connect to a wireless network that it didn't "know."
....
If this is true, then whoever is setting up a rogue network to try and get you to connect is stupid. They should be easy to defeat. I say this because there is nothing stopping someone from broadcasting the same exact SSID you do, making it even tougher for you to distinguish between the rogue and legitimate networks. The fact that they'd name the network "close but not the same" says to me, they're kinda unintelligent when it comes to wifi. So I'd just shore up some basic things and not worry too much about it.

I actually did connect to it by accident, thinking that it was a windows hiccup that named it "bobsmith 2", as if it were unsure of whether it was a new network because it was unsecured, so it renamed it. The main person I'm thinking of is a network engineer (or at least has the certs for it), so it does sound strange that they'd name it subtly differently if they could have named it the same. So maybe I'm just paranoid about that.

1) Maybe your wireless bridge becomes an AP when it fails to connect?
2) If you unplug both your bridge and router does bobsmith(2) go away!?
3) If you run something like inSSIDer what does it see?

And before you throw everything away why not try to just reset everything to defaults and pick a new SSID and WPA key.

The bridge is not a router in bridge mode, nor is it a repeater - it's a straight bridge, so it never announces a network. I will change up the SSID, though.. as soon as I finish my devious plan to identify them.
 