Neighbor has hacked into my router and is piggybacking - what can I do?

JRJJRJ Member Posts: 4
edited October 22 in Devices & Security
Need help,any suggestions?
Tagged:
RobinVioletChepiljoelos1111

Best Answers

  • Tin_ManTin_Man Posts: 3
    Accepted Answer

    Wow, some great info here but there are simpler solutions. For example, wiring in as many devices that support it and then configuring the guest network (or a vlan if you have business class equipment) specifically for wireless. Isolate them so that if say someone does manage to crack through the wireless they don't have access to the whole house. And if you didn't know, fing makes a nice app you can install on your phone and keep an eye on wireless devices connected to the network. Most wifi vulnerabilities these days take advantage at the moment devices connect to the networks, so just keep an eye out for new devices that show up and if anything you didn't allow shows up, change the password. When adding everything back on, don't give out the password instead you type it into the devices. That way every device allowed hast to get passed you first. With small home networks this type of management is possible and very secure.

    MarcHronosktower101
  • JRJJRJ Posts: 4
    Accepted Answer
    Thank you!!!!!

Answers

  • MarcMarc Member Posts: 427 ✭✭✭✭✭
    edited October 22
    Hey @JRJ , first thing I would do is change your WiFi password, as well as the router’s administrative password.  He can’t piggyback on what he can’t access. I’m going under the assumption that he is not on your wired network, just your wireless.
    There are other things you can do, depending on the routers feature, like whitelist the MAC addresses of the equipment you want to allow access to your network but that’s a bit of work to implement. That will keep him off the network assuming he does not have your MAC address list and can’t spoof a known MAC address.
    Thats Daphnee, she's a good dog...
    PoohVioletChepilkltaylorCrowgrandfatherktower101Lawmanjoelos1111
  • VioletChepilVioletChepil London, UKAdministrator Posts: 2,232 admin
    Hi @JRJ just slightly modified the title of this one to help us get more responses. I agree with @Marc and definitely the first thing to do is change your WiFi password and the router admin. 

    Community Manager at Fing

    MarckltaylorHronosjoelos1111
  • jwnewmanjwnewman Member Posts: 6
    edited October 22
    You should also consider changing the SSID of your WiFi, and turning off the "Broadcast SSID" option. Be aware that some wireless equipment sometimes can't be configured to connect to a router that isn't broadcasting its SSID, though -- poor software design, but it's out there.
    kltaylorMarcVioletChepilKali
  • kltaylorkltaylor Member Posts: 558 ✭✭✭✭✭
    Changing the password, the SSID and using a Hidden Network is sound advice.  Another consideration would be to use MAC address filtering, although that isn't secured if you use it alone.
    Another thing to consider, since you're neighbors in an effort to keep the peace where you live:  Create a guest network and leave them a note or otherwise inform them that they can use that one instead.  You don't know what the situation is and why they use it to begin with, maybe they can't afford it on their salaries?
    Curious though, how do you "know" that your neighbor attached themselves to your network?
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
    VioletChepilMarcjoelos1111
  • Tin_ManTin_Man Member Posts: 3

    Can't tell if you're a tech or not, but if you can keep up there's the following you should do if you suspect that you were targeted or know that your router is volnerable to specific worms out there high jacking equipment. While the advice previously mentioned is sound advice, I will add that if you do change the passwords on the equipment, please be sure to use a fresh new password and not one that you already use for anything else. Also, I would do a hard rest of the device back to factory and I would go to the manufacturer's website and download their latest firmware and manually do an update install. Don't use the auto update nor backup/restore settings. Manually reconfigure it. Some of the worms out there add scripts to the autoconfiguation wizards so don't use anything that makes things easy, and verify all the details in the devices logs.

    VioletChepilMarckltaylorJojogunn69_Hronosjoelos1111
  • VioletChepilVioletChepil London, UKAdministrator Posts: 2,232 admin
    Hey @JRJ some great ideas here!
    Thanks all for your responses. You can choose BEST ANSWERS - by selecting:
    Did this answer the question? Yes/No - choose as many that have helped you :) 

    Community Manager at Fing

    kltaylorjoelos1111
  • MirekmalMirekmal Member Posts: 49 ✭✭✭
    Well, one thing that was missing from the list of advises and sound obvious to me; block all unknown MAC addresses from accessing network using Fingbox... unless neighbor is cloning one of your existing MACs, this should render your network useless for him...
    VioletChepilkltaylorjoelos1111
  • SimplyNadarSimplyNadar Member Posts: 7
    edited October 23

    An attacker can trivially bypass MAC filtering, and a hidden SSID is also pretty much useless for many reasons.

    1. Make sure you are using recent firmware

    2. Make sure that you are using WPA2 or, better, WPA3

    3. Be sure WPS is DISABLED

    4. Be sure admin login from WAN is disabled

    5. Change login and WPA2/WPA3 passwords

    6. Disable uPNP and check port forwards

    7. Scan all internal systems for malware

    8. This is my favorite - since you are effectively controlling your neighbors internet, you can do MitM - Man in the Middle attacks, to scarf their passwords and inject malware into the datastream to take control of your neighbor's computers. You could play harmless pranks, or surreptitiously make their computers do evil things. I will not go into detail out of respect for the family nature of Fing's community, but use your imagination. Just remember that it is your IP address, so don't do anything terribly illegal.

    Read up on WiFi MitM, SSLStrip, Evil Twin and the like, and have some phun with those crooks before you lock them out. :)

    MaxWebjoelos1111
  • PoohPooh Member Posts: 675 ✭✭✭✭✭
    WPA3 is currently a joke. It's barely been out 6 months and already there have been multiple vulnerabilities discovered with it (Dragonblood).

    And this is just the start. The WiFi alliance screwed up big time when they created this standard. I suspect we'll uncover more issues as time rolls on. Meanwhile routers with WPA3 enabled run the risk of not getting fixed leaving them open to attack.
    People say nothing is impossible, but I do nothing every day.
    kltaylorjoelos1111
  • SimplyNadarSimplyNadar Member Posts: 7
    edited October 23

    It isn't ideal yet, but it is more secure than WPA2, and is a step in the direction of fixing long standing known vulnerabilities in the old WPA2. It is just short sighted to say that it is a joke just because it isn't impenetrable. WPA2 Enterprise is also vulnerable to KRACK, so even going so far as advising OP to set up RADIUS would be less secure than the preferred WPA3.

    It is the old routers with WPA2 that are at risk of never being updated, given that it is an old protocol that is being phased out in favor of the new updated standard. Admittedly, I wouldn't rush out and buy new gear just for WPA3 yet, but I *would* have some fun with that neighbor. :)

    joelos1111
  • PoohPooh Member Posts: 675 ✭✭✭✭✭
    edited October 24
    It's worse because it was developed in secret. It's even worse because the very reason it was created (to mitigate against WPA2's KRACK attack) failed - the Dragonfly key exchange orginally used P-521 elliptic curves (and dog knows why those chose that since by 2016 they'd already been shown to be weaker than alternatives, as specified in RFC 7748), however they then found that the first Dragonblood attack downgrades that the the far weaker P-256 ones. The alliances knee jerk response was to change to using Brainpool curves which they thought were much safer. That however introduced two side channel leaks that the allowed the keys to be brute forced.

    OpenRadius is no safer. The current WPA3 implementation has the same risks with EAP-pwd, that means it's no better than WPA2.

    There will be no fixes to WPA3. It is permanently broken. Fixes, if and when they come, will be with WPA 3.1. However the closed door nature of the development of this standard means that it's never going to be properly vetted before it goes public, meaning that there's a very high risk that it'll be broken just as easily.

    Worst of all this is users who are given the illusion of security. Right now, I'd trust WPA2 over WPA3 any day of the week. It's older yes, it's creaky and leaky, sure. But it's a well known standard now. WPA3 is a black hole just waiting for new vulnerabilities to be found on it.

    People say nothing is impossible, but I do nothing every day.
    MarcHronosjoelos1111
  • MarcMarc Member Posts: 427 ✭✭✭✭✭
    Pooh said:
    It's worse because it was developed in secret. It's even worse because the very reason it was created (to mitigate against WPA2's KRACK attack) failed - the Dragonfly key exchange orginally used P-521 elliptic curves (and dog knows why those chose that since by 2016 they'd already been shown to be weaker than alternatives, as specified in RFC 7748), however they then found that the first Dragonblood attack downgrades that the the far weaker P-256 ones. The alliances knee jerk response was to change to using Brainpool curves which they thought were much safer. That however introduced two side channel leaks that the allowed the keys to be brute forced.

    OpenRadius is no safer. The current WPA3 implementation has the same risks with EAP-pwd, that means it's no better than WPA2.

    There will be no fixes to WPA3. It is permanently broken. Fixes, if and when they come, will be with WPA 3.1. However the closed door nature of the development of this standard means that it's never going to be properly vetted before it goes public, meaning that there's a very high risk that it'll be broken just as easily.

    Worst of all this is users who are given the illusion of security. Right now, I'd trust WPA2 over WPA3 any day of the week. It's older yes, it's creaky and leaky, sure. But it's a well known standard now. WPA3 is a black hole just waiting for new vulnerabilities to be found on it.

    @pooh, thanks for this, I has no idea WPA3 was this bad...
    Thats Daphnee, she's a good dog...
    PoohHronosjoelos1111
  • SimplyNadarSimplyNadar Member Posts: 7

    You are not *completely* alone in wrongly thinking that WPA2 is more secure than WPA3, just like anti-vaxers, climate change deniers and holocaust deniers are not alone. You are in the fringe minority, though.

    Nobody thinks WPA3 is the end all be all, but it is upgradable. WiFi Alliance says they are already rolling out fixes, and there are no WPA3 vectors being used in the wild, like there are KRACK vulnerabilities.

    I am genuinely curious about whether your promotion of an old, vulnerable standard is willfully malicious or just based on ignorance, but it is clearly one or the other.

    To anyone following this, check out Bruce Schneier's site, or just do a quick google, don't listen to this clown. There is no immediate need to rush out and upgrade to WPA3, but you do want your next routervto have the new standard since it is the only one with an upgrade path.

    And get your kids vaccinated. 😇

  • MarcMarc Member Posts: 427 ✭✭✭✭✭

    @SimplyNadar , instead of berating someone who does security for a living, why not google the issue a bit and see what comes up. Yup there are pros and cons to every protocol out there but the free dissemination of information, both PRO AND CON, can help people come to their own conclusions.

    For example:



    for anyone who reads this thread thus far, please google the protocol and issues and see what comes up.

    Thats Daphnee, she's a good dog...
    VioletChepilkltaylor
  • JRJJRJ Member Posts: 4
    You guys are great,thanks for the help,used a bit of combination from your comments,feeling good about security.Again,many than thanks!!!!
    PoohVioletChepilkltaylorjoelos1111
  • VioletChepilVioletChepil London, UKAdministrator Posts: 2,232 admin
    Hey @JRJ you can show your appreciation through LIKES and choosing a best answer to! 
    Did this answer the question? Yes/No - select Yes and that will choose a BEST ANSWER. 

    Community Manager at Fing

    kltaylor
  • kltaylorkltaylor Member Posts: 558 ✭✭✭✭✭

    An attacker can trivially bypass MAC filtering, and a hidden SSID is also pretty much useless for many reasons.

    1. Make sure you are using recent firmware

    2. Make sure that you are using WPA2 or, better, WPA3

    3. Be sure WPS is DISABLED

    4. Be sure admin login from WAN is disabled

    5. Change login and WPA2/WPA3 passwords

    6. Disable uPNP and check port forwards

    7. Scan all internal systems for malware

    8. This is my favorite - since you are effectively controlling your neighbors internet, you can do MitM - Man in the Middle attacks, to scarf their passwords and inject malware into the datastream to take control of your neighbor's computers. You could play harmless pranks, or surreptitiously make their computers do evil things. I will not go into detail out of respect for the family nature of Fing's community, but use your imagination. Just remember that it is your IP address, so don't do anything terribly illegal.

    Read up on WiFi MitM, SSLStrip, Evil Twin and the like, and have some phun with those crooks before you lock them out. :)

    Hello Nadar, welcome to our community.
    I'd like to advise you that we do not advise anyone here to issue any sort of attack on anyone else, that's not why we're here.
    WPA3?  Hasn't been mainstreamed yet so please don't provide information that the average consumer cannot implement effectively.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • kltaylorkltaylor Member Posts: 558 ✭✭✭✭✭

    It isn't ideal yet, but it is more secure than WPA2, and is a step in the direction of fixing long standing known vulnerabilities in the old WPA2. It is just short sighted to say that it is a joke just because it isn't impenetrable. WPA2 Enterprise is also vulnerable to KRACK, so even going so far as advising OP to set up RADIUS would be less secure than the preferred WPA3.

    It is the old routers with WPA2 that are at risk of never being updated, given that it is an old protocol that is being phased out in favor of the new updated standard. Admittedly, I wouldn't rush out and buy new gear just for WPA3 yet, but I *would* have some fun with that neighbor. :)


    .It's not a step in the right direction in this case.  You're assuming that our OP is using an old router.

     You should also perform a bit of research before promoting a new protocol from reliable sources so that we're not attempting to fix one issue, and then opening up a brand new issue.

    I appreciate your attempt in trying to help, but please understand that our community consists of folks with variable degrees of technology logic.  If you have questions you can DM any of the founders who will assist you with those.

    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
  • kltaylorkltaylor Member Posts: 558 ✭✭✭✭✭
    JRJ said:
    You guys are great,thanks for the help,used a bit of combination from your comments,feeling good about security.Again,many than thanks!!!!
    You're more than welcome.
    Thanks for allowing us an opportunity to help ease your concerns and assist with regaining control over your network.  Feel free to ask us anything (well .. almost anything =) if something should arise.
    "There's a fine line between audacity and idiocy."
    -Warden Anastasia Luccio, Captain
    VioletChepil
  • CrowgrandfatherCrowgrandfather Member Posts: 34 ✭✭✭
    edited October 28

    There's a lot of advice in here but I'm going to give you the advice that will be 99% effective.


    Change your Wi-Fi password.


    That's it. Nothing more. MAC address filtering is useful but if you're neighbor can hack their way into a Wi-Fi network without the password then MAC address is filtering is trivial to bypass. Same with SSID hiding.


    Radius servers are fantastic, and I run one, but they're a bit more advanced to set up and really don't add much security without implementing EAP-TLS it's not much more secure.


    VLANing is useful but you probably don't have a router that supports it (we're talking about mostly enterprises routers like Cisco, Mikrotik, Juniper, and Ubiquiti).


    Just change your Wi-Fi password and you should be good.


    Also: people keep mentioning KRACK and yes that is a vulnerability but it was parched 2 years ago (I would know, I was working in a SOC and we got emergency called in). If your router doesn't have a patch for KRACK then it's time to replace the router as it hasn't been updated in 2 years.

    JRJVioletChepilkltaylor
  • vcayennevcayenne Member Posts: 2
    Tin_Man said:

    ...When adding everything back on, don't give out the password instead you type it into the devices. That way every device allowed hast to get passed you first.

    On some platforms this isn't as effective as it seems. I believe on Apple's platform, a wifi password entered on an iOS device like a phone or iPad is then shared with any paired* Mac laptop or desktop and the actual password is then viewable by the user in the Mac's Keychain. This means that that user, say a visitor or loosely trusted friend of a family member, though not given the plain text password by you, can retrieve it easily.

    * I'm used "paired" here just to mean the devices that share some sort of trust mechanism for that Apple user - by way of Keychain or Apple ID, for example.
    VioletChepiljoelos1111
  • Tin_ManTin_Man Member Posts: 3
    vcayenne said:
    Tin_Man said:

    ...When adding everything back on, don't give out the password instead you type it into the devices. That way every device allowed hast to get passed you first.

    On some platforms this isn't as effective as it seems. I believe on Apple's platform, a wifi password entered on an iOS device like a phone or iPad is then shared with any paired* Mac laptop or desktop and the actual password is then viewable by the user in the Mac's Keychain. This means that that user, say a visitor or loosely trusted friend of a family member, though not given the plain text password by you, can retrieve it easily.

    * I'm used "paired" here just to mean the devices that share some sort of trust mechanism for that Apple user - by way of Keychain or Apple ID, for example.
    This is a home, not a military facility or even a collocation. Are there going to be ways to defeat security? Sure, but it's not meant to restrict the ones in the home but rather keep it from everyone else. Small group of people, it's easy enough to make sure everyone understands. Is the teenager gonna crack the password? Probably, is the little one gonna drive you nuts typing in the password over and over again? You can pretty much count on it, but it's not hard to get pretty much everyone on your side regarding not allowing just anyone on the wifi. If you get any stubborn ones all that is going to happen is they'll have to keep getting the new password cuz if anything new shows up the password changes. If I remember correctly there's a check box for that in fing. The moment anything new and it notifies you....In any case, point is, it's not fort Knox, but it'll do better than most corporate policy security. Remember, any weakness is really kinda accounted for by making the guest wifi, THE wifi and isolating the lan, most important thing on the internet in a home is at least wired if not both. If it's your security cameras are you gonna wifi that or cable it in? What about a NAS or any home automation stuff? That one is going to be a little tricky but the choice is still a no brainer. Wire in all that you can and if wireless is the only choice then not much to think about there either. Some routers will have the option to configure the firewall between the guest wifi just  enough to allow access of very specific ports, if you reach a limit of your current router, then it time to upgrade to a more robustr firewall. Though I suspect that once any home user reaches business class hardware, they're gong to want t some professional help. It would be silly of them to rely on their 2 hours of watching youtube videos to fell confident that they have properly configured and fully secured their networks without at least being reviewed by a professional. I'm all for DIY but you gotta have some humility to go along with it. Jack of all trades, master of none. Get a professional once you have to upgrade to a professional firewall. Most "pro" firewalls will say specifically that they are intended to be installed by a professional.
    VioletChepiljoelos1111
  • vcayennevcayenne Member Posts: 2
    I agree with a lot of that. My simple and only point was that readers should not come away with the certainty that the only way someone could get the password was to go through the issuer directly if only the issuer types it in on devices.
    VioletChepil
  • OKCOKC Member Posts: 8
    Mirekmal said:
    Well, one thing that was missing from the list of advises and sound obvious to me; block all unknown MAC addresses from accessing network using Fingbox... unless neighbor is cloning one of your existing MACs, this should render your network useless for him...
       The whole time I was reading the responses I was wondering if the OP has a FingBox. I have noticed that there are some people who post and only have the app (no-FingBox) and finally you mention fingbox 
    Thank You
    PS: Should we always ask if the OP has a fingbox?
    Marcjoelos1111Hronos
Sign In or Register to comment.