Is my IoT network being hacked?

randye007
edited October 4, 2021 in Devices & Security #1

Hi,

I have a Ubiquiti EdgeRouter X to isolate various networks in my house. I have an isolated IoT network, an isolated WiFi guest network and a private network that can access the IoT and guest networks. I have a Fingbox in both my IoT and private networks. I have auto block new devices enabled for both Fingboxes.

The IoT network is where I place all my IoT devices and is isolated so it cannot access any other network. I have an issue with the static address of my Raspberry Pi 4 in that network. It has been assigned a static IP address through the router but will randomly disconnect and reconnect on some random IP address. AFAIK it’s random and uses an available IP address.

After many weeks of troubleshooting this issue, I finally resolved it by moving the Raspberry Pi 4 to my private network, which includes computers and phones containing sensitive data. Since then, it has remained assigned to the static IP address.

Is it possible one or more of my IoT devices has been compromised and the perpetrator is using it to infiltrate my network and causing the Raspberry Pi 4 device to keep cycling through various IP addresses at random?

Is there a way of detecting the infiltration? What is the perpetrator possibly doing to cause such behaviour?

I plan on changing the passwords on all IoT devices as a precaution.

Thanks for your advice.

Cheers,

Randy

Answers

  • Jb1965

    In life and technology, anything is possible 😁. Relax and have a beer.

  • rooted

    Have you checked that the MAC address of your Pi isn't changing, which is causing it to lose the static IP?

  • randye007

    Thx @rooted. Yes I have checked that the MAC address is the same. With Auto Block New Devices turned ON, it would have been blocked if the MAC address had changed and it wasn’t.

  • randye007

    Update: The cycling of IP addresses is now happening to my Fingbox which is assigned a static IP address.

  • randye007

    I've been reading up on several types of attacks. An interesting one is a DHCP Starvation attack, where the attacker floods the network with DHCP DISCOVER packets, thereby exhausting all the available IP addresses in the DHCP pool. The attacker would then offer up their own DHCP server, thereby leveraging a MITM (Man in the Middle) attack. They are now intercepting all messages through their server. This is all being done through a compromised device likely running Linux.

  • randye007
    edited October 7, 2021 #7
    Just happened again with my Fingbox. It certainly has some of the symptoms of a DHCP Starvation attack.
    Couple of observations:
    • My Wireless Access Point sees the new IP address (outside the static IP assignment) the Fingbox is on in the Client list (IP HAS CHANGED)
    • My Wireless Access Point sees an unknown device connected via WiFi that neither my router nor Fingbox App can see. (I CAN'T PING IT)
    • I cannot ping/traceroute the Fingbox from anywhere in my network (COULD BE MANAGED BY DIFFERENT DHCP SERVER)
    • My Fingbox app still thinks my Fingbox is connected at the original static IP address (????)
    • My available DHCP pool looks fine. This part is strange if it's a DHCP Starvation attack.
    Is there a way for me to see what my Fingbox is attached to?
  • rooted

    Your Fingbox is attached to your LAN and to remote Fing servers.

    Perhaps the unknown wireless device is the Fingbox? Is it actually connected to your AP or does your AP simply detect a device?

  • randye007
    edited October 14, 2021 #9
    Ok - I've done a major lockdown of my wireless networks as I believe at least one of them was breached.
    1. Rotated the WiFi passwords for all networks for all bands
    2. WiFi Encryption changed to WPA2/WPA3-Personal from WPA2-Personal
    3. Protected Management Frames (PMF) changed to Capable from Disabled
    4. Added an Allow list of MAC addresses per WiFi band
    Since making these changes on my wireless access points, there has been no suspicious activity.  
  • rooted
    Taking time to better/re-secure your network is never a bad thing.
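
One way to check a DHCP event log for the symptoms discussed in this thread (a burst of DISCOVERs from many MACs, replies from a second DHCP server, and a reserved device acknowledged on another address), as an added example that is not part of any post. The event format, addresses, MACs and thresholds are constructed assumptions, not data from the thread.

```python
# Added example. Constructed DHCP events, one per line:
#   time_s  message_type  client_mac  server_id  assigned_ip   ("-" = not present)
NORMAL = """\
0.0 DISCOVER 02:aa:00:00:00:01 - -
0.1 OFFER 02:aa:00:00:00:01 192.168.3.1 192.168.3.10
0.2 REQUEST 02:aa:00:00:00:01 192.168.3.1 192.168.3.10
0.3 ACK 02:aa:00:00:00:01 192.168.3.1 192.168.3.10
"""
# Constructed: 40 DISCOVERs from 40 different MACs in 0.4 s, then a second server answering.
SUSPECT = NORMAL + "".join(
    f"{60 + i * 0.01:.2f} DISCOVER 02:00:00:00:00:{i:02x} - -\n" for i in range(40)
) + """\
70.0 OFFER 02:aa:00:00:00:01 192.168.3.66 192.168.3.150
70.1 ACK 02:aa:00:00:00:01 192.168.3.66 192.168.3.150
"""

def analyze(text, trusted_servers, reservations, window=10.0, max_macs=20):
    """Return a list of (finding, time_s, detail) tuples in log order."""
    findings, recent, untrusted_seen, burst_flagged = [], [], set(), False
    for line in text.splitlines():
        ts, kind, mac, server, ip = line.split()
        ts, mac = float(ts), mac.lower()
        if kind == "DISCOVER":
            # Sliding window of DISCOVERs; starvation shows up as many distinct MACs.
            recent = [(t, m) for t, m in recent if ts - t <= window] + [(ts, mac)]
            distinct = len({m for _, m in recent})
            if distinct > max_macs and not burst_flagged:
                findings.append(("discover_burst", ts, distinct))
                burst_flagged = True
        elif kind in ("OFFER", "ACK"):
            # A reply whose server identifier is not the router means a second DHCP server.
            if server not in trusted_servers and server not in untrusted_seen:
                findings.append(("untrusted_server", ts, server))
                untrusted_seen.add(server)
            # A reserved client acknowledged on a different address than its reservation.
            if kind == "ACK" and reservations.get(mac, ip) != ip:
                findings.append(("reservation_mismatch", ts, (mac, ip)))
    return findings

if __name__ == "__main__":
    for finding in analyze(SUSPECT, {"192.168.3.1"}, {"02:aa:00:00:00:01": "192.168.3.10"}):
        print(finding)
```

A reservation mismatch together with an untrusted server identifier and a healthy pool on the router points at a second DHCP server rather than pool exhaustion.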