Is my router being spoofed? Duplicate SSID broadcast on 5 GHz band.

MilkandGin
MilkandGin Member Posts: 5
edited February 20, 2022 in Devices & Security #1
So, for the past several weeks, I have had multiple and deeply concerning issues with my wifi and how data is treated from my various devices. These include a more than insubstantial delay in app updates when open on both my MacBook Pro and iPhone and new data is entered. I'm gay, and a very obvious example of this is that my iPhone will receive notification of new messages on my Grindr app, but if I try to send or receive new messages from inside the app, they will fail unless I am on data. 

Just about every night over the past several when I have changed my router SSID or password, I've received text messages saying, "Per your request, your SSID is XXXX and your password is XXXX" from Xfinity at 2-4:00 a.m., while asleep. I'm like, somehow someone is getting Xfinity to hand over my wifi data and, as a consequence of how the system is set up, I am being notified.

I love Fing because it makes someone like me, who knows little about networking in the grander scheme of things, feel like he does.

I ran a wireless scan today, just now, just to see whether there's something fishy going on. For the first time, I find something that facially appears to be malicious. There are two routers broadcasting my SSID, on the same band, always within 1-5 dBm of each other. The mfg. name for the duplicate is "Xerox," which I know doesn't mean anything other than to make a quippy point, and the MAC address, which also doesn't mean anything, is all zeroes. 

Is someone replicating my 5 GHz wifi band in order to divert traffic from one or more of my devices? If so, what can I do about it? See the attached screenshots. At first, there was no 2.4 GHz band. Within about 20 seconds of capturing the first screenshot, the 2.4 GHz band appeared, making three routers on two bands broadcasting my SSID.

As you can see, my router is stuck in a very congested area of the band. Because it's an Xfinity xFi modem-router combo, most information is managed by Xfinity, including the signal.

I should note that my MacBook Pro is reporting that it is connected to the router that ends in :33. The iPhone tells me something entirely different, and I do not know how to force it onto the :33 router. I've tried turning "private wifi address" off and on. Not sure whether they are the same things.

EDIT: one thing I probably should have said upfront, before it's raised as an obvious question: I do not knowingly have any Xerox equipment connected to my router. Nor does Fing show any Xerox equipment connected. I do, occasionally, have a router appear with the mfg. name "Cimsys," but I think I read that happens on xFi modem-router combos. No one can explain exactly what it means or why it happens.
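A defender's way to sort out the scan result described above: the script below is an added example (my own code, not Fing's and not anything posted in this thread). It takes a list of scan records shaped like what a Wi-Fi scan exports (SSID, BSSID, band, channel, RSSI, security; those field names are my assumption) and reports, for each BSSID that advertises the home SSID, why it does or does not fit a single dual-band modem/router: an all-zero BSSID, a security mode that differs from the expected one, or a vendor prefix on one band that has no counterpart on the other band. The records, BSSIDs and the "HomeNet" SSID are constructed placeholders.

```python
"""Explain which BSSIDs advertising your SSID do not look like your router.

Added example, not Fing's code and not from the thread. Scan records are
constructed; field names and values are assumptions about a scan export.
"""
from collections import defaultdict

ALL_ZERO_BSSID = "00:00:00:00:00:00"

# Constructed scan: the home SSID seen from three BSSIDs, as in the post.
SCAN = [
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:dd:ee:33", "band": 5.0,
     "channel": 157, "rssi": -48, "security": "WPA2"},
    {"ssid": "HomeNet", "bssid": "00:00:00:00:00:00", "band": 5.0,
     "channel": 157, "rssi": -51, "security": "WPA2"},
    {"ssid": "HomeNet", "bssid": "aa:bb:cc:dd:ee:32", "band": 2.4,
     "channel": 6, "rssi": -45, "security": "WPA2"},
    {"ssid": "Neighbor", "bssid": "11:22:33:44:55:66", "band": 5.0,
     "channel": 161, "rssi": -70, "security": "WPA2"},
]


def oui(bssid):
    """Vendor prefix: the first three octets of the BSSID, lower-cased."""
    return bssid.lower()[:8]


def analyze(scan, home_ssid, expected_security="WPA2"):
    """Return a list of {"bssid", "band", "reason"} findings for home_ssid.

    An empty list means nothing in the scan contradicts one dual-band
    router. A finding is a reason to verify the BSSID, not a verdict:
    extenders and mesh nodes legitimately reuse the SSID too.
    """
    aps = [ap for ap in scan if ap["ssid"] == home_ssid]
    findings = []

    by_band = defaultdict(list)
    for ap in aps:
        by_band[ap["band"]].append(ap)

    # A combined modem/router radiates the same SSID from its 2.4 GHz and
    # 5 GHz radios, and those radios share a vendor prefix. A prefix that
    # appears on both bands is therefore treated as the router's own.
    bands_per_oui = defaultdict(set)
    for ap in aps:
        bands_per_oui[oui(ap["bssid"])].add(ap["band"])
    paired_ouis = {o for o, bands in bands_per_oui.items() if len(bands) > 1}

    for ap in aps:
        where = {"bssid": ap["bssid"], "band": ap["band"]}
        if ap["bssid"] == ALL_ZERO_BSSID:
            findings.append(dict(where, reason="all-zero BSSID: malformed or forged beacon"))
        if ap["security"] != expected_security:
            findings.append(dict(where, reason=f"security is {ap['security']}, expected {expected_security}"))
        same_band = by_band[ap["band"]]
        ouis_on_band = {oui(x["bssid"]) for x in same_band}
        if len(same_band) > 1 and len(ouis_on_band) > 1 and oui(ap["bssid"]) not in paired_ouis:
            findings.append(dict(where, reason="shares SSID and band with another BSSID, but its vendor prefix has no counterpart on the other band: extender, mesh node or rogue; verify it"))
    return findings


def report(scan, home_ssid):
    """Human-readable summary, one line per finding."""
    lines = [f"{f['bssid']} ({f['band']} GHz): {f['reason']}" for f in analyze(scan, home_ssid)]
    return "\n".join(lines) if lines else f"{home_ssid}: consistent with a single dual-band router"


if __name__ == "__main__":
    print(report(SCAN, "HomeNet"))
    print(report(SCAN, "Neighbor"))
```

In the constructed scan, the :33 and :32 BSSIDs share a prefix across the two bands and are left alone; only the all-zero BSSID is reported, once for the zero address and once for the unpaired vendor prefix. When only one band is visible (the poster's first screenshot), no prefix can be paired, so every BSSID on a shared band is reported for verification, which is the honest answer at that point.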

Answers

  • MilkandGin
    MilkandGin Member Posts: 5

    223 views and no comment?

  • Cojo7795
    Cojo7795 Member Posts: 3

    Can you change your bandwidth to a more narrow spectrum? This is a bit above my area of knowledge but it’s shitty no one else has said a word about it and there are this many views.

  • Cojo7795
    Cojo7795 Member Posts: 3

    Also, is any part of this demilitarized?

    Are you allowing your gateway to be used as a public hotspot? Because the default setting for that automatically makes you an Xfinity hotspot provider.

    Also, do you have your advanced security on?

    Have you logged into your router admin page to see if anything has been changed within it?

  • MilkandGin
    MilkandGin Member Posts: 5

    Hi, thank you for responding.

    I just received a replacement Xfi modem/router unit. The one that I had been using had options for advanced security, but it would fail when trying to turn it on. The new modem’s advanced security does work, but within a short amount of time I noticed the same odd behaviors. The Xerox access point began showing up for it too.

    No demilitarized zones, and I turned my public Wi-Fi options off for both router-modem units.

    Examples of bizarre things going on include, when NOT on the Wi-Fi, my iPhone will start randomly putting itself into drive focus mode. That disables all notifications and is caused by either manually putting it into the mode or having the iPhone sense that you are in a moving vehicle. While this would tend to show that the cellular mode is the bewitched of the two, my thought is that they were able to recover my passcodes and passwords and can just access and decrypt my devices at their leisure. They would have gotten that by monitoring outgoing signals.

    Both my MacBook Pro and iPhone constantly lose the Wi-Fi connections. I will turn off auto-rejoin on both to ensure my signal is not being tampered with to trick me into logging onto the attacker access point. Every time, auto-rejoin gets turned back on, and even if it didn't, even if I was to sit around with the Wi-Fi passphrase in my clipboard to be able to quickly log on, as soon as you select the access point, macOS automatically pastes the passphrase and logs on. That's before there's an opportunity to check the access point out to ensure it's secure.

    I have Private Relay Beta turned on in macOS, and things actually go really well for a while on that. But then it will say that the connection to Private Relay has been lost and I will automatically reconnect when it's back up. Every time, there's no issue with Private Relay. I click the button to turn it off and right back on and it's up and running, which means my devices are not reconnecting as they're supposed to.

    I've had to reformat my hard drive three times in the past 24 hours. I keep finding upward of 20 hidden volumes connecting to my MacBook remotely. If I turn Wi-Fi off, they disconnect and come right back as Bluetooth connections. Whenever I attach an external drive to create a Time Machine backup, it becomes corrupted.

    There are a lot of system “mistakes” while running online recovery mode to erase volumes, partition a drive, etc. It will tell me that my Wi-Fi passcode is not correct, when it absolutely is correct. I’ll type it slower and when the screen zips to the left, as part of its animation for successful connection, it will accidentally go past the “select the volume” screen twice. The passphrase window is supposed to zip to the left onto a new screen asking what drive you want to install on. It “accidentally” goes past the screen one time so it lands on a second screen.

    I just did a recovery mode reset 5 hours ago. I created a partition on the HD volume to house time machine backups. Not recommended, but external devices keep corrupting. Within three hours, I lost the ability to connect to my Apple TV, at least seemingly. It would say “iPhone could not connect to Apple TV.” If you look at the network tab for both, we appear to be on the same network. But not if you ask the Apple TV, the only device with limited snooping value.

    Because it’s Xfinity, they control all the features that would allow me to get out of this situation, including the ability to hop channels. My computer stays on channel 157 and does not move, all congested areas of the band. Wi-Fi Explorer will throw up warnings about the level of noise due to band traffic near my channel or on my channel. But there is no option to force it to change channels, and for the past two weeks it has been stuck at channel 157. (It’s on a different channel now that I have a new router, but it’s staying in that channel now. I won’t disclose it publicly, although there’s no secret to it.) Like I said, I’ll spontaneously get texts at 4:00 a.m. providing my Wi-Fi information, including SSID and passphrase, saying “Per your request, here are your SSID and passphrase.”

    At this point, I'm beginning to think that these people are so good, they've already hacked the base system software. Only way around that is to create a bootable drive so you can erase the system's HD base system volume. When I try, it corrupts before I can use it. I think they may have a script running on the remote system that causes their access point to imitate any changes whenever I make a system change, so I'm actually making changes to a template. It's reading my changes and the template is modifying to show them as effectuated. Unless I use the reset button on the device, when I make changes via the 10.0.0.1 admin page, the router does not turn off and back on.

    To highlight, I just received this router two days ago.

  • MilkandGin
    MilkandGin Member Posts: 5

    To give you an example of something that just happened, I just reformatted my HD after taking two hours to get rid of corrupted hidden volumes. Was logging into my newly created MacOS account and got to where you enter your iCloud password.

    I entered it. It didn’t say, “Your password was incorrect,” it said, “Failed to connect to remote server…” I knew my password was, in fact, correct. I re-entered it, fast and slow, about 15 times. Each time subsequent to the first, it said my password was incorrect. As stated, I knew it was correct. To be certain, I went to iCloud in my phone and reset the password. To do so, I had to first enter the [then] current password, which was the same as I had been entering it on the computer. I changed the passcode and then started entering the new passcode. “Your password was incorrect.” Well, no it wasn’t… because I just changed it to that, and also, what is this about a server?

  • Cojo7795
    Cojo7795 Member Posts: 3

    I have Xfinity as well. The easiest thing to do is unplug the gateway for ten minutes and let it reset. Log into your router admin page. Default admin password combo. Immediately set a new password. Then get in the Xfinity app and find unknown devices and block them from your network.

  • JenJFK
    JenJFK Member Posts: 1

    This might be a dumb question, but.. while your wifi setup (password, security settings, etc) might be in order, have you changed the admin password on the router login?

    I have Xfinity, and the default router username is admin and the password might be generic, which means someone could possibly log in to the router itself and wreak havoc.

    I'm sorry you're having these issues. You have lots of views because Fing put your question in their newsletter.

  • MilkandGin
    MilkandGin Member Posts: 5
    Cojo7795 said:

    i have xfinity as well. The easiest thing to do is unplug the gateway for ten minutes and let it reset. Log into your router admin page. Default admin password combo. Immediately set new password. Then get in xfinity app and find unknown devices and block them from your network

    When you run Wifi Scan from the Tools menu on the Desktop app, does it show a duplicate, unlocked access point on a separate channel within your band?

    I ended up switching to CenturyLink. Half the money for double the speed. On top of that, Xfinity is no longer micromanaging my settings, hiding verbose logs from me, etc. With CenturyLink, they allow you full control over your modem settings. I also purchased a Firewalla Gold firewall.

  • Techsys
    Techsys Member Posts: 6
    Turn off WPS! Every time I find bogus devices (and it happens all the time!) on a client network, I turn off WPS, clear (forget) all devices and then change the passwords for the wireless. The problem does not return after that.

  • cryptoknight
    cryptoknight, Upper Southern Peninsula Island, Member Posts: 12

    Your Xfinity device (all of them, I think) might be broadcasting a portion of your bandwidth, under the ever-misleading feature name of "Home Hotspot."

    Instructions for disabling (because of course the customer who never opted in must opt-out) are included at the same link above.
    That's the good thing about opinions... they don't have to be backed up with facts.
  • Sharpstown
    Sharpstown Member Posts: 1
    edited April 10, 2022 #12
    I am having almost the same issue with a Xerox device with the same SSID. But I have a TP-Link router and an AT&T cable modem.

  • พัต
    พัต Member Posts: 3

    Help!

  • cryptoknight
    cryptoknight, Upper Southern Peninsula Island, Member Posts: 12

    พัต said:

    Help!

    How can we help?
    That's the good thing about opinions... they don't have to be backed up with facts.