3

Recently I noticed that there is an unknown user connected to my modem. I tried to block the MAC address by accessing the router page (192.168.1.1, D-Link modem) > parent control > macaddress filter > put the MAC address of the unknown user > apply, but they are still using my Wi-Fi. This leads to slower internet; even YouTube is slow now. So what should I do? A Google search led to this link https://security.stackexchange.com/a/137316/149263 and after reading it, I am sure that someone is stealing my Wi-Fi. I just want to block the user. Is there any way to block the user permanently?

There is also one thing to notice: the MAC address of the unknown user is similar to my device's (only 3/6 parts are different). If 01:02:03:04:05:06 is my MAC address, then the MAC address of the unknown user is 01:02:03:0a:bb:cc. I will provide screenshots if required. Sorry if it's off-topic here.

Jayakrishnan
  • The first half of the MAC address is supposed to be the vendor code, so the fact that they are identical says only that the devices are coming from the same vendor (assuming, of course, that those are legitimate MAC addresses). – MiaoHatola May 25 '17 at 16:23

2 Answers

4

In addition to the already provided answer, I'll point out a few things and give a to-do list.

Start by getting him off your network.

  1. Turn off your Wi-Fi.
  2. Change your router admin password.
  3. Change the security to WPA2. *
  4. Disable WPS. **
  5. Change the SSID (Network name) ***
  6. Change to a long password easy to remember. ****
  7. Use whitelist instead of blacklist. *****

*If your modem is old, it might not have WPA2 Personal; try WPA instead. (History note: WPA2 needed a hardware change from the old WEP standard, while WPA just needed a firmware update.)

**If your router is old, WPS has many vulnerabilities, and there's no need to have it available; just connect your devices the normal way.

***Maybe he already has pre-generated keys for the SSID you're using; changing the name would render useless the space-time trade-off he previously did.

****You've got 63 ASCII characters; use 3 or 4 words and add spaces (generally spaces aren't common in charsets). Special symbols are hard for humans to remember but easy for computers to "guess", so use only one.

*****Add your three devices. This will eventually be rendered useless since, as previously stated, spoofing a MAC is easy.

With all this, the bad guy would have more homework: with no WEP he can't capture/break WEP weak IVs, with no WPS he can't use wash/reaver to get the PIN or pixie dust attacks, etc. With WPA/2 he needs to capture a handshake (now WPA) from any of your devices, brute-force it (hence the long password; this may take months to years depending on the length), then eventually when trying to connect he will spoof any of your MAC addresses and then he's in. Hope this helps in any way.

Azteca
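The SSID and passphrase footnotes above, as an added example that is not part of the original answer: WPA/WPA2-Personal derives its 256-bit master key with PBKDF2-HMAC-SHA1 using the SSID as the salt, so keys computed ahead of time for one network name do not carry over to another. The SSIDs and the passphrase below are constructed sample values.

```python
import hashlib


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the WPA/WPA2-Personal pairwise master key (PMK).

    PMK = PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32 bytes)
    """
    # A passphrase is 8 to 63 printable ASCII characters; spaces are allowed.
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters long")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes long")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, 32)


def precomputed_keys_survive_rename(passphrase: str, old_ssid: str, new_ssid: str) -> bool:
    """True only if a key computed for old_ssid is still valid under new_ssid."""
    return wpa2_pmk(passphrase, old_ssid) == wpa2_pmk(passphrase, new_ssid)


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    phrase = "maple window; rides north"
    for name in ("HomeNet-old", "HomeNet-new"):
        print(f"{name}: {wpa2_pmk(phrase, name).hex()}")
    print("old keys still valid after rename:",
          precomputed_keys_survive_rename(phrase, "HomeNet-old", "HomeNet-new"))
```

The same passphrase yields an unrelated key under each SSID, which is why the answer pairs the rename with a new, long passphrase: the rename discards precomputed work, and the length raises the cost of guessing against a captured handshake.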
1

I wouldn't waste time blocking MAC addresses. It's easy for an attacker to change (spoof) their MAC address at any time. MAC address filtering should not be used as a security option; it's really just security through obscurity and offers no real protection.

What could be happening is the device may still be showing up as a device that isn't authenticated yet. My router shows all devices, even ones that have not successfully authenticated and just attempted to connect, such as someone trying to log in, or maybe an old device that now has the wrong Wi-Fi password.

I would suggest if possible you change your WiFi password. This will then remove any unauthorised users.

A small note: The first 3 sections of the MAC address usually indicate the manufacturer of the device. Since you are saying the first three are the same, then either:

  • The attacker is spoofing to look like a device made by the same manufacturer as your router.

  • Or, you do actually have an authenticated device that you maybe have either forgotten about or didn't know was attached.

ISMSDEV
  • Thanks for answering quickly. There is only 1 laptop and 2 smartphones in my house; no other devices have Wi-Fi in them. After blocking that MAC address I changed the password; this time I used a random password generator of length 17. But 8-9 days later there is another user (different MAC address) similar to that. I guess they are the same user because they are taking my Wi-Fi at night. So is there any way to at least route their requests to my local web page (like http://localhost) so that they won't use the internet that I am paying for? Also note that my router is old, if it helps. – Jayakrishnan May 25 '17 at 13:04
  • If you chose a secure password then there is little chance this device is actually authenticated to your router's Wi-Fi access point. I assume you are using WPA2/Personal? This should be the one you use. I do believe it's just showing up as a device that has tried to connect and is not capable of stealing your internet data. If you are 100% sure they are stealing your data you could monitor their traffic. Come off your internet for a day and check with your ISP what internet usage has been used - you say YouTube is slow so they must be using a lot! Thanks – ISMSDEV May 25 '17 at 13:13
  • I disagree with your assertion that 'MAC filtering is security via obscurity'. Too many people instantly label any technique that might be easy to overcome by itself as "obscurity". MAC filtering is a valid if not very robust control. It is part of the larger picture of securing systems. – 0xSheepdog May 25 '17 at 17:21
  • Your second bullet in the "small note" is incorrect. The fact that the first three octets of the unknown device are the same as a known device means either they are spoofing the vendor code, as you say in bullet one, or the device is actually made by the same vendor. It has no bearing on whether they have an unknown/forgotten device. – 0xSheepdog May 25 '17 at 17:24
  • Otherwise, not a bad answer. – 0xSheepdog May 25 '17 at 17:24
  • 1
    I take your opinion seriously but I'm sorry but I disagree with you and stand by my initial comment. MAC controls have their uses. But blocking access to wifi APs, for solely security purposes, is not one of them. I will not turn this into an argument as it doesn't help the original question. Thanks – ISMSDEV May 25 '17 at 17:27
  • By an unknown or forgotten device I meant: did the person have an attached device that came with the AP, such as a Wi-Fi booster for example, plugged in somewhere within the house that they had forgotten? – ISMSDEV May 25 '17 at 17:29
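
The vendor-prefix point raised in the comments and in the second answer, as an added example that is not part of the original thread: it splits a MAC address into its 3-octet prefix (OUI) and reads the two flag bits in the first octet. The function names are illustrative; the first two addresses are the placeholders from the question and the third is a constructed sample.

```python
import re


def parse_mac(text: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or aabb.ccdd.eeff."""
    digits = re.sub(r"[:\-.]", "", text.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)


def describe(mac_text: str) -> dict:
    mac = parse_mac(mac_text)
    return {
        "oui": mac[:3].hex(":"),       # first three octets: vendor prefix
        "group": bool(mac[0] & 0x01),  # I/G bit: 1 = multicast/group address
        "local": bool(mac[0] & 0x02),  # U/L bit: 1 = assigned in software
    }


def compare(known: str, unknown: str) -> dict:
    a, b = describe(known), describe(unknown)
    same_oui = a["oui"] == b["oui"]
    if b["local"]:
        # Randomized or manually set address: the prefix is not a vendor code.
        note = "locally administered address; prefix says nothing about the vendor"
    elif same_oui:
        note = "same vendor prefix; shows a common vendor, not a common owner"
    else:
        note = "different vendor prefix"
    return {"same_oui": same_oui, "unknown": b, "note": note}


if __name__ == "__main__":
    # Placeholder addresses as written in the question.
    print(compare("01:02:03:04:05:06", "01:02:03:0a:bb:cc"))
    # Constructed sample with the locally-administered bit set.
    print(compare("01:02:03:04:05:06", "DA-A1-19-00-00-01"))
```

An address with the locally-administered bit set was chosen by software (for example a phone's per-network random address), so a new MAC appearing in the router's client list does not by itself mean a new physical device.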