23

For the past week or so I've been having problems with wifi in my house, and it appears that my neighbor set up a Pineapple or something similar that is running a known beacon attack and/or Karma/Dogma. It is also interfering with devices connecting to my WPA2 AP.

Symptoms:

  • A rotating list of 20 or 30 SSIDs show up with common names (attwifi, Google Starbucks, wifi...) and with very specific names (the SSID of the city library wifi, random default router SSIDs like SpectrumXXXX, Fios-XXXX).
  • Connecting to one of the SSIDs prompts for a login, which presents a fake FB, Google, or other phishing page to Android, iOS, and MacOS devices, but not Windows 10 devices
  • There appears to be wifi interference of some kind. My WPA2 AP has a stronger signal within my house than the rogue AP, but devices take 10-30 minutes to automatically connect to my network. The devices say connected, no internet and after repeated reconnections will eventually start working, or leaving the device running will allow it to connect. This is especially annoying with the smart TV, waiting 20 minutes for it to begin to function.
  • The evil twin appears to be pretty simple, it presents the same MAC for all SSIDs, starting with 00:13:37, always channel 11, 2.4 GHz only
  • The thing is powerful. I've used a stumbler app on my phone and it has signal for over a 250m radius and doesn't appear to be directional. Getting too close (within ~100 ft of it) causes my phone's wifi to stop responding and I get a message about wifi being jammed. 100 ft is in the middle of the street, so it's strong enough to cause errors on my phone when I'm driving near my house.

The MAC address indicates it could be a PineAP, or maybe a device running wifiPhisher. The AP names that are echoed back seem like they could be collected by wifi harvester, or maybe from a stumbler or database.

I am primarily frustrated by the interference with my APs. Nothing appears to be wrong that I can see in my APs (Unifi) and router (Frontier, running DHCP), no extra clients or strange traffic, but they have limited data gathering capabilities. I just ordered an Alfa wifi adapter to see if I can detect aireplay or some other unusual activity indicating a DoS or deauth or some other attack on my AP.

What do I need to look for to detect an attack? I'm guessing that airodump should give me indication of an attack if it's happening, but I don't really know what to look for.

What can I do to prevent autoconnecting to SSIDs, or blocking the rogue AP?

Any other ideas for dealing with the device?

Is there an easy tool available to spam the phishing forms with data? Seems like submitting junk logins in a loop to the rogue AP will eventually fill up the storage and may interfere with its operation, with the added benefit of burying any real credentials that were input by unwary people.


Clarification

Most of the comments suggest one of two routes, go talk to the neighbor or call the police. I understand those options, but I would like to understand intent and risk a little more before I do that.

As an analogy, if a neighbor has left their 1000 watt flood light on and it's shining into my bedroom window, it's really annoying and the neighbor is being inconsiderate. The correct response would be to go talk to the neighbor. If a neighbor is hiding in the bushes, filming video and shining lights into my house then the neighbor is a criminal and contacting law enforcement is appropriate.

I'm trying to tell if the neighbor bought a new toy and just left it plugged in, or has malicious intent. If it's the first then politely asking will fix the problem. If it's the second then politely asking will make them aware that they've been detected and could lead to more subtle methods that are harder to detect. Submitting junk to their device would be the equivalent of turning my floodlights on to shine back at their house, perhaps passive-aggressive, but also a nudge toward social conformity.

What would I need to look for to detect an active attack vs a stock pentest device just running? Would it be obvious in airodump? Or some other tool? Is there something else I should be looking for?

To answer some of the questions, I'm in a suburban city in Texas and I don't expect local law enforcement to understand unless I lead them by the nose (and only then if I'm lucky). FCC, FBI, or similar may have a little interest, but attacking some home wifi or transmitting at 1 watt over allowed is very minor.

I haven't seen the device actively impersonate my SSID, and it has definitely not presented WPA, so the interference with my connections would either be noise or something like an active deauth attack (how would I detect this?)

Also, the device does not provide a functional internet connection. After the phishing page it goes to a 401-like message and that's it, so it can't be sniffing http traffic that's not happening.

user15741
  • Your best bet is probably to walk to the owner's house and politely ask them to turn down the signal strength on their testing lab. If that doesn't work, your options vary depending on your legal location. – Monica Apologists Get Out Mar 22 '18 at 21:55
  • 2
    Contact appropriate law enforcement. Depending on where you are, this may be local, county, state, federal or an organization like the FCC (examples from US, who to contact will vary geographically). Switch as many of your devices to 5GHz as possible, as this will avoid any issues from the 2.4GHz offender. Also, trying to DoS the offender seems like a poor choice. – YLearn Mar 22 '18 at 23:26
  • 1
    Try contacting your neighbor. I think you have the same interests. You can also spawn SSIDs with a message :D – davidbaumann Mar 23 '18 at 08:17
  • It seems pretty likely that this is a mistake, not malicious action. If it were malicious, there wouldn't be SSIDs like "Libary Wifi". Additionally, the attacker would be smart enough to know that running an attack out of their private residence is not a great idea, to put it mildly. – Cowthulhu Mar 23 '18 at 14:22
  • 1
    Another possibility: do your neighbors have kids? Might be one of their kids playing around with it, parents may not be aware at all — and a talk with their parents will take care of it. This really sounds like something to ask on [interpersonal.se]... – derobert Mar 28 '18 at 17:05
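
The two things the question asks how to detect, one BSSID beaconing many SSIDs and bursts of deauthentication frames carrying the home AP's BSSID, can be checked over exported management-frame records. This is an added example, not part of the original post; the record format, the `02:00:00:11:22:33` home BSSID, the thresholds and all function names are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict

# Constructed sample records (not from the original post). Assumed format, one
# management frame per line from a monitor-mode capture: time_s,kind,bssid,ssid_or_reason
SAMPLE = """\
0.10,beacon,00:13:37:aa:bb:cc,attwifi
0.20,beacon,00:13:37:aa:bb:cc,Google Starbucks
0.30,beacon,00:13:37:aa:bb:cc,wifi
0.50,beacon,02:00:00:11:22:33,HomeNet
1.00,deauth,02:00:00:11:22:33,7
1.05,deauth,02:00:00:11:22:33,7
1.10,deauth,02:00:00:11:22:33,7
1.15,deauth,02:00:00:11:22:33,7
1.20,deauth,02:00:00:11:22:33,7
9.00,deauth,02:00:00:11:22:33,3
"""

def parse(text):
    """Yield (time, kind, bssid, rest); SSIDs may themselves contain commas."""
    for line in text.splitlines():
        if line.strip():
            t, kind, bssid, rest = line.split(",", 3)
            yield float(t), kind, bssid.lower(), rest

def multi_ssid_bssids(records, min_ssids=3):
    """BSSIDs that beacon several different SSIDs (the pattern in the question)."""
    seen = defaultdict(set)
    for _, kind, bssid, ssid in records:
        if kind == "beacon":
            seen[bssid].add(ssid)
    return {b: sorted(s) for b, s in seen.items() if len(s) >= min_ssids}

def deauth_bursts(records, my_bssid, window=1.0, threshold=5):
    """Start times of windows with >= threshold deauth frames for my BSSID."""
    times = sorted(t for t, kind, bssid, _ in records
                   if kind == "deauth" and bssid == my_bssid.lower())
    bursts, i = [], 0
    while i < len(times):
        j = i
        while j < len(times) and times[j] - times[i] <= window:
            j += 1
        if j - i >= threshold:
            bursts.append(times[i])
        i = j if j - i >= threshold else i + 1
    return bursts

if __name__ == "__main__":
    recs = list(parse(SAMPLE))
    print(multi_ssid_bssids(recs), deauth_bursts(recs, "02:00:00:11:22:33"))
```

An occasional deauth frame is normal when a client leaves; sustained bursts are not. Because the source address of a deauth frame can be forged, a burst shows that an attack is happening but not which device sent it.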

2 Answers

7

You are in a tricky spot. If your neighbor is running active attacks against you, and has set up a pineapple that is mimicking your AP, you have a serious problem in my honest opinion. You can't "block" your own SSID which they are impersonating. Best thing to do: turn off the wifi and use local LAN as much as possible.

For everything that has to use Wifi: it is -critical- that you check your URLs for HTTP/HTTPS. The most common nasty trick I see in a situation like this is SSL stripping, which basically pretends you are on https but puts you on http so the pineapple can scrape plaintext information. So check your URL bar every time you are about to log into something for that https lock.

Block SSIDs with this: http://mywindowshub.com/add-remove-wireless-network-allowed-blocked-filter-list-windows-10/

There are articles for every OS, you can find them with a Google search.

Just wiresharking your traffic can tell you a lot about what is going on as far as attacks, but it is hard work to search through that and be able to recognize injections, etc.

You will most likely have no luck with local law enforcement. I'd suggest reporting to S.S. https://www.justice.gov/criminal-ccips/reporting-computer-internet-related-or-intellectual-property-crime

Also, it would be wise to talk to all of your neighbors (as it's most likely all of you being attacked) and go over as a group and demand the Wifi impersonation be stopped. Frankly, I'd call S.S. first and ask what they recommend. Also you can email US-CERT for advice: https://www.us-cert.gov/forms/report

bashCypher
  • Not knowing where this is taking place, there really is no reason to say the OP will likely have no luck with local law enforcement. Some local law enforcement is very good at dealing with cyber crimes. Additionally, federal agencies (FBI, SS, etc) will often refuse to get involved in a local matter unless you have first contacted the local authorities. – YLearn Mar 23 '18 at 04:18
  • @YLearn I guess I am assuming they are in America from the tone of the writing, but that might not be fair. IF they are in USA, yeah I'd bet against local cops on this. The law here is confusing and in my experience (I've sat in S.S. meetings, work hand in hand with US 3 letter agencies), is that local cops don't have protocols to deal with this other than possibly "talking to" the guy. It is subjective, and an assumption though. Fair. Also please give example of your experience with local law and a pineapple. Would make me happy to know we are improving. – bashCypher Mar 23 '18 at 14:56
  • There are some Sheriff departments with decent cyber resources, and a couple state police forces as well. I can’t speak for all other local police forces, but depending on size/resources of the community, I would expect a few somewhere to be decent enough not to discount. As for federal agencies, I have heard of several instances reported by other people where the federal agency declined to pursue the issue or recommended that they work with local law enforcement first due to the limited nature of the issue. – YLearn Mar 23 '18 at 16:11
  • In the US, the appropriate law enforcement is probably the FCC (willful interference/jamming, exceeding allowed power, etc), not local police, FBI, etc. No clue how interested they'll be. – derobert Mar 28 '18 at 17:02
  • FCC document on the subject, includes reporting instructions: https://transition.fcc.gov/eb/jammerenforcement/jamfaq.pdf – derobert Mar 28 '18 at 17:10
3

Use LAN for now. You should simply stop using devices that need WiFi.

Try to find out who the disturbing neighbor is and get in contact. If he/she doesn't take down the PineAP, call law enforcement.

Do not involve yourself in petty hacker games.

  1. You won't get any help or guidance for these here
  2. you will most likely get the short end of the deal and
  3. you will most likely involve yourself in illegal activities.

Try to deal with this the same way, like you would deal with a neighbor that is listening to deafening music in the middle of the night. Do not go over to their house, manipulating their stereo.
Tell them to turn it off or call someone who has the authority to force them.

Concerning your edit:

"I'm trying to tell if ..", "What would I need to look for to detect .." "how would I detect this?"

This is not your job. That's the job of a detective (or some other person in law enforcement).
Just because you feel that you have some knowledge in this realm - the questions you have asked so far do not support that feeling - doesn't mean that you should (try to) go full Mr. Robot. Leave this to the professionals.

Tom K.
  • Yes, but more importantly: [it's illegal](https://www.fcc.gov/document/warning-wi-fi-blocking-prohibited). – Tom K. Mar 23 '18 at 14:22
  • Phones do not need WiFi, smart devices can possibly stay off the internet and still function. If you worry about information security, just leave your game console unplugged. – Tom K. Mar 23 '18 at 14:29
  • Concerning the link, I read your question as "looking for a deauth attack against my neighbor". It still is a useful resource because it includes this paragraph: "What Should You Do if You Suspect Wi-Fi Blocking? If you have reason to believe your personal Wi-Fi hot spot has been blocked, you can file a complaint with the FCC. To do so, you can visit www.fcc.gov/complaints or call 1-888-CALL-FCC." – Tom K. Mar 23 '18 at 14:30
  • Why not use a VPN on those devices? That way he can still use his WiFi including any vulnerable service he might be using. (Of course this only works on devices that support that) – comfreak Mar 30 '18 at 07:10