
My home router's configuration interface shows a device I don't know, connected via WiFi to my local network. According to the router's history, that device connected to it several days ago. It is named "PC-24".

I know for a fact that this device is not in my home. I have an iPhone connected via WiFi and a Windows laptop via Ethernet (with WiFi disabled), and both are also accounted for in the router's interface.

A ping to this device's local address yielded some responses:

```
> ping 192.168.1.13
PING 192.168.1.13 (192.168.1.13) 56(84) bytes of data.
64 bytes from 192.168.1.13: icmp_seq=24 ttl=63 time=6.97 ms
64 bytes from 192.168.1.13: icmp_seq=25 ttl=63 time=4.81 ms
64 bytes from 192.168.1.13: icmp_seq=26 ttl=63 time=3.80 ms
^C
--- 192.168.1.13 ping statistics ---
387 packets transmitted, 3 received, 99.2248% packet loss, time 401353ms
rtt min/avg/max/mdev = 3.798/5.191/6.969/1.322 ms
```

Note the huge amount of lost packets, and the high ping for something that's supposed to be on my local network.

nmap shows no response:

```
> nmap 192.168.1.13

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-26 19:26 CEST
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.04 seconds

> nmap -Pn 192.168.1.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-26 19:26 CEST
Nmap scan report for 192.168.1.13
Host is up.
All 1000 scanned ports on 192.168.1.13 are filtered

Nmap done: 1 IP address (1 host up) scanned in 201.33 seconds
```

Wireshark shows no activity involving that address, apart from the ping packets I sent above.

I thought about a neighbor who somehow managed to connect to my WiFi for their use, but I have set a strong password (20 random characters) on the same day I got the router, and the ping seems too high to me.

My Windows laptop considered the home network as "Private" when I discovered the unknown device. As far as I know, I don't have anything non-standard listening on the network, and `nmap localhost` returns only closed ports.

What should I do about this device I can't identify? What are the potential risks of it being on my LAN, assuming that I'm going to boot it out now?

EDIT: I reset the router's WiFi password to 63 random characters a few minutes ago, and a device called "PC-42" has reappeared (notice that the number is different). I have only entered the password into my password manager, my laptop and my iPhone.

EDIT 2: the "PC-42" device has disappeared from the network. It had MAC address 00:26:86:00:00:00, which this website links to "Quantenna Communications, Inc.". I don't know that company.

Hey
  • The high rate of packet loss could be due simply to the device being too far from your wifi, thus getting poor signal. I would have a look at the MAC address. Based on the leftmost half of the MAC address you can identify the network card vendor and maybe make a guess about what kind of device you're dealing with. I would be tempted to monitor the traffic from and to that device with Wireshark and see what goes on. – Kate Sep 26 '20 at 18:50
  • You might want to log in to your router to see the MAC address of the device in question, then use https://www.macvendorlookup.com/ (or a similar site) to look up the vendor of the device based on the device's MAC address. It's possible that knowing the vendor of the device may shed some light on what the device is. – mti2935 Sep 26 '20 at 18:50
  • @mti2935 See my second edit. The address ends with `00:00:00`, which I guess means it could have been spoofed? I have never heard of the mentioned company in any case. – Hey Sep 26 '20 at 18:59
  • By any chance, is your ISP Comcast / XFinity? – mti2935 Sep 26 '20 at 19:02
  • @mti2935 No, it's a French one. – Hey Sep 26 '20 at 19:04
  • If you Google this MAC address, you'll find several hits that describe things that are similar to what you are seeing. See https://www.quora.com/There-is-00-26-86-00-00-00-Mac-address-and-on-my-network-How-do-I-delete-it for example. – mti2935 Sep 26 '20 at 19:09
  • The reason I am not putting this as an answer is because it is inconclusive. This is likely your router/wifi device. Theoretically a device on your network can request that particular internal IP for use and spoof a MAC address. But at the same time this is an incredibly common combo for these networking devices. So on one side of a coin you have someone going to great lengths to avoid suspicion and on the other it is likely of no concern. I cannot tell you for sure but if this happened to me I wouldn't worry myself too much about it. – Bacon Brad Mar 18 '22 at 23:40
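
The MAC address checks raised in the comments above, as an added example that is not part of the original thread: it splits an address into its vendor prefix (OUI) and device-specific half, reads the locally-administered and group bits of the first octet, and flags an all-zero device half. The function names and the one-entry vendor table are assumptions made for illustration, and the all-zero flag is a heuristic, not a verdict.

```python
import re

# Constructed lookup table: its single entry is the vendor the question reports
# for this prefix. A real check would load the full IEEE OUI registry instead.
OUI_VENDORS = {"002686": "Quantenna Communications, Inc."}

def parse_mac(text):
    """Accept 00:26:86:00:00:00, 00-26-86-00-00-00 or 0026.8600.0000; return 6 bytes."""
    digits = re.sub(r"[:\-.\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def analyze_mac(text):
    """Return the OUI, the vendor (if known) and notes on what the address bits imply."""
    mac = parse_mac(text)
    oui, nic = mac[:3], mac[3:]
    local = bool(mac[0] & 0x02)      # U/L bit set: address was assigned in software
    multicast = bool(mac[0] & 0x01)  # I/G bit set: group address, not a single station
    notes = []
    if local:
        notes.append("locally administered: randomized or manually set, "
                     "so a vendor lookup says nothing about the hardware")
    if multicast:
        notes.append("group address: not valid as a station's own address")
    if not local and nic == b"\x00\x00\x00":
        # Heuristic (assumption): an all-zero device half is unusual for a
        # factory-assigned address and is worth a closer look.
        notes.append("device-specific half is all zeros")
    vendor = None if local else OUI_VENDORS.get(oui.hex())
    return {"mac": mac.hex(":"), "oui": oui.hex(":"), "vendor": vendor,
            "locally_administered": local, "multicast": multicast, "notes": notes}

if __name__ == "__main__":
    # The first address is the one from the question; the others are constructed samples.
    for sample in ("00:26:86:00:00:00", "DA-A1-19-3C-5F-07", "0026.86a4.17c2"):
        print(analyze_mac(sample))
```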

0 Answers