SSID with very similar name, is this an attempt of hacking?

139

33

I noticed that another SSID pops up in my WiFi with the same name as mine (quite personal so could've only been intentionally copied) but a couple of the letters are capitalized. Their version has no security. Mine has WPA-PSK2. I tested it to be sure by unplugging my router and while mine disappeared after a while, theirs remained.

Is this a ploy at hacking? Are they trying to use this to infiltrate my network - since I closed mine only to approved MAC addresses - thinking I will slip up and join their network?

Example:

  • My SSID: bestfriend
  • Their SSID: BestFriend (with capital B & F)

K. Pick

Posted 2017-06-08T07:18:06.233

Reputation: 1 127

50more people should take security this seriously. It's possible, if it is a targeted attack we call these rogue access points, where you mimic the name of someone else and see if clients connect to it. But we'll need more information, what exactly is the name of your network (ESSID) and how many people use it? Is this a personal network? Who else knows about this network? Does your girlfriend have an ex that wants to get back together with her? You get the idea... some details would be good. – Nalaurien – 2017-06-08T07:58:26.743

57...maybe they are just politely asking you to change the capitalization of your SSID to a "more correct one" because it bothers them when they see it on their available networks list? I can imagine myself doing that... "Never attribute to malice that which is adequately explained by extreme nitpicking" (?) – xDaizu – 2017-06-08T10:55:28.470

21Connect to the network with a throwaway machine and try to scan the entire subnet with nmap to see what they're up to. – André Borie – 2017-06-08T14:26:57.173

21Could just be chance. You'd be amazed at how popular some SSIDs (eg. variations on "FBI Surveillance Van") are. – Mark – 2017-06-08T18:28:21.753

18tread carefully and don't ignore SSL/TLS errors! – n00b – 2017-06-08T19:05:53.707

4Although it could be hacking related, your SSID is so generic, there are 1000 reasons why they named it that. Maybe wifi is their bestfriend also, sad, but completely plausible. Now if it was named jQT1SWVMBEu3 and they copied that then there is no excuse. – cybernard – 2017-06-09T02:32:43.640

13@cybernard: Unless I'm misunderstanding it, "bestfriend/BestFriend" is just a generic example he is using to illustrate the difference. I expect the actual networks are named more along the lines of something like "bennyjacobalfredomcduck" and "BennyJacobAlfredoMcDuck" – Kim André Kjelsberg – 2017-06-09T07:47:36.997

3I'd suggest changing your SSID and turning off broadcast SSID. – mikeazo – 2017-06-12T12:25:13.980

3Regarding the suggestion from @AndréBorie, be aware that this might not be legal. – Jonas Schäfer – 2017-06-12T19:28:11.033

1@xDaizu While plausible, it would be extremely foolish to follow their "suggestion" as long as their network also has this SSID. Therefore, it's a very ineffectual way of making this suggestion. – Jasper – 2017-06-13T08:34:26.950

@Jasper Maybe their SSID has one of those cyrillic characters they use for meanie phishing attacks so your change is safe. Or maybe they have a set up such as the moment they see ANOTHER network with that SSID, it disables their own :) – xDaizu – 2017-06-13T08:42:04.113

Them having a WiFi network with the same or a similar SSID doesn't grant them access to your network. A possible attack is where they would use the same SSID and try to lure your wireless devices into connecting to their network (as devices connect to a WiFi network based on the SSID and signal strength by default). Other than social engineering your visitors that would like to connect to your WiFi network to make them connect to theirs, I don't see a valid attack in creating a WiFi network with a non-matching SSID. Maybe they like the name of your network or think it'd hide theirs? – BlueCacti – 2017-06-13T11:16:04.763

2Be aware this may be a mistake you (or a user) have made in attempting to connect to the wifi by specifying it. In Ad-hoc mode you specify an SSID to become part of. Obviously if you were trying to connect to this one, you'd put it in... but if you spelt it slightly wrong, it wouldn't match up - tada, you've got a duplicate network! – djsmiley2k TMW – 2017-06-13T14:01:54.983

5You're confusing hacking with social engineering. 'Hacking' is a slang term in the first place, but it basically means taking advantage of a vulnerability in a system or piece of software. Social engineering is when somebody takes advantage of another human being's stupidity, naivety, ignorance, or short-sightedness to gain access to something that otherwise is completely secure behind some security algorithm or system of some kind. – searchengine27 – 2017-06-13T23:37:43.613

1I wonder if one could connect by accident to such free wireless network and use it to run a Tor exit node. Assuming it actually allows connections to the outside... – Daniel – 2017-06-14T13:49:57.080

1Hacking? No. Social engineering? Yes. – Thomas Ward – 2017-06-17T21:12:59.707

Answers

129

Yes, it is most likely some kind of hacking ploy, although it's a guess as to why.

I do point out that locking your router down to specific MAC addresses might provide a tiny bit of security, but not much.

It's also unlikely that their actions are designed to hack your network - they are more likely to try and capture your traffic.

If it were me, I would take advantage of them - I'd get a cheap VPN and some dedicated hardware (low spec PC, large hard drive), connect it up to the VPN and their network and leech hard. Because you are using a VPN they won't be able to intercept your traffic but you can consume all their bandwidth until they wake up. (And you have plausible deniability: "Hey, I thought I was connected to my AP - I used the SSID of my device.")

Couple of other things to mull over - It's conceivable that both of these APs are actually yours - one in the 2.4 gig band, one in the 5 gig band, and the 5 gig band is simply not encrypted. Check your router configuration to rule this out and/or some kind of Wifi Analyser (There are a few available from the Play store for Android) to help you work out where the signals are coming from by looking at signal strength.

Watch out for de-auth packets. If they are trying to hack your systems it would not surprise me if they are trying to send de-auth packets to interfere with your connections to increase the chance that someone on your network tries to connect to them.

davidgo

Posted 2017-06-08T07:18:06.233

Reputation: 49 152

114He mentions he unplugs the router and the other network remains, this rules out that it's his 5gig band. – LPChip – 2017-06-08T08:54:20.443

Can you explain further where a VPN comes into this? – Lightness Races with Monica – 2017-06-08T22:47:27.113

1A VPN encrypts the traffic between your device and the other side of the VPN meaning that the neighbour can't see the contents or modify it. If he were just to use the connection directly the data could be intercepted and manipulated. – davidgo – 2017-06-08T23:15:24.260

13How is this plausible deniability? You were leeching bandwidth on a cheap computer you bought over a VPN that you normally never use. Are you trying to lie to a 5-year-old or to a judge? – user541686 – 2017-06-09T01:19:58.293

20@Mehrdad Plausible deniability exists as your neighbour was trying to trick you to connect to their AP - and you fell for it. My neighbour behaves like a hacker, so it's entirely reasonable to get a VPN to protect myself. (Also, I don't need to lie to a judge, the other party is the one making the claim - my lawyer could simply sow the seeds of doubt). I'm curious on what better legal minds think though, so I've posed this as a question at law.se (https://law.stackexchange.com/questions/19482/clean-hands-doctrine-and-plausible-deniability) – davidgo – 2017-06-09T02:47:18.760

17@Mehrdad If I'm going to lie about network hacking, I'd take my chances on a judge before a five-year old! – Auspex – 2017-06-09T13:16:32.877

2@Mehrdad Depending on local legislation, it may not even be an offence to use a completely unprotected WiFi ... – Hagen von Eitzen – 2017-06-09T15:04:01.203

1With the traffic being encrypted with the OPs passphrase, how would the "evil router" be able to talk to any clients they've managed to trick into connecting to it? – Gary – 2017-06-09T15:22:55.080

3Regardless of the "plausible deniability," I find it unethical to advocate such shady behaviour, especially since, depending on jurisdiction, it may be entirely legal to connect to an open access point. – StockB – 2017-06-09T16:15:25.727

1@Mehrdad You just set up a dedicated machine to download internet videos for offline viewing. However, this isn't something I'd do - not for any legal issues but because it is probably charging somebody else money. (Assigning a virtual device to every IP, each of which hosting a web server that always returns a troll face, however, is fair game.) – wizzwizz4 – 2017-06-09T19:05:03.707

3@Mehrdad: If I punch a burglar in my house, that burglar cannot run to the police and complain that I attacked him without also proving that he broke into my house. So if a hacker sets up a fake network intended to catch traffic, he can't then complain that people have started using the network he intended to be used by others (unknowingly). – Flater – 2017-06-13T13:40:26.987

2@Flater: (a) That has nothing to do with plausible deniability of anything, and (b) You're the one who'd need to prove his network was fake and intended to catch traffic. – user541686 – 2017-06-13T13:48:15.183

2@Mehrdad: (a) Since the hacker intentionally set up his fake network so that you mistakenly connect to it, you can therefore claim that you never intended to use his network. It is plausible because the network has been specifically set up to be a trap, and you claim you blindly stepped into the trap. (b) Since we are talking about plausible deniability, the scenario is one where the hacker tries to get you in trouble (with authorities) because you did something to his fake network that he doesn't like (leeching it). The hacker would have to implicate himself before he can get to you. – Flater – 2017-06-13T13:56:09.873

1@Flater: (a) I was talking about the burglar case. (b) He wouldn't have to say anything about his network name or that it was similar to anything. He could even change it before reporting. This should be obvious. And for you to deny a claim, you'd have to lie under oath. Which is a potentially worse crime. People aren't stupid. – user541686 – 2017-06-13T14:08:54.003

Actually, what ruins plausible deniability is you publicly posting that you would do this very thing. A lot less plausible now... – TOOGAM – 2017-06-16T01:33:23.770

56

It sounds to me that this is something called "Evil Twin".

Basically the attacker creates a network that mimics yours so you (or your machine all by itself) connect to that instead. He achieves that by, as davidgo said, sending de-auth packets to your router so you have to reconnect. By changing the MAC-Address of his own router to the one of yours, your computer automatically connects to the attacker's network instead (given that its signal is stronger). This allows the attacker to further harm you by Man-In-The-Middle Attacks or a fake DNS that redirects common websites to phishing sites.

Now you could do some science here and try to prove that this is indeed an attacker with bad intentions and report it, or simply take advantage of "free traffic" but since there might be some DNS shenanigans going on you could risk giving away sensitive information when not being careful while filling out forms.

Echo

Posted 2017-06-08T07:18:06.233

Reputation: 671

54Normally an Evil Twin matches the SSID exactly. I think by capitalizing certain letters they're trying to somewhat Social Engineer potential victims and make the non-capitalized SSID look like the bad clone. "Look at this uncapitalized clone! It's doing a bad job at making me click it. Obviously I should click the capitalized one that looks more official with some thought put into naming it." – Corey Ogburn – 2017-06-08T15:17:30.047

3Why would the attacker bother with a (suspicious) SSID if he can make your device connect to his router automatically by spoofing the MAC address? – JimmyB – 2017-06-09T13:20:44.450

7@JimmyB Likely because the attacker can't manage the "given that its signal is stronger" precondition. So rather than go for the computer that's not cooperating, they go for the inattentive human. – Kevin Fee – 2017-06-09T20:24:42.630

3If the security authentication mechanism is not exactly the same as the original wireless network, the computer won't connect to the fake network, even if the signal is stronger. – pHeoz – 2017-06-12T15:26:28.240

1@JimmyB Once a device would connect to your fake SSID, you don't need to spoof any MAC address. In an Evil Twin attack you try to lure the victim onto your wireless network by giving it the same SSID and interfere with clients connecting to the real one (by disrupting the signal or - more commonly - by forcing them to de-authenticate from the real AP). Most people don't manually pick an SSID as their device is already connected to the SSID of their home network, only when you have a new device you'll look through the list of available networks, making you susceptible to the Social Engineering – BlueCacti – 2017-06-13T11:12:05.703
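A defensive sketch of what "watching for de-auth packets" (davidgo's answer and the Evil Twin answer above) can look like, added here as an example and not part of any post: it counts deauthentication/disassociation frames per BSSID in a sliding window. It assumes frames were captured in monitor mode with the radiotap header already stripped; the window, threshold and sample frames are constructed.

```python
import struct
from collections import defaultdict, deque

DEAUTH, DISASSOC = 12, 10      # 802.11 management-frame subtypes (frame type 0)
PROTECTED = 0x40               # frame-control flag: body is encrypted (802.11w/PMF)


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_teardown(frame):
    """Return (dst, src, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(frame) < 26:                       # 24-byte header + 2-byte reason code
        return None
    fc0, flags = frame[0], frame[1]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, fc0 >> 4
    if version != 0 or ftype != 0 or subtype not in (DEAUTH, DISASSOC):
        return None
    # With PMF the reason code is encrypted, so do not report garbage.
    reason = None if flags & PROTECTED else struct.unpack_from("<H", frame, 24)[0]
    return fmt_mac(frame[4:10]), fmt_mac(frame[10:16]), fmt_mac(frame[16:22]), reason


def detect_bursts(frames, window=10.0, threshold=5):
    """frames: (timestamp_seconds, raw_frame) pairs in time order.

    Returns one (bssid, timestamp, count) alert the first time a BSSID collects
    `threshold` teardown frames within `window` seconds.
    """
    recent = defaultdict(deque)
    alerted, alerts = set(), []
    for ts, raw in frames:
        parsed = parse_teardown(raw)
        if parsed is None:
            continue
        bssid = parsed[2]
        seen = recent[bssid]
        seen.append(ts)
        while ts - seen[0] > window:          # drop frames older than the window
            seen.popleft()
        if len(seen) >= threshold and bssid not in alerted:
            alerted.add(bssid)
            alerts.append((bssid, ts, len(seen)))
    return alerts


def sample_frame(fc0, dst, src, bssid, reason):
    """Constructed header-only test frame (not a capture)."""
    addrs = b"".join(bytes.fromhex(m.replace(":", "")) for m in (dst, src, bssid))
    return bytes([fc0, 0, 0, 0]) + addrs + b"\x00\x00" + struct.pack("<H", reason)


MY_AP = "02:00:00:aa:00:01"        # constructed BSSIDs (locally administered range)
OTHER_AP = "02:00:00:cc:00:03"
BROADCAST = "ff:ff:ff:ff:ff:ff"
SAMPLE_FRAMES = (
    [(0.0, sample_frame(0x80, BROADCAST, MY_AP, MY_AP, 0))]      # beacon subtype: ignored
    + [(1.0 + 0.5 * i, sample_frame(0xC0, BROADCAST, MY_AP, MY_AP, 7)) for i in range(6)]
    + [(4.0, sample_frame(0xC0, "02:00:00:dd:00:09", OTHER_AP, OTHER_AP, 3))]  # one-off
)

if __name__ == "__main__":
    for bssid, ts, count in detect_bursts(SAMPLE_FRAMES):
        print(f"{count} deauth/disassoc frames for {bssid} within 10s (at t={ts}s)")
```

The source address in an unprotected deauth frame is not authenticated, so an alert identifies which network is being disrupted, not who sent the frames.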

43

I ran into a similar "issue" earlier this year while debugging wireless connectivity issues.

My suggestion is a question: do you own a chromecast?

The connectivity issues ended up being entirely the service provider's fault, but I was really stuck on this red herring SSID. By using a wifi signal strength analyzer app on my phone I tracked it down to the chromecast (which was an alternate capitalization of my wifi SSID), and there was much relief.

EDIT: It is important to note that the Chromecast only needs power (not "internet") to host its own wifi, it will both connect to a wifi as well as hosting its own. You can connect to this but it doesn't do anything unless you are configuring it via the app.

Cireo

Posted 2017-06-08T07:18:06.233

Reputation: 531

3Yes I do own a Chromecast. But its MAC address is added into the original router and it also wouldn't work when I unplugged the router that night. – K. Pick – 2017-06-11T19:08:16.967

I will add that my Chromecast is named SantoRican as well but since it wasn't connected to the internet the Wifi was down it was offline. The cable guy checked it when he came to fix the wifi but said that wasn't what was causing the issue. (but you never know he could be wrong) – K. Pick – 2017-06-11T19:12:57.983

1@K.Pick Chromecast can act as a host, so you can connect to it with your phone and configure it. – emed – 2017-06-12T17:50:39.187

2This seems to be the most likely answer. Devious people could use other more interesting and less obvious ways. The "alternate capitalisation" should be in bold as this is the most obvious clue in my view. – KalleMP – 2017-06-13T18:15:02.447

21@K.Pick: Don't start guessing on how the chromecast is listed in your router. Simply unplug the chromecast and check if the SSID is still there. – yankee – 2017-06-13T19:06:36.010

@K.Pick: So? Was it still there after unplugging and powering OFF the Chromecast? – Stephan Henningsen – 2017-06-18T10:00:05.790

@Cireo: Well done =) Perhaps the Chromecast got disconnected with the wifi so it went into configuration mode and started announcing itself by the name it was given? – Stephan Henningsen – 2017-06-18T10:03:13.690

Lesson learned: Don't give two devices, networks, kittens or anything else really the same name as it will make debugging harder. Good luck you weren't consistent with upper and lower casing, so you can actually double-confirm if it was your Chromecast. I'd suggest renaming your television's Chromecast something like "KPicksTelevision" when you get the chance. It's a good name. You'll like it. – Stephan Henningsen – 2017-06-18T10:04:46.590

Let me elaborate - I named the home network "santorican" I named the chromecast "SantoRican" because when I first tried setting it up I was at a friend's house. So when I brought it home they coincidentally have similar names. – K. Pick – 2017-06-18T23:06:25.393

Stephan - Yes it was still there after turning off the tv (which would cut the power to it). It took a day or so to disappear off the network and when the internet was restored it was no longer there even though the chromecast was working fine. Perhaps I should change it anyway – K. Pick – 2017-06-18T23:08:47.207

14

Well - you seem to be taking security quite seriously. It is possible someone is trying to trick people joining the other network. Best way to start looking at this would be to change your SSID to something different - and also quite specific, for example a word with some digits substituting for letters and see if that SSID changes to similar to yours - perhaps yours will be st0pthis and theirs StopThis. If you do record their SSID MAC address beforehand to see if the other SSID changed you can be even more suspicious.

A good way on Linux to see MAC addresses is:

    iwlist YourInterfaceName scanning | egrep 'Cell |Encryption|Quality|Last beacon|ESSID'

And of course you can and indeed should monitor your network for changes and suspicious activity as well as keep your machines updated.

r0berts

Posted 2017-06-08T07:18:06.233

Reputation: 1 585

2@r0berts Should implies choice with a strong recommendation. – wizzwizz4 – 2017-06-09T19:08:37.077

I do understand. But on average I'd say people do not know how to monitor their networks so no point making them feel guilty about that. But point taken ) – r0berts – 2017-06-09T19:19:27.763

1Even just keeping your system up-to-date with patches, and having some basic computer hygiene (block-incoming-by-default firewall, up-to-date antivirus) will go a very long way toward ensuring that your system is secure. Unfortunately, that's the bare minimum required today for any system which is connected to the Internet. The days when you could just hook up any random system to the Internet with no precautions whatsoever are long gone... – a CVn – 2017-06-10T15:19:53.853

I totally agree to that. It would be great if the complexity of monitoring your network could be reduced, this still requires a huge time investment to learn this for your home LAN. – r0berts – 2017-06-13T10:20:51.507
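The scan that r0berts suggests can be turned into a repeatable check, shown here as an added example (not from the original answer): it parses the filtered iwlist output and lists access points whose name collapses to yours after case-folding and digit-for-letter substitution but whose BSSID is not one of your own. The sample scan, MAC addresses and the substitution table are constructed assumptions.

```python
import re
import unicodedata

# Constructed sample of the filtered `iwlist ... scanning | egrep ...` output.
SAMPLE_SCAN = """\
          Cell 01 - Address: 02:00:00:AA:00:01
                    Quality=62/70  Signal level=-48 dBm
                    Encryption key:on
                    ESSID:"bestfriend"
                    Extra: Last beacon: 24ms ago
          Cell 02 - Address: 02:00:00:BB:00:02
                    Quality=55/70  Signal level=-55 dBm
                    Encryption key:off
                    ESSID:"BestFriend"
                    Extra: Last beacon: 80ms ago
          Cell 03 - Address: 02:00:00:CC:00:03
                    Quality=30/70  Signal level=-80 dBm
                    Encryption key:on
                    ESSID:"CoffeeShopGuest"
                    Extra: Last beacon: 120ms ago
          Cell 04 - Address: 02:00:00:DD:00:04
                    Quality=58/70  Signal level=-52 dBm
                    Encryption key:off
                    ESSID:"bestfriend"
                    Extra: Last beacon: 36ms ago
"""

CELL_RE = re.compile(r"\s*Cell \d+ - Address: ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s*$")
SIGNAL_RE = re.compile(r"\s*Quality=.*Signal level=(-?\d+) dBm")
ENC_RE = re.compile(r"\s*Encryption key:(on|off)\s*$")
ESSID_RE = re.compile(r'\s*ESSID:"(.*)"\s*$')

# Illustrative digit-for-letter table (an assumption, not a complete confusables list).
LEET = str.maketrans("013457", "oleast")


def parse_scan(text):
    """Turn filtered iwlist output into a list of per-cell dicts."""
    cells, cur = [], None
    for line in text.splitlines():
        if (m := CELL_RE.match(line)):
            cur = {"bssid": m.group(1).upper(), "ssid": None,
                   "encrypted": None, "signal": None}
            cells.append(cur)
        elif cur is None:
            continue
        elif (m := SIGNAL_RE.match(line)):
            cur["signal"] = int(m.group(1))
        elif (m := ENC_RE.match(line)):
            cur["encrypted"] = m.group(1) == "on"
        elif (m := ESSID_RE.match(line)):
            cur["ssid"] = m.group(1)
    return cells


def skeleton(ssid):
    """Collapse case and digit substitutions so 'st0pthis' and 'StopThis' compare equal."""
    return unicodedata.normalize("NFKC", ssid).casefold().translate(LEET)


def find_suspects(cells, my_ssid, my_bssids):
    """Cells that look like my network but are not on my BSSID allow-list.

    A BSSID can be cloned, so the allow-list only catches the careless case;
    an unexpected change in encryption on a known BSSID deserves a look too.
    """
    known = {b.upper() for b in my_bssids}
    target = skeleton(my_ssid)
    suspects = []
    for c in cells:
        if c["ssid"] is None or c["bssid"] in known:
            continue
        if skeleton(c["ssid"]) != target:
            continue
        kind = "same-name" if c["ssid"] == my_ssid else "lookalike"
        security = "open" if c["encrypted"] is False else "encrypted"
        suspects.append((c["bssid"], c["ssid"], kind, security))
    return suspects


if __name__ == "__main__":
    for row in find_suspects(parse_scan(SAMPLE_SCAN), "bestfriend", ["02:00:00:aa:00:01"]):
        print(*row)
```

Run against saved scans over several days, the same check shows whether the other network's BSSID stays constant while its name follows yours.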

11

Simple trick,

Change your SSID and hide it see what happens. If they copy your SSID again then you know you’re in trouble.

Extreme mode

Change your local DHCP network range to something that isn’t used on the open network

Configure a static IP if possible so your PC can't use the open WiFi

Configure your WiFi settings on your PC not to use open WiFi hotspots

Change your WiFi password to something like this: HSAEz2ukki3ke2gu12WNuSDdDRxR3e

Change your admin password on your router just to make sure. And finally use a VPN client on all your devices (also phones)

You use MAC filtering and that’s a good low level security feature. Finally, use third party firewall and AV software and set the settings to annoyingly secure so you have to approve almost every action which has to do something with internet or network activity.

Once you get used to these things it will get easier to maintain and your firewall will relax because it learns from your actions.

Keep us posted! :)

MR_Miyati

Posted 2017-06-08T07:18:06.233

Reputation: 111

10

Yes, this is exactly what you think it is: someone is trying to trick you to join their network by mistake. Don't connect to it. If you realize you just did, run an antivirus scan and remove whatever data you have been downloading as it cannot be trusted. If you happened to also send sensitive data like a password over this rogue connection, change it right away.

If this access point won't go away after a while, I suggest you take a reasonable effort to make it stop (like asking your neighbors to stop that or tell their kids to stop). A device capable of showing the WiFi signal strength, like a cellphone, should allow you to track down the location of this access point precisely enough.

Dmitry Grigoryev

Posted 2017-06-08T07:18:06.233

Reputation: 7 505

The app I would recommend for tracking it down is inSSIDer. It is created by the wonderful people at MetaGeek. – Rowan Hawkins – 2017-06-13T23:14:10.040

9

A lot of times people with security concerns are just being paranoid. In this case, you have a very legitimate cause for concern.

Don't conclude maliciousness 100%, it could be an IT savvy neighbor trying to prank you, let's say by redirecting website requests to a joke site. Or someone who tried to set up their own network and just happened to imitate yours (but I am inclined to doubt that, any router nowadays will have a password requirement by default). But basically, the person would be able to see a lot of your traffic, which websites you visit, what you send and receive, apart from what's encrypted (and much is not encrypted). That could be for blackmail, espionage, stalking. On the other hand, it's not super sophisticated and quite easy to discover, so who knows.

More importantly, this isn't some generic mass global attack by foreign hackers, it means a physical access point is located near or in your house. If I was you, I would not alert them, but try to find it. If you have a fuse box, switch off power one course at a time, and wait five minutes and see if the access point disappears. That will tell you if it's something in your house. Otherwise you can use triangulation, a signal strength with GPS logger on your phone and take a walk through the neighborhood, or a Pringles can to find out roughly where it is. You might find an old ex with a knife, a buried box, or a neighbor's nerdy kids. If they care enough to do this, they might also have an audio bug. First track down generally where it is, and if it's inside someone's house, then you might want to call a bodyguard from work and go knocking on doors.

Bob

Posted 2017-06-08T07:18:06.233

Reputation: 91

2I too think it would be interesting to find out the location of the network before it gets turned off. The Chromecast answer above may be the benign explanation though. – KalleMP – 2017-06-13T18:12:29.627

The ssid disappeared the morning the Internet company came to fix the net so I believe if it was someone nearby they may have seen the truck and pulled it down. – K. Pick – 2017-06-18T23:11:22.937

2

The other answers so far give you enough to do about this concrete situation.

However it should be noted that you have noticed a situation that may be an attempt to invade your private data. There are other situations when this kind of attack is less detectable. E.g. if your neighbour knows your Wifi-Password, which you could have told them when they kindly asked, because they were new in the house and their own uplink was not ready yet. But worst of all: If you are on an unencrypted Wifi (or one where the password is commonly known) such as hotel or airport Wifi, these attacks will be very hard to detect, because the attacker can set up the wifi with EXACTLY the same settings (same password and same SSID) and your devices will automatically connect to the strongest signal and never tell you that it made a choice.

The only option to actually stay safe is to encrypt ALL your traffic. Never enter your password, email address, credit card number or any other information on a website that is not SSL/TLS encrypted. Consider downloads from unencrypted websites as compromised (malware could have been injected). Before entering/downloading data on an encrypted website, check that you are on the right domain (google.com, not giigle.com. SSL will not help if you are on a domain you do not want to talk to). Install HTTPS-Everywhere or the like. Also remember that there are other services than your webbrowser that might transmit data, such as an IMAP email client. Make sure it also only operates on encrypted connections. Nowadays, there is hardly any reason not to encrypt all your traffic, nevertheless some developers are just too lazy etc. If you need to use some application that does not support SSL or a similar security measure, then use a VPN. Note that the VPN provider will then still be able to read all your traffic which is not encrypted in addition to the encryption that the VPN provides.

yankee

Posted 2017-06-08T07:18:06.233

Reputation: 595

1

IF it is a hacking attempt, it is being enacted by someone who is ignorant. Each SSID can be protected by a password of some kind and with some kind of cryptographic strength.

Simply having another access point configured with the same name as a nearby access point is the same thing as this:

My name is Steve Smith and I've just moved into a house. And as it happens to be true, my next door neighbor's name is Steve Smith. But just because my neighbor and I have the same name, does not mean the key to my front door will work on his front door .... Nor does it mean that my door key will magically re-key itself so that it also works on his door ...

and THAT is how silly it really is in terms of looking at this from a possible hacking scenario ...

Your answers:

1) Is this a ploy at hacking?

 - Maybe, but it won't work.

2) Are they trying to use this to infiltrate my network - since I closed mine only to approved MAC addresses - thinking I will slip up and join their network?

 - They might be, but it doesn't matter, since it won't work. 

Michael Sims

Posted 2017-06-08T07:18:06.233

Reputation: 111

1Kindly provide a solution to OP not just comments – yass – 2017-06-14T15:30:20.377

0

The answer is fairly simple,
IF it isn't yours, which you can check by disabling the chromecast and your router (also make sure other APs are disabled).

If it still persists, it's most likely an attempt to monitor your traffic, in most cases it can't cause any harm, except if you use a lot of unencrypted sites (HTTP) instead of encrypted ones (HTTPS).

If you use HTTP, anything you send will be sent as plain text, meaning that if your password is "123abc" they'd be able to see "123abc" as well.

A program which is able to undermine your traffic is for example WireShark.

Marnix Mulder

Posted 2017-06-08T07:18:06.233

Reputation: 1

0

If it was a hacking ploy, the network SSID would be exactly the same as yours and open - so that you would connect to it automatically (if they had stronger signal) and you wouldn't notice.

I often do this to my neighbours at weekends when they are playing youtube on their laptop or phone after 1am - basically clone their network (only one unique SSID allowed) and put a password - it stops them as they go out of signal and come back in and they've not ever figured it out. They just think the WiFi is broken again.

If I left it open, no password - they would connect and I would be able to perform a DNS reroute or man in the middle attack and monitor their net activity or other things that might be considered illegal - sure they might tap in my router IP and see connected devices - but it doesn't happen.

As a security analyst, I would consider that a network ID such as "bestfriend" has simply made a new "BestFriend".

If it was a real hacking ploy - it would be the exact same SSID and open network and you likely wouldn't notice as you reconnected to WiFi, as likely there is autoconnect to name.

It's a very old trick - take a laptop into a coffeeshop and DNS reroute from a wireless dongle to their login site - get people's traffic.

One reason why card readers often work off the WiFi and are hard-lined to the bank - it's too easy to MiM a Starbuck's network and another few seconds to watch the image cache of every device - hotels too, that use repeaters for extended WiFi.

Esp. in USA, where some hotels do not even have a password and are very tall. Sniff that in a few seconds and even access the main desk machines or backoffice from a telephone, sometimes.

(I've had network names such as "I've seen you naked" and someone's changed theirs to "me too" and "I don't want to see you naked". Or sent messages - eg, "working shifts", so neighbours know that it's ok to party all night, but please don't wake me by knocking my door for a chat because I'll be asleep at 0800).

Some guy

Posted 2017-06-08T07:18:06.233

Reputation: 1