1

Our private network consists of a Netgear router flashed with DD-WRT, a QNAP server, a dumb 8 port switch, and a number of Ethernet connected laptops, desktops and 2 x WiFi mobile devices.

A while back, our WiFi was hacked by people with nothing better to do with their lives. We suspect our next door neighbors who work in IT but cannot prove anything - at least from a legal standpoint. Not sure if this would help anyway.

At the time, our network was secured with WPA2-AES and MAC address filtering. Even with these security measures in place, they still gained access by spoofing their MAC addresses and cracking our passwords which are always max length and contain the security industry recommended special chars / symbols, mixed case, and numbers.

These people are like cyber ghosts! I say this because we could never identify their connections from our router logs or GUI. We tried using angryip, whosonmywifi, as well as other tools but nothing worked. We spent countless hours on the phone with our ISP, had our IP changed, running tracerts for traffic routes and so forth. Despite these efforts, it was actually our Windows 10 computers that identified them on our network. We managed to obtain screenshots of their devices with manufacturer details.

Anyway, this went on for some time and after 6 months or so of playing cat and mouse with them, I factory reset all the devices in our network and decided to try WPA2-Enterprise with AES using the built-in RADIUS capability on our QNAP server. In addition, I also turned off the 5 GHz radios and lowered the TX power on the 2.4 GHz radio to 30 (although I am aware they can increase their own radio strength to overcome this). I have set the key renewal frequency to 1800 and also limited the max associated clients on the 2.4 GHz radio to 2 devices only.

Despite our best efforts, they are still hacking our network and our own mobile devices are often not able to connect or are getting bounced off the network.

We have tried everything possible and short of disabling our WiFi altogether, we do not know what to do and are therefore seeking some external advice on what our best course of action should be. While we would like to catch and expose them, we prefer to stop them from doing it altogether using the equipment and software we already have.

Through appropriate channels, I am happy to share anything to help anyone willing to help me with resolving this issue.

Please help.

tamosa
  • 11

2 Answers

1

Microsoft made the mistake in Windows 7/8/10 of using the same Network window to not only show what's really in your network, but also nearby wireless devices that you could make wireless peer-to-peer connections to. So you're seeing your neighbors' phones because you're in Wi-Fi range of them, but they aren't on your network. They're probably just capable of Wi-Fi Direct or Wi-Fi Protected Setup or related technologies Wireless Simple Config (WSC) or Windows Connect Now (WCN).

Want proof? Fully disable the Wi-Fi and Bluetooth radios on your Windows PC and plug it into your network via Ethernet. Reboot it for good measure to clear out any caches, and make sure Wi-Fi and Bluetooth are still off. With Wi-Fi and Bluetooth disabled, your PC won't be able to scan wirelessly for potential peer devices in range, and will only be able to scan your home LAN for devices that are truly on your network. I'll bet those phones don't show up now.


Edited to add: You'll also need to disable WPS (Wi-Fi Protected Setup) on all your APs, and/or disable the WCN (Windows Connect Now) service, WCNCSVC, on Windows. WPS and WCN allow the AP to find WPS-capable devices such as smartphones in radio range that you might want to put onto the network, and relay information about those devices to Windows machines that could participate on the administrator side of WCN/WPS to help get those wireless devices onto the network. So because of those technologies, even wired-only PCs may see unfamiliar nearby phones in Windows' "Network" window.

See also: Windows 10: Phones appearing in Network


You were never hacked, you were just misled by Windows' terrible UI choices. Now all the tweaks you've done to your network based on a misunderstanding have made your network unusable. Go back to pure WPA2-PSK (AES-CCMP only, no TKIP) with a strong passphrase and no MAC address filtering, full power, and no limit on simultaneous client associations.

Spiff
  • 110,156
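
An added example (not part of the answer above, and not DD-WRT's own tooling): one way to check from the router's side which devices really occupy the LAN, which is the distinction the answer draws. It assumes the contents of `/proc/net/arp` and the dnsmasq lease file were copied off the router and that the LAN bridge is named `br0`; every address and hostname below is constructed.

```python
import re

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

# Constructed sample data, not taken from the page.
SAMPLE_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.10     0x1         0x2         02:00:00:aa:00:01     *        br0
192.168.1.11     0x1         0x2         02:00:00:AA:00:02     *        br0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        br0
203.0.113.1      0x1         0x2         02:00:00:ff:00:01     *        vlan2
192.168.1.77     0x1         0x2         02:00:00:bb:00:09     *        br0
"""
SAMPLE_LEASES = """1700000000 02:00:00:aa:00:01 192.168.1.10 laptop 01:02:00:00:aa:00:01
1700000000 02:00:00:bb:00:09 192.168.1.77 * *
1700000000 02:00:00:cc:00:03 192.168.1.80 old-phone *
"""
KNOWN = ["02:00:00:aa:00:01", "02-00-00-AA-00-02"]  # your own inventory

def norm(mac):
    """Lower-case, colon-separated MAC, or None if the field is not a MAC."""
    mac = mac.strip().lower().replace("-", ":")
    return mac if MAC_RE.match(mac) else None

def parse_arp(text, iface="br0"):
    """/proc/net/arp rows: keep resolved entries (flag 0x2) on the LAN bridge."""
    seen = {}
    for fields in (line.split() for line in text.splitlines()):
        if len(fields) != 6:          # header row and blank lines drop out here
            continue
        ip, _hw, flags, mac, _mask, dev = fields
        mac = norm(mac)
        if dev == iface and mac and int(flags, 16) & 0x2:
            seen[mac] = ip
    return seen

def parse_leases(text):
    """dnsmasq lease rows: expiry, MAC, IP, hostname, client-id."""
    rows = (line.split() for line in text.splitlines())
    return {norm(f[1]): (f[2], f[3]) for f in rows if len(f) >= 4 and norm(f[1])}

def unknown_devices(arp_text, lease_text, known):
    """MAC -> (ip, hostname, currently_in_arp) for devices not in the inventory."""
    known = {norm(m) for m in known}
    arp, leases = parse_arp(arp_text), parse_leases(lease_text)
    report = {}
    for mac in sorted(set(arp) | set(leases)):
        if mac not in known:
            ip = arp.get(mac) or leases[mac][0]
            report[mac] = (ip, leases.get(mac, (None, "*"))[1], mac in arp)
    return report

if __name__ == "__main__":
    for mac, info in unknown_devices(SAMPLE_ARP, SAMPLE_LEASES, KNOWN).items():
        print(mac, *info)
```

A device that shows up in the Windows Network window but never appears here has no ARP entry or lease on the LAN. A client that spoofs a MAC from the inventory would pass this check, so it confirms presence, not identity.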
1

> Despite our best efforts, they are still hacking our network and our own mobile devices are often not able to connect or are getting bounced off the network.

Deauth attacks, which block devices from connecting to a Wi-Fi network, are easy and cheap: https://github.com/spacehuhn/esp8266_deauther

Try using 802.11w on the Wi-Fi network; at least deauth attacks are blocked.

Other flooding attacks (they don't get inside the network, but make it useless to legitimate wifi clients) are still possible.

FarO
  • 1,968