Author Topic: So yeah I think my wifi was hacked..  (Read 3872 times)

So yeah I think my wifi was hacked..
on: June 24, 2018, 22:05:21 PM
So.. there was me thinking that my network was pretty kick ass for a home user setup..

I'm running a solid Vigor router and some Cisco WAP121 access points, my Wifi password is 13 characters long and won't be broken by dictionary attack and brute force would apparently take 83 years if you believe the interweb.

So there I am watching a film on my Samsung TV and while watching up pops the below:



..I don't own a desktop, let alone one with that name..

So jump up and take a photo.. and start to panic...  :panic:

I quickly grab my laptop and exactly what happens next was a bit of a blur.. but I try pinging the device.. no luck.. at this point I can only assume that they either panicked and realised they had made their presence known and disconnected or they were just not detectable.. I had a quick scan through my router to look at IPs that had been assigned to see if there was anything dodgy, but couldn't see anything after checking a few MACs online...

At this point I thought I'm not going to find the culprit.. and had no clue if they had found a way in through my router, wifi or if I had a compromised device sat on my network.. I took a few key documents off my network on to a thumb drive and pulled the cable on my server , access points and my router..

I then hot spotted to my mobile and hard wired in to my network from my laptop..

Now I knew there was a DNS vulnerability on my router, as Vigor were very kind to send out an email telling me and that they had a patch available.. now that's service! I had patched this a few weeks previously.. but thought did I miss something.. so checked online again to see what the symptoms were and everything appeared fine.. and no new firmware updates..

So I also have a PiHole setup on my network.. I thought I'd give that a look and saw a spike in DNS traffic from the TV reporting to Samsung cloud and a few other Samsung related sites..

Next I thought, someone can't be on my network.. can you direct connect on my TV? Although my TV does have wifi it's not in use and is hard wired.. But downloaded the app for the PC and gave it a go.. nope, it needed wifi.. So I tried bluetooth and I could connect, but the prompt is a different prompt.. So thought was there an exploit on the Samsung TVs over the web, perhaps a DNS re-direct to the cloud servers or something (hoping there was at least then I knew someone wasn't on my LAN) But no, nothing apart from CIA spying which didn't relate to my model..

So next check.. the Cisco access points.. let's look for a firmware update.. Oh one came out in December 2017.. I wonder what was in it..

Resolved Issues:
CSCvf96789 — Key Reinstallation attacks against WPA protocol

That looks like the badger! So systematically went round updating all 3 access points, changing the SSID and making it hidden.. not that that really seems to make any difference with a bit of wifi sniffing..

So I have logging on my Draytek setup (because I can, not because I have needed to ever use it before) and I see these interesting events.. and assume someone is stealing my MAC.. no I think it just turns out the time on my router is out by an hour.. and that was me hooking up the hardwired connection..

<181>   21:36:16   DrayTek:   [DHCP] Vigor DHCP server has given out an IP [MAC: 5c-f9-dd-55-xx-xx, IP: 192.168.25.27]
<134>   21:51:40   DrayTek:   [ARP][Arp address mismatch - Ethernet destination address doesn't match ARP target address]

So I still don't know for sure what caused my TV to do that.. I can't see anything obvious in any logging that shows any spoofing of MACs or how anyone got in...

But I am still concerned that my network may still be compromised and aside nuking the lot from space I'm not really sure where to start!..

I want to harden my security, ideally I want to put in access restrictions where only permitted devices can gain access, ideally through a method of all requests are notified to me, and I am notified of any new IP or MAC on my network or potential sniffing attacks.. if anyone has any advice.. or ideas they are welcome.. otherwise just enjoy the story!
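Added example (not part of the original post, and not DrayTek's own tooling): a small Python check that reads syslog lines in the layout of the two DrayTek entries quoted above and flags DHCP leases to MACs outside an allowlist, an IP moving to a different MAC, and ARP mismatch events. The allowlist, the sample log and every MAC/IP in it are constructed, and the line layout is assumed from those two quoted entries.

```python
import re

# Constructed allowlist of known devices; replace with your own inventory.
KNOWN_MACS = {"02-00-00-aa-bb-01", "02-00-00-aa-bb-02"}

# Line layout assumed from the two DrayTek entries quoted in the post.
LINE_RE = re.compile(r"^<(?P<pri>\d+)>\s+(?P<time>\d\d:\d\d:\d\d)\s+DrayTek:\s+(?P<msg>.*)$")
DHCP_RE = re.compile(r"\[DHCP\].*\[MAC:\s*(?P<mac>[0-9A-Fa-f-]{17}),\s*IP:\s*(?P<ip>[\d.]+)\]")

# Constructed sample log (MAC and IP values are made up for the example).
SAMPLE_LOG = """\
<181>   21:36:16   DrayTek:   [DHCP] Vigor DHCP server has given out an IP [MAC: 02-00-00-aa-bb-01, IP: 192.168.25.27]
<181>   21:40:02   DrayTek:   [DHCP] Vigor DHCP server has given out an IP [MAC: 02-00-00-cc-dd-99, IP: 192.168.25.40]
<134>   21:51:40   DrayTek:   [ARP][Arp address mismatch - Ethernet destination address doesn't match ARP target address]
<181>   21:55:10   DrayTek:   [DHCP] Vigor DHCP server has given out an IP [MAC: 02-00-00-aa-bb-02, IP: 192.168.25.27]
"""

def parse_line(line):
    """Split one syslog line; PRI = facility * 8 + severity (RFC 3164)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m["pri"])
    return {"facility": pri >> 3, "severity": pri & 7,
            "time": m["time"], "msg": m["msg"]}

def review(lines, known=frozenset(KNOWN_MACS)):
    """Return (time, kind, mac, ip) alerts for events worth a second look."""
    alerts, ip_owner = [], {}
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        lease = DHCP_RE.search(ev["msg"])
        if lease:
            mac, ip = lease["mac"].lower(), lease["ip"]
            if mac not in known:
                alerts.append((ev["time"], "unknown-mac", mac, ip))
            if ip_owner.get(ip, mac) != mac:
                alerts.append((ev["time"], "ip-reassigned", mac, ip))
            ip_owner[ip] = mac
        elif ev["msg"].startswith("[ARP]"):
            alerts.append((ev["time"], "arp-anomaly", None, None))
    return alerts

if __name__ == "__main__":
    for alert in review(SAMPLE_LOG.splitlines()):
        print(alert)
```

A MAC allowlist only works as a tripwire for unfamiliar devices, since a MAC address can be cloned; lines with a masked MAC such as the one quoted in the post are skipped by the lease pattern.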



  • Offline Clock'd 0Ne

  • Clockedtastic
  • Posts: 10,937
  • Administrator
  • Hero Member
Re: So yeah I think my wifi was hacked..
Reply #1 on: June 25, 2018, 06:40:56 AM
I'd still be looking at the TV as the problem here, Smart TVs/DLNA seem to broadcast themselves and are probably very easy to hack in this IoT world. Seems like an overkill setup for a home network with a few devices, would a smoothwall/Pi equivalent box not give you the configurability you need?

Re: So yeah I think my wifi was hacked..
Reply #2 on: June 25, 2018, 10:04:12 AM
I'll take a look further in to the TV side of things, it may be possible to force a connection over wi-fi direct, I'll see if I can replicate the same issue..

TBH the network isn't that overkill, I rely on the internet for a lot of things and an unstable network was causing me issues, so the router gives me a solid connection, 3G fail over for my smart home kit and decent and secure VPN access.. The Cisco APs are only their baby SOHO APs, so not that expensive but incredibly stable and support POE..

I don't think smoothwall would give me much more than the Vigor in terms of functionality perhaps more logging and would need to run on hardware with multiple NICs and throughput to support the fiber connection which the Pi wouldn't be able to provide.. but if there is functionality you think I could use then open to ideas, might set it up on a VM and see what it can do, I've not played with it in a long time..

I need to look in to VLANs properly to see if that will be any use in my situation, but I think this will end up segregating devices that will still need to speak to each other..

Re: So yeah I think my wifi was hacked..
Reply #3 on: June 25, 2018, 20:30:51 PM
So.. after all the panic.. turns out that my TV can be used as a WiDi device and as such the device requesting access does not need to be on the same wifi network and can just request access!

My personal laptop doesn't support WiDi, but my work laptop does so was able to test it..

So although annoying, it doesn't look like my network has been compromised..

However glad at least that it prompted me to update my wifi firmware!

And I'd like to at least have a little more monitoring/security in my local network..
Last Edit: June 25, 2018, 20:32:31 PM by XEntity

Re: So yeah I think my wifi was hacked..
Reply #4 on: June 26, 2018, 06:41:41 AM
That reminds me, I really should update the firmware on my Cisco WAP after that Key Reinstallation attack was revealed...

  • Offline Serious

  • Posts: 14,467
  • Global Moderator
  • Hero Member
Re: So yeah I think my wifi was hacked..
Reply #5 on: June 27, 2018, 19:36:22 PM
Now imagine someone with absolutely no idea of computing trying this..

IoT is bad and most potential users have no fecking idea :(

Re: So yeah I think my wifi was hacked..
Reply #6 on: June 28, 2018, 18:16:37 PM
Now imagine someone with absolutely no idea of computing trying this..

IoT is bad and most potential users have no fecking idea :(

Most people even with a good idea of computing don't even have a chance! I had a fair amount of logging in place, but these were not default enabled options.. and 99% of consumer grade equipment wouldn't even have that option.

IMHO firmware updates should be automatic, with an option to disable if needed for more controlled environments.. I have a lot of wired and wireless devices on my network and keeping them all up to date is a task in itself..

But IoT is generally a mess anyway, many devices having default passwords left in place, telnet ports open, development backdoors or being susceptible to DNS / man in the middle attacks.. or firmware just not being maintained for the period of its actual usable life (Especially TVs!).

Re: So yeah I think my wifi was hacked..
Reply #7 on: July 05, 2018, 15:41:04 PM
Most of my stuff auto updates. Well, the Ubiquiti stuff does anyway.
The HP Switches are a PITA, and my router is well out of support, but it is rock stable so reluctant to change it.

Re: So yeah I think my wifi was hacked..
Reply #8 on: July 06, 2018, 08:47:31 AM
I think I’m going to end up moving to Ubiquiti at least for the APs, the Ciscos don’t do roaming handoff which can be annoying and the functionality seems much better.. I’m moving in about a month, and will probably upgrade then just need to work out logistics of running network cables
