So.. there was me thinking that my network was pretty kick-ass for a home user setup..
I'm running a solid Vigor router and some Cisco WAP121 access points; my Wi-Fi password is 13 characters long and won't be broken by a dictionary attack, and brute force would apparently take 83 years if you believe the interweb.
So there I am watching a film on my Samsung TV and, while watching, up pops the below:
..I don't own a desktop, let alone one with that name..
So I jump up and take a photo.. and start to panic...
I quickly grab my laptop and exactly what happened next was a bit of a blur.. but I try pinging the device.. no luck.. at this point I can only assume that they either panicked, realised they had made their presence known and disconnected, or they were just not detectable.. I had a quick scan through my router to look at the IPs that had been assigned to see if there was anything dodgy, but couldn't see anything after checking a few MACs online...
At this point I thought I'm not going to find the culprit.. and had no clue if they had found a way in through my router or Wi-Fi, or if I had a compromised device sat on my network.. I took a few key documents off my network onto a thumb drive and pulled the cable on my server, access points and my router..
I then hotspotted to my mobile and hard-wired into my network from my laptop..
Now I knew there was a DNS vulnerability on my router, as Vigor were kind enough to send out an email telling me about it and that they had a patch available.. now that's service! I had patched this a few weeks previously.. but thought, did I miss something? So I checked online again to see what the symptoms were and everything appeared fine.. and there were no new firmware updates..
I also have a PiHole set up on my network.. I thought I'd give that a look and saw a spike in DNS traffic from the TV reporting to the Samsung cloud and a few other Samsung-related sites..
Next I thought, someone can't be on my network.. can you direct-connect to my TV? Although my TV does have Wi-Fi it's not in use and it is hard-wired.. But I downloaded the app for the PC and gave it a go.. nope, it needed Wi-Fi.. So I tried Bluetooth and I could connect, but the prompt is a different prompt.. So I thought, was there an exploit on the Samsung TVs over the web, perhaps a DNS redirect to the cloud servers or something (hoping there was, as at least then I'd know someone wasn't on my LAN)? But no, nothing apart from the CIA spying, which didn't relate to my model..
So next check.. the Cisco access points.. let's look for a firmware update.. Oh, one came out in December 2017.. I wonder what was in it..
Resolved Issues: CSCvf96789 — Key Reinstallation attacks against WPA protocol
That looks like the badger! So I systematically went round updating all 3 access points, changing the SSID and making it hidden.. not that that really seems to make any difference with a bit of Wi-Fi sniffing..
So I have logging on my DrayTek setup (because I can, not because I have ever needed to use it before) and I see these interesting events.. and assume someone is stealing my MAC.. no, I think it just turns out the time on my router is out by an hour.. and that was me hooking up the hard-wired connection..
<181> 21:36:16 DrayTek: [DHCP] Vigor DHCP server has given out an IP [MAC: 5c-f9-dd-55-xx-xx, IP: 192.168.25.27]
<134> 21:51:40 DrayTek: [ARP][Arp address mismatch - Ethernet destination address doesn't match ARP target address]
So I still don't know for sure what caused my TV to do that.. I can't see anything obvious in any of the logging that shows any spoofing of MACs or how anyone got in...
But I am still concerned that my network may still be compromised and, aside from nuking the lot from space, I'm not really sure where to start!..
I want to harden my security; ideally I want to put in access restrictions where only permitted devices can gain access, ideally through a method where all requests are notified to me, and I am notified of any new IP or MAC on my network or potential sniffing attacks.. if anyone has any advice.. or ideas, they are welcome.. otherwise just enjoy the story!
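Since the post asks for a way to be told about any new MAC or IP on the network, here is an added example (not the poster's own tooling, and not a DrayTek feature) that does the detective half of that over the router's syslog. It assumes the "<PRI> HH:MM:SS DrayTek: [TAG] ..." line format shown in the two log lines above, a hand-maintained allow-list of MAC addresses, and a whole-hour clock correction for the router time being out by an hour. The sample log lines, MAC addresses and allow-list below are constructed for the demo and are not from the post.

```python
"""Audit DrayTek Vigor syslog lines for new DHCP clients, IP reuse and ARP anomalies.

Added example for this thread, not the poster's code or a DrayTek feature.
Assumes the router syslog format seen in the post and a hand-kept MAC allow-list.
Sample log lines, MACs and the allow-list are constructed for the demo.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# "<181> 21:36:16 DrayTek: [DHCP] Vigor DHCP server has given out an IP [MAC: ..., IP: ...]"
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?P<time>\d{2}:\d{2}:\d{2})\s+DrayTek:\s*\[(?P<tag>[A-Z]+)\](?P<rest>.*)$"
)
# The lease detail inside a [DHCP] event: DrayTek writes MACs with dashes.
LEASE_RE = re.compile(
    r"\[MAC:\s*(?P<mac>(?:[0-9a-fA-F]{2}-){5}[0-9a-fA-F]{2}),\s*IP:\s*(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\]"
)


@dataclass
class Event:
    facility: int          # syslog PRI // 8 (181 -> 22 = local6)
    severity: int          # syslog PRI % 8  (181 -> 5 = notice)
    time: str              # router-local HH:MM:SS exactly as logged
    tag: str               # DHCP, ARP, ...
    mac: Optional[str]     # only set for DHCP lease events
    ip: Optional[str]
    message: str


def parse_line(line: str) -> Optional[Event]:
    """Parse one syslog line; return None for lines that are not DrayTek events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    pri = int(m.group("pri"))
    rest = m.group("rest").strip()
    lease = LEASE_RE.search(rest)
    return Event(
        facility=pri // 8,
        severity=pri % 8,
        time=m.group("time"),
        tag=m.group("tag"),
        mac=lease.group("mac").lower() if lease else None,
        ip=lease.group("ip") if lease else None,
        message=rest,
    )


def corrected_time(hhmmss: str, clock_offset_hours: int) -> str:
    """Shift the logged clock by whole hours (the post's router was out by one); wraps past midnight."""
    t = datetime.strptime(hhmmss, "%H:%M:%S") + timedelta(hours=clock_offset_hours)
    return t.strftime("%H:%M:%S")


def audit(lines: Iterable[str], known_macs: Iterable[str], clock_offset_hours: int = 0) -> List[str]:
    """Return alert strings for unknown MACs, one IP leased to two MACs, and ARP mismatch events."""
    known = {m.lower() for m in known_macs}
    first_lease: Dict[str, str] = {}  # ip -> MAC that first received it in this log
    alerts: List[str] = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            continue
        when = corrected_time(ev.time, clock_offset_hours)
        if ev.tag == "DHCP" and ev.mac and ev.ip:
            if ev.mac not in known:
                alerts.append(f"{when} NEW DEVICE: unknown MAC {ev.mac} leased {ev.ip}")
            prev = first_lease.setdefault(ev.ip, ev.mac)
            if prev != ev.mac:  # same address handed to a second MAC: churn or spoofing, worth a look
                alerts.append(f"{when} IP REUSE: {ev.ip} leased to {ev.mac} after {prev}")
        elif ev.tag == "ARP" and "mismatch" in ev.message.lower():
            alerts.append(f"{when} ARP ANOMALY: {ev.message}")
    return alerts


# Constructed sample log and allow-list (MACs are made up, not the poster's).
SAMPLE_LOG = [
    "<181> 21:36:16 DrayTek: [DHCP] Vigor DHCP server has given out an IP [MAC: 02-11-22-33-44-55, IP: 192.168.25.27]",
    "<181> 21:40:02 DrayTek: [DHCP] Vigor DHCP server has given out an IP [MAC: 02-aa-bb-cc-dd-ee, IP: 192.168.25.30]",
    "<134> 21:51:40 DrayTek: [ARP][Arp address mismatch - Ethernet destination address doesn't match ARP target address]",
    "<181> 21:55:09 DrayTek: [DHCP] Vigor DHCP server has given out an IP [MAC: 02-de-ad-be-ef-01, IP: 192.168.25.27]",
    "not a syslog line",
]
KNOWN_MACS = {"02-11-22-33-44-55", "02-aa-bb-cc-dd-ee"}  # e.g. laptop and TV

if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG, KNOWN_MACS, clock_offset_hours=1):
        print(alert)
```

Point the router's syslog at a box running this (tail the file and feed lines to audit()), and wire the alerts into whatever notification you like. Two caveats: pick the sign of clock_offset_hours to match which way your router clock is actually out, and remember that a MAC allow-list and these alerts are a detective control only. MACs are trivially cloned, so the thing that actually keeps people off the Wi-Fi is the strong WPA2 passphrase plus the patched access points, not the hidden SSID or the MAC list.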