May have found someone riding on my wifi

So I got a newer mesh system. The system allows me to see what is hooked on to the mesh. I saw a couple of suspicious things like an Apple device and Honda Accord showing a couple of days ago. So I thought it might be something old. I deleted them to see if they reappeared. So they reappeared today.

I went into the software and blocked all new hook ups to my wifi. I need to change my passwords, but that would involve resetting all the wifi cameras and other stuff on the wifi. Probably do it this weekend.

You guys ever catch someone using your wifi? Is there anything else I can do other than changing the password?
 
Never found anyone on mine as I use a random 63 character long password for my regular wifi. Anyone who wants to use my wifi that comes over gets the guest network info, which is segregated from the regular networks and can't access anything other than the internet on it.

I also make sure to assign a static DHCP IP via MAC address for all my devices so it is very easy to see what is connected as anything outside of my regular devices gets an IP that is above 50 (x.x.x.51 is the start of my DHCP scope for guest wifi). The only thing that regularly sees my guest network is my work laptop, but I know the name of that so it is easy to exclude when I look at what is connecting to my network.

When in doubt, change the password. You should also look into setting up a guest network if you don't already have one. That way you never have to give out your regular network password to anyone and it is harder to compromise.
 
Never found anyone on mine as I use a random 63 character long password for my regular wifi.

If you're using WPA2 then it's easily cracked by means that aren't brute force (trying all possible variations).

Don't use WPA3+WPA2 or WPA3 Transition features.

Most aren't using WPA3 only and are pretty vulnerable.
 
If you're using WPA2 then it's easily cracked by means that aren't brute force (trying all possible variations).

Don't use WPA3+WPA2 or WPA3 Transition features.

Most aren't using WPA3 only and are pretty vulnerable.
Yes, but a strong password is still the next best thing as they take a considerable amount of time to brute force.

We can play a game on how hard it is to carjack someone, starting with a key or fob. At some point they simply back the wrecker up and physically take it. No technology in the world is going to prevent it, so reality sets in. What does anyone really want with a home wifi anyway? Take notice of a strange man crouched down on an outside wall of one's home.
 
Never found anyone on mine as I use a random 63 character long password for my regular wifi. Anyone who wants to use my wifi that comes over gets the guest network info, which is segregated from the regular networks and can't access anything other than the internet on it.

I also make sure to assign a static DHCP IP via MAC address for all my devices so it is very easy to see what is connected as anything outside of my regular devices gets an IP that is above 50 (x.x.x.51 is the start of my DHCP scope for guest wifi). The only thing that regularly sees my guest network is my work laptop, but I know the name of that so it is easy to exclude when I look at what is connecting to my network.

When in doubt, change the password. You should also look into setting up a guest network if you don't already have one. That way you never have to give out your regular network password to anyone and it is harder to compromise.
Sorry to hijack the post, but it seems you know a lot about this topic. What do you think about using another router to manage IOT devices?

Almost daily I check who's logged in on my pfSense router. So far no unusual activity. Yes, be sure to set up a guest network.
So you are running hardware from pfSense? I looked them up and I see the hardware is about $500 for a home pro model Netgate 2400. Was it difficult to set up? Could there be a cron job to automate new connections?

Do you own a Honda Accord?

Do you have lots of neighbors or see an accord nearby?

I saw a couple of suspicious things like an Apple device and Honda Accord showing a couple of days ago.
Unless you don't own an Apple device, it is suspicious, but if you do, I understand iPhones, at least, change their MAC address every once in a while. This can make it appear that there is a new and different device on your network when it's actually your phone.
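
Added example (not part of any post in this thread): a small triage of a router's client list that combines two points made above, the reserved-address inventory with a guest scope starting at x.x.x.51, and the fact that phones may show up with a changing MAC. The "MAC IP hostname" line format, the inventory, and every address and hostname are constructed assumptions; the randomized-MAC check relies on the locally administered bit of the first octet.

```python
# Added example: triage a router's client list against a known-device inventory.
# All MACs, IPs and hostnames below are constructed sample data.

KNOWN = {  # devices with a static DHCP reservation: MAC -> label
    "3c:22:fb:10:20:30": "living-room-camera",
    "a4:83:e7:aa:bb:cc": "family-laptop",
}
RESERVED_MAX_HOST = 50  # per the post above: x.x.x.51 and up is the guest scope

CLIENTS = """\
3c:22:fb:10:20:30 192.168.1.10 camera1
A4-83-E7-AA-BB-CC 192.168.1.11 laptop
da:a1:19:5e:01:02 192.168.1.57 iPhone
00:25:ca:12:34:56 192.168.1.58 HondaAccord
"""

def normalize(mac):
    """Lower-case, colon-separated form so inventory lookups are consistent."""
    digits = mac.lower().replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def is_randomized(mac):
    """True when the locally administered bit (0x02 of the first octet) is set."""
    return bool(int(normalize(mac)[:2], 16) & 0x02)

def triage(client_text, known=KNOWN):
    """Return [(mac, ip, hostname, verdict)] for each 'MAC IP hostname' line."""
    rows = []
    for line in client_text.splitlines():
        if not line.strip():
            continue
        raw_mac, ip, host = line.split()
        mac = normalize(raw_mac)
        if mac in known:
            verdict = "known: " + known[mac]
            if int(ip.rsplit(".", 1)[1]) > RESERVED_MAX_HOST:
                verdict += " (outside its reservation)"
        elif is_randomized(mac):
            verdict = "unknown, randomized MAC: may be a family phone, compare on the device"
        else:
            verdict = "unknown, vendor-assigned MAC: not in inventory, investigate"
        rows.append((mac, ip, host, verdict))
    return rows

if __name__ == "__main__":
    for row in triage(CLIENTS):
        print("{:17}  {:13}  {:12}  {}".format(*row))
```

A randomized MAC is not proof the device is yours; it only means the address cannot be matched to a vendor, so the comparison has to be done against the Wi-Fi address shown on each family device.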
 
Sorry to hijack the post, but it seems you know a lot about this topic. What do you think about using another router to manage IOT devices?
Certainly not a bad idea, you can segregate that router for the IOT devices and have it manage its own firewall and permissions for the devices. Or if your router supports it you can set up a separate wifi network just for the IOT devices and do the same thing. On my router I have it set up with 3 different wifi networks, 2 for my use and then the guest network. I have the guest network configured to only allow internet access, no access to any of my local network devices (wired or wireless), and it has a limited number of available addresses it can hand out via DHCP.
 
You sure you don't have a 'guest' site that is sitting there open?
This. Also set up passwords to something like HillaryclintonhasaBIGno3e. I also found that family members (daughters) would give out our WiFi passwords to friends when they came over for a visit. Kids love to share passwords.
 
I also found that family members (daughters) would give out our WiFi passwords to friends when they came over for a visit. Kids love to share passwords.

I would also note that it can be given out in more than one way, it doesn't need to be just telling them the password.

If Person 1 has Person 2's Apple ID in their contacts, and Person 1 is on your Wifi, they can be prompted to share it electronically.

 
A few things:
1. Make sure you are using WPA3, assuming all of your devices work with it, with a complex passphrase.
2. If all your devices don't support WPA3 and you have to use WPA2, enabling 802.11w (Protected Management Frames) will guard against deauth attacks (the most common type of attack against WPA2, which is used in conjunction with a wordlist to brute force the password).

Note that not all devices support 802.11w, so you may have compatibility issues with it enabled.

Note that deauth + wordlist requires your password to be in the word list, so if you've used some crazy string, the odds of it being in there begin to approach zero; this makes your network significantly more difficult to crack. B0b4anDP@77yW3nTt0V3g4$1n2014 is an example of a phrase you could probably remember, but wouldn't show up in a word list.
 
I don't have a guest wifi as we hardly have anyone coming over these days. I will make one just in case now. Do have Apple devices, but I checked the MAC addresses and the one Apple did not match anything we have. Don't see any neighbors with Accords.

I have been using the same password for years and a weak one at that. I am going to change it to something stronger. It's just a pain to reset all the cameras.
 
If you are going to be changing your password, and since you acknowledge that your current password is weak, may I suggest a method that will give you a very strong password, yet be easy to remember. It won't be anywhere near as strong as what @OVERKILL suggests, but still pretty safe. I guess you could make it as strong as you like. You will see.

Use a line, or lines, from a favorite song, one that you remember the words to, and preferably one that is long enough to give you some good security. Use the first letter from each word in the song as your password. Convert any letter i to a 1, the letter s to a $. You may also convert a few other characters, such as the letter t to a + or the letter a to @, since not all systems allow use of the $ symbol. And capitalize a character or two.

The password will end up appearing as totally random characters. For example, the first two lines of Sounds of Silence, "Hello darkness, my old friend. I've come to talk with you again.", would look like this: Hdm0f1c++wy@

Or Joy to the World by Three Dog Night. "Jeremiah was a bullfrog, was a good friend of mine. I never understood a word he said, but I helped him drink his wine.", could be Jw@bw@gf0m1nu@$wh$b1hhdhw

As required by most all security systems, the password has at least one capital letter, at least one symbol, at least one number, and of course a few lower case letters. You don't even have to remember the password, only the words of the song, and what letters are replaced with which characters.

If you are not a music lover, perhaps you memorize poems? Same thing. Favorite line out of Moby ****? Particular verses from the Bible? They all work.
 
I don't have a guest wifi as we hardly have anyone coming over these days. I will make one just in case now. Do have Apple devices, but I checked the MAC addresses and the one Apple did not match anything we have. Don't see any neighbors with Accords.

I have been using the same password for years and a weak one at that. I am going to change it to something stronger. It's just a pain to reset all the cameras.
YES. Make a guest network. Then put your IOT things, like your cameras, on the guest network. Then turn off SSID broadcasting on your private network. Then, if you have a smaller RF path, turn your SSID broadcasting power to "low" or "medium". I have mine set to low. Only put things on your private network you want to keep private. Like your home computers/laptops.

This is, of course, if your router is capable of doing these things. I think most are.
 