
Is my friend's wifi being leeched on?

Ataxrxes Hellnation Cursed Earth Registered User regular
My friend told me yesterday that he had received a notification from their ISP that they had been going over their 250Gb cap for the last few months and if they continued to do so that they would be charged for the overages. They had no idea that they even had a cap and their usage pattern has not changed recently so the first thing I thought of was that perhaps someone was leeching off them. They have their network password protected but we all know that is easy to circumvent for anybody who knows what they are doing. I tried to log into their router to turn on logging and check for strange ip addresses but the default password had been changed so I couldn't see anything yet (they are going to call the ISP and try to get the password info for the router).
While I suppose that it is technically possible that they could be going over unwittingly, they showed me the email from their ISP and it said that they had already used 201Gb of their 250 and the month is not even half over so that really raised a red flag. Any opinions, and/or advice on dealing with something like this?

Posts

  • Invisible Registered User regular
    If they're on Comcast, they can log on and see what their usage is currently at and what it's been at in past months. They could check that to see if their usage has actually changed significantly. It's pretty hard to hit the 250gb unless you're doing heavy, heavy downloading. I guess if you're streaming Netflix 24/7 you could also hit it.

  • Ataxrxes Hellnation Cursed Earth Registered User regular
    I think they have a pretty average usage pattern: Netflix, some minimal Xbox gaming, Facebook, Pandora etc. They don't do any downloading at all. I can see how they could hit the cap in a month possibly if they really hit the bandwidth hard but 200+ gigs in two weeks seems really excessive.

  • Pure Din Boston-area Registered User regular
    Could it be a virus?

  • bsjezz Registered User regular
    edited February 2013
    usually the default router password will be printed on the bottom of the machine (if not, you should be able to find it online). if it's been changed, the isp won't know - but there's a physical button you can hold down with a pin which resets everything to default. my suggestion would be to do that, set up a new password with WPA/WPA2 encryption and your friend should be safe.

  • Siska Shorty Registered User regular
    Run some virus scans on all of their computers. Microsoft Security Essentials and Malwarebytes are good ones.

  • Great Scott King of Wishful Thinking Paragon City, RI Registered User regular
    Yes, someone could easily be leeching. I'm guessing it's WPA2-enabled already?

    In any case, I'd change the WiFi password (and possibly the SSID too). Also, most wireless routers support MAC address filtering, add in all the devices that should be using it and turn that feature on.

    I'm unique. Just like everyone else.
  • a5ehren Atlanta Registered User regular
    Yes, someone could easily be leeching. I'm guessing it's WPA2-enabled already?

    In any case, I'd change the WiFi password (and possibly the SSID too). Also, most wireless routers support MAC address filtering, add in all the devices that should be using it and turn that feature on.

    Well if WPA2 is on, the only (realistic) way for a leech to be on there is if they were told the password. But yeah, WPA2 + MAC filtering is the strictest answer to this problem. Assuming the router is reasonably common, they can look up the default admin name/pass online by searching for the model number.

  • Ataxrxes Hellnation Cursed Earth Registered User regular
    Thanks for the suggestions. I'll see if I can find a reset switch on that router. I didn't see one originally and the default username and password was definitely changed by someone and it wasn't my friend so we'll see what's up.

  • a5ehren Atlanta Registered User regular
    edited February 2013
    Ataxrxes wrote: »
    Thanks for the suggestions. I'll see if I can find a reset switch on that router. I didn't see one originally and the default username and password was definitely changed by someone and it wasn't my friend so we'll see what's up.

    It'll probably be a pin-hole on the back or bottom.

    Also, once you regain access to the admin interface, change the settings to only have the admin console accessible via wired connections. If wireless is allowed and the default password is on, it's trivial for someone to get into it.

  • DaxterMax Registered User regular
    Some routers will list the connected devices too in their administration management control panel.
    Have a look there for any devices that are connected that could be suspicious.

    Other than that, as mentioned, change WPA2 key and lock it down by MAC addresses

    Steam | DaxterMax | Youtube
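Added example, not part of any post in this thread: one way to do the "look for suspicious devices" check once the router's client list is readable. It assumes the list can be exported in dnsmasq lease format, which not every router offers; the lease lines, the inventory and all function names are constructed for illustration.

```python
# Constructed sample of a router client table in dnsmasq lease format:
# expiry  MAC  IP  hostname  client-id   ("*" means not reported)
SAMPLE_LEASES = """\
1361000000 00:1A:2B:3C:4D:5E 192.168.1.10 living-room-xbox *
1361000300 a4:5e:60:11:22:33 192.168.1.11 laptop 01:a4:5e:60:11:22:33
1361000600 3c-d9-2b-aa-bb-cc 192.168.1.23 * *
1361000900 DA:A1:19:00:00:01 192.168.1.42 android-1234 *
"""

# Hypothetical household inventory, typed in whatever style the device labels use.
KNOWN_DEVICES = {
    "00:1a:2b:3c:4d:5e": "Xbox",
    "A4-5E-60-11-22-33": "Laptop",
}


def normalize_mac(mac):
    """Return a MAC as lowercase aa:bb:cc:dd:ee:ff, whatever separators it used."""
    digits = "".join(c for c in mac if c not in ":-.").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac):
    """True when the locally-administered bit is set (typical of randomized MACs)."""
    return bool(int(normalize_mac(mac)[:2], 16) & 0x02)


def parse_leases(text):
    """Parse lease lines into dicts, skipping lines that are too short."""
    leases = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        leases.append({
            "mac": normalize_mac(fields[1]),
            "ip": fields[2],
            "hostname": None if fields[3] == "*" else fields[3],
        })
    return leases


def find_unknown(leases, known):
    """Return leases whose MAC is not in the inventory, tagged if randomized."""
    known_macs = {normalize_mac(m) for m in known}
    return [
        dict(lease, randomized=is_locally_administered(lease["mac"]))
        for lease in leases
        if lease["mac"] not in known_macs
    ]


if __name__ == "__main__":
    for dev in find_unknown(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES):
        note = " (randomized/private address)" if dev["randomized"] else ""
        print(f'{dev["mac"]}  {dev["ip"]}  {dev["hostname"] or "<no name>"}{note}')
```

A match against the inventory only shows that the address is expected; a later post in this thread points out that MAC addresses can be cloned, so a clean list is not proof that nobody else is on the network.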
  • Raif Severance Registered User regular
    In addition to the advice from previous posters, I have mine set so that it doesn't broadcast the SSID. You can still connect manually if you know the SSID but it prevents people from knowing your wifi is there in the first place.

  • DevoutlyApathetic Registered User regular
    In addition to the advice from previous posters, I have mine set so that it doesn't broadcast the SSID. You can still connect manually if you know the SSID but it prevents people from knowing your wifi is there in the first place.

    Honestly, if this network was already secured and been compromised the only thing that might really work is the MAC address restrictions and that's if the guy hasn't already noted the "honest" MAC's on the network. I suppose if you have the option turning down the transmit power might also annoy him, or at least make it inconvenient enough for him to look elsewhere.

    If this is somebody who really knows what they're doing it'll be difficult to stop them yourself. You could try and get the police involved but that sounds like it'd be a nightmare.

    Nod. Get treat. PSN: Quippish
  • kaliyama Left to find less-moderated fora Registered User regular
    In addition to the advice from previous posters, I have mine set so that it doesn't broadcast the SSID. You can still connect manually if you know the SSID but it prevents people from knowing your wifi is there in the first place.

    Honestly, if this network was already secured and been compromised the only thing that might really work is the MAC address restrictions and that's if the guy hasn't already noted the "honest" MAC's on the network. I suppose if you have the option turning down the transmit power might also annoy him, or at least make it inconvenient enough for him to look elsewhere.

    If this is somebody who really knows what they're doing it'll be difficult to stop them yourself. You could try and get the police involved but that sounds like it'd be a nightmare.

    Getting the police involved could end in some overzealous goober seizing both your router and computer as "evidence."

  • DevoutlyApathetic Registered User regular
    kaliyama wrote: »
    In addition to the advice from previous posters, I have mine set so that it doesn't broadcast the SSID. You can still connect manually if you know the SSID but it prevents people from knowing your wifi is there in the first place.

    Honestly, if this network was already secured and been compromised the only thing that might really work is the MAC address restrictions and that's if the guy hasn't already noted the "honest" MAC's on the network. I suppose if you have the option turning down the transmit power might also annoy him, or at least make it inconvenient enough for him to look elsewhere.

    If this is somebody who really knows what they're doing it'll be difficult to stop them yourself. You could try and get the police involved but that sounds like it'd be a nightmare.

    Getting the police involved could end in some overzealous goober seizing both your router and computer as "evidence."

    Yea, that's option b for the nightmare. The other is trying to find somebody, anybody who has a damn clue what you're talking about in the police station and is willing to try and help. I'd be surprised if it ended up being a profitable path to go down but the option is there.

    Nod. Get treat. PSN: Quippish
  • JaysonFour Classy Monster Kitteh Registered User regular
    If you've been using it to connect to the internet and whatnot before you found out it'd been hacked, you might want to do at least a little preventative maintenance: find a secure computer and change passwords, security questions and the like. If this guy did your wireless, that might not be all he did to whatever was on the network. Better safe than sorry.

    I can has cheezburger, yes?
  • TetraNitroCubane Not Angry... Just VERY Disappointed... Registered User regular
    a5ehren wrote: »
    Yes, someone could easily be leeching. I'm guessing it's WPA2-enabled already?

    In any case, I'd change the WiFi password (and possibly the SSID too). Also, most wireless routers support MAC address filtering, add in all the devices that should be using it and turn that feature on.

    Well if WPA2 is on, the only (realistic) way for a leech to be on there is if they were told the password. But yeah, WPA2 + MAC filtering is the strictest answer to this problem. Assuming the router is reasonably common, they can look up the default admin name/pass online by searching for the model number.

    I just want to point out that WPA2 is easily crackable via bruteforce thanks to Reaver, if the router has WPS available/enabled. If possible, I'd shut off WPS entirely - though apparently on some routers this isn't possible on the standard firmware.

  • Ataxrxes Hellnation Cursed Earth Registered User regular
    Thanks for all the ideas. I think they are going to just change providers (their idea) so I am going to make sure that I implement a few of these when they get the new service up and running just in case.

  • a5ehren Atlanta Registered User regular
    a5ehren wrote: »
    Yes, someone could easily be leeching. I'm guessing it's WPA2-enabled already?

    In any case, I'd change the WiFi password (and possibly the SSID too). Also, most wireless routers support MAC address filtering, add in all the devices that should be using it and turn that feature on.

    Well if WPA2 is on, the only (realistic) way for a leech to be on there is if they were told the password. But yeah, WPA2 + MAC filtering is the strictest answer to this problem. Assuming the router is reasonably common, they can look up the default admin name/pass online by searching for the model number.

    I just want to point out that WPA2 is easily crackable via bruteforce thanks to Reaver, if the router has WPS available/enabled. If possible, I'd shut off WPS entirely - though apparently on some routers this isn't possible on the standard firmware.

    Yeah I forgot about WPS. Turn off WPS!
    Ataxrxes wrote: »
    Thanks for all the ideas. I think they are going to just change providers (their idea) so I am going to make sure that I implement a few of these when they get the new service up and running just in case.

    I don't think that'll fix anything? They just need to secure their network.

  • ceres When the last moon is cast over the last star of morning And the future has past without even a last desperate warning Registered User, Moderator Mod Emeritus
    Yeah, if the wireless is coming out of their own router and not the one assigned by the company, this will do literally nothing.

    If it's coming out of the company's machine, it will get them a new machine and not fix the problem of somebody trying to use their internets in ways they don't understand.

    If it's a problem with something they can't find running on their PC, back to doing literally nothing.

    And it seems like all is dying, and would leave the world to mourn
  • Akilae Registered User regular
    Not to point out the obvious, but if they've secured their router and filtered their MAC addresses, AND you've checked everything out, then is it not possible that it's an inside job? You're not entirely sure of their usage habits other than what they've told you.

  • a5ehren Atlanta Registered User regular
    Akilae wrote: »
    Not to point out the obvious, but if they've secured their router and filtered their MAC addresses, AND you've checked everything out, then is it not possible that it's an inside job? You're not entirely sure of their usage habits other than what they've told you.

    True, but it doesn't sound like they've done any of those things.

  • Ataxrxes Hellnation Cursed Earth Registered User regular
    No, they haven't done any of those things. They might just want to find a provider with a different policy regarding data usage if there is one around here, I have no idea as I have never been hassled about anything like that even though I use the same provider they do and I think my household is probably way more internet intensive than theirs. Either way, I'm going to make sure that they let me do a bunch of network securing for them.

  • amateurhour One day I'll be professionalhour The woods somewhere in Tennessee Registered User regular
    It's going to be hard to find a provider that doesn't cap you at 250 gigs these days. I don't know if UVerse caps, but I know Comcast did, and I believe Charter did as well, and Dish won't get you the same speed/quality of service.

    Step one needs to be locking down the router and putting on a MAC filter if you haven't already.

    are YOU on the beer list?
  • zerzhul Registered User, Moderator mod
    TWC didn't cap when I had it, Verizon FiOS doesn't cap afaik. I don't think Armstrong caps.

  • TehSpectre Registered User regular
    250GBs per month is huge. Unless you're pirating stuff all day, how would you even hit that cap?

  • zerzhul Registered User, Moderator mod
    constantly streaming high quality video, streaming high quality music. I've done 4GB in one day from streaming music alone. Combine that with multiple people using the connection, it's not that crazy.

  • TehSpectre Registered User regular
    I mean, going off your example, it implies that the 4gb thing is a rarity for you, but let's say it isn't and both he and his girlfriend burn 4gs each a day.

    8gs a day for 31 days is 2gs shy of 250gs and that's when we press it to extremes, because I assume that 4gb day was a weekend.

    I'm not arguing this to be a jerk, but it just sounds pretty weird to me that a 250gb cap would make them want to change providers.

    I can see a family having possible issues, but not 2 people - the fact that they think switching ISPs will fix this issue is silly, albeit moreso than being mad at the cap.

    Especially if the leecher is pirating shit and they land in hot water because of it.

  • zerzhul Registered User, Moderator mod
    I know what you mean, but when I said 4GB a day, I meant that was *just* from streaming music (and it was for roughly 10 hours of it). Streaming HD video would use a lot more. Also there's just the stigma of a cap in general. If normal people don't hit it ever, why would there be one? ;)

    Then again, that's not really the topic of this thread, so I guess I'll drop it hereafter.

  • Ataxrxes Hellnation Cursed Earth Registered User regular
    It may not be the direct topic but it does tie in with it being that the email they received from their ISP stated that they had used 200+ gigabytes in two weeks which did seem extremely high to me and was the thing that made me wonder about a possible leech in the first place. Like you were saying, I can see hitting the cap in a month possibly but in two weeks?

  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    Guys hiding the SSID and filtering MAC addresses is a stupid hassle that does nothing. If I know enough to grab a hash out of the air so I can crack the password I also know enough to grab the packets out of the air that will reveal the SSID or clone the MAC address.

    Just use a password or passphrase with sufficient entropy as to be hard to crack. Be careful about words that make sense next to each other or commonly substituted characters. The massive password dumps over the past couple years made dictionary attacks smarter. It is all about completely randomly generated passwords of at least 12 characters, or a nonsensical passphrase longer than that.
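Added example, not part of any post in this thread: a generator for the two kinds of Wi-Fi key the post above describes (a fully random password of at least 12 characters, or a longer nonsensical passphrase), with the entropy of each worked out. The alphabet choice, the tiny word list and the function names are assumptions made for the demo; the 8 to 63 character limits are those of a WPA2-PSK passphrase.

```python
import math
import secrets
import string

WPA2_MIN, WPA2_MAX = 8, 63                        # WPA2-PSK passphrase length limits
ALPHABET = string.ascii_letters + string.digits   # 62 symbols, typeable on any device

# Constructed 16-word list, far too small for real use; diceware-style
# lists have 7776 words. It is here only so the example runs offline.
DEMO_WORDS = ["anvil", "bistro", "cobalt", "dune", "ember", "fjord", "gravel",
              "harbor", "icicle", "jigsaw", "kelp", "lantern", "mosaic",
              "nectar", "orbit", "pumice"]


def random_password(length=12, alphabet=ALPHABET):
    """Password of `length` symbols, each drawn independently with a CSPRNG."""
    if not WPA2_MIN <= length <= WPA2_MAX:
        raise ValueError("WPA2 passphrases must be 8 to 63 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words, words=DEMO_WORDS, sep="-"):
    """Passphrase of independently drawn words, so no word 'makes sense' next to another."""
    phrase = sep.join(secrets.choice(words) for _ in range(n_words))
    if not WPA2_MIN <= len(phrase) <= WPA2_MAX:
        raise ValueError("passphrase does not fit WPA2's 8 to 63 characters")
    return phrase


def password_bits(length, alphabet_size):
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words, list_size):
    """Entropy in bits of a passphrase of uniformly random words."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    target = password_bits(12, len(ALPHABET))
    print(f"12 random chars: {random_password(12)}  ({target:.1f} bits)")
    n = words_needed(target, 7776)
    print(f"a 7776-word list needs {n} words ({passphrase_bits(n, 7776):.1f} bits)")
    print(f"demo phrase (weak list): {random_passphrase(6)}")
```

These figures hold only when every symbol or word is picked at random; a key a person made up, or one built from common substitutions, has far less entropy than the formula suggests.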

  • grouch993 Both a man and a number Registered User regular
    Another thing to figure out is whether someone else is using their WiFi connection or if there is some application on their machine eating bandwidth.

    Steam Profile Origin grouchiy
  • Jebus314 Registered User regular
    Guys hiding the SSID and filtering MAC addresses is a stupid hassle that does nothing. If I know enough to grab a hash out of the air so I can crack the password I also know enough to grab the packets out of the air that will reveal the SSID or clone the MAC address.

    Just use a password or passphrase with sufficient entropy as to be hard to crack. Be careful about words that make sense next to each other or commonly substituted characters. The massive password dumps over the past couple years made dictionary attacks smarter. It is all about completely randomly generated passwords of at least 12 characters, or a nonsensical passphrase longer than that.

    I think you're partially wrong here. It's all about obscurity rather than pure defense. Sure, if I know where you live and I want to hack your network, then hiding your SSID isn't really going to stop me. On the other hand if I am just some dude looking for free internet I am not going to try and scope out all of the unbroadcast networks just for kicks. I'm just going to hack the first one I see, probably with an SSID of linksys.

    "The world is a mess, and I just need to rule it" - Dr Horrible
  • Giggles_Funsworth Blight on Discourse Bay Area Sprawl Registered User regular
    Jebus314 wrote: »
    Guys hiding the SSID and filtering MAC addresses is a stupid hassle that does nothing. If I know enough to grab a hash out of the air so I can crack the password I also know enough to grab the packets out of the air that will reveal the SSID or clone the MAC address.

    Just use a password or passphrase with sufficient entropy as to be hard to crack. Be careful about words that make sense next to each other or commonly substituted characters. The massive password dumps over the past couple years made dictionary attacks smarter. It is all about completely randomly generated passwords of at least 12 characters, or a nonsensical passphrase longer than that.

    I think you're partially wrong here. It's all about obscurity rather than pure defense. Sure, if I know where you live and I want to hack your network, then hiding your SSID isn't really going to stop me. On the other hand if I am just some dude looking for free internet I am not going to try and scope out all of the unbroadcast networks just for kicks. I'm just going to hack the first one I see, probably with an SSID of linksys.

    I don't disagree, but if I'm already going to the trouble of intercepting wireless packets to get the hash for the password, spending hours cracking it or paying some money for a cluster, grabbing the packets to reveal the SSID or spoof the MAC is no big deal. If I'm just some dude looking for free internet I'm probably not going to know how to do all this.

    I think people are confusing WEP with WPA/WPA2, and vastly underestimating the skill needed to hack the latter. If a strong password is in place and WPS is disabled I'm not even aware of a viable attack to break WPA2 currently. I've got a publicly broadcasted SSID with a more than overkill password on my WPA2 network and I would be astounded if somebody with a sizable EC2 cluster was able to get on my network without my permission.

    Even as a security researcher and hacker by trade if I'm looking for free internet I'm just going to find somebody with an unprotected network, or somebody with the default SSID because they're probably using the default password too. Attempting to crack WPA2 hashes is a waste of time unless there is something on that network I want that's more important than free internet.
