My Wifi has been hacked :(

[Mutley]

So, you're using a MAC address black list. What you want is a MAC address white list, where only your known equipment is allowed to connect. Spoofing isn't going to get them very far then, or at least, you'll notice much quicker.

Then obviously change passwords/keys, etc, and don't use WEP encryption because it's a bad joke.

My thoughts exactly. The OP mention MAC address spoofing, but that doesn't sound like what is happening. OP said that he saw a MAC he didn't recognise, hence he knew somebody else was breaking in. MAC address filtering WOULD work in this case, as you describe, because then you would have to spoof the MAC from the pool allowed addresses.

Also, I don't agree that using MAC address filtering, or hiding your SSID are pointless. Yes, they can be bypassed with just a little knowledge, but they are basic preventative measures that keep the idle, less technical people out who are just looking for an easy WAP to jump on. It helps keep the opportunists away.

[watercooled]

But we're not talking about an idle, less technical person are we? Anyone who knows how to break into a WPA secured access point isn't going to be put off by these measures as I keep saying.

[ik9000]

Also, I don't agree that using MAC address filtering, or hiding your SSID are pointless. Yes, they can be bypassed with just a little knowledge, but they are basic preventative measures that keep the idle, less technical people out who are just looking for an easy WAP to jump on. It helps keep the opportunists away.

agreed, but this isn't the case here - this guy is adjusting his MAC address and seems competent enough to be able to intercept and clone a legitimate whitelisted MAC address. Given the problem limiting connections to a white list can create to legitimate users it's not necessarily the best way for everyone - e.g. if a mate brings their laptop over, it just adds hassle to get them able to connect.

[Mutley]

agreed, but this isn't the case here - this guy is adjusting his MAC address and seems competent enough to be able to intercept and clone a legitimate whitelisted MAC address. Given the problem limiting connections to a white list can create to legitimate users it's not necessarily the best way for everyone - e.g. if a mate brings their laptop over, it just adds hassle to get them able to connect.

Except that camelbitboy, the OP said :

I discovered that an unrecognised mac address was on my network, and I was only getting 2Mb rather than the 10 I should.

I recognised all the other mac addresses so went and made sure they were all turned off (2 phones, 2 other desktops, 2 laptops, Wii, PS3), refreshed the network table and was just my pc and the unknown mac address on the network. Still only 2mb speeds afetr a few minutes of monitoring.

So the intruder wasn't spoofing a known and permitted address...

[Mutley]

But we're not talking about an idle, less technical person are we? Anyone who knows how to break into a WPA secured access point isn't going to be put off by these measures as I keep saying.

Completely agree..in this case. My point is that taking basic precautions to keep out opportunists isn't a waste of time per se. It wouldn't help in this case.

[ik9000]

Ok as expected blocking his mac address just kept him out for a couple of days. Oddly once he had a connection again he didn't go anywhere, just googled a couple of pages, I assume to test connection.

So now I've changed to WPA2-AES with a some rediculous key that was a right pain in the ass to key into PS3 and Wii, and was a right faff with the number of devices I've got that can connect.

On the plus side I know its not the neighbours now as they were away this weekend when the hacker reconnected.

Wait to see how good this hacker is now with a stronger encryption and key. Cheers all for your advice.

Except that camelbitboy, the OP said :

So the intruder wasn't spoofing a known and permitted address...

I'm afraid he was manipulating his MAC address though, and it's reasonable to assume that someone who knows how to do that knows how to find a legitimate MAC address and use that if the owner is using a MAC address whitelist.

[camalbitboy]

Thanks all for the help. I know the neighbours kid and parents were away over the weekend as I was feeding their cats!

I'll keep that link to backtrack and see if I get hacked again. If they do I'll use that to do something absoloutly not malicious

If this has worked I'll leave it. I don't have the knowledge or the spare time to invest in screwing with this guy tbh.

[Zak33]

So, you're using a MAC address black list. What you want is a MAC address white list, where only your known equipment is allowed to connect. Spoofing isn't going to get them very far then, or at least, you'll notice much quicker.

that's router dependant.. but my Drakteks do that, it is a lot easier... the laptop/ps3 etc attempts to connect and I have to allow it in the first place.

Is your SSID hidden?

If not... make it public.. and change it's name to VIRUS_BOIH and see if he still wants a part of your network.

[Fraz]

If not... make it public.. and change it's name to VIRUS_BOIH and see if he still wants a part of your network.

Love it. That's a great idea!

[CAT-THE-FIFTH]

On the plus side I know its not the neighbours now as they were away this weekend when the hacker reconnected.

Most routers have limited range outside so it has to be one of your immediate neighbours?

[billythewiz]

Most routers have limited range outside so it has to be one of your immediate neighbours?

CAT is right. I wouldn't be too quick to rule out your neighbour (and their teenage son). Whoever it was they've got some IT/network skill and so setting up jobs to run overnight or while they're away (using cron for example) would be trivial.

[Kumagoro]

If they are using a directional antenna they could get a lot further

[usxhe190]

Ok as expected blocking his mac address just kept him out for a couple of days. Oddly once he had a connection again he didn't go anywhere, just googled a couple of pages, I assume to test connection.

So now I've changed to WPA2-AES with a some rediculous key that was a right pain in the ass to key into PS3 and Wii, and was a right faff with the number of devices I've got that can connect.

On the plus side I know its not the neighbours now as they were away this weekend when the hacker reconnected.

Wait to see how good this hacker is now with a stronger encryption and key. Cheers all for your advice.

Good work. Is your rediculous key a unique key? This link is a good site to generate unique keys

All the best

https://www.grc.com/passwords.htm

[billythewiz]

If they are using a directional antenna they could get a lot further

That's true, but it seems unlikely that someone would be using sophisticated hardware to occasionally steal 8Mb of download bandwidth.

I'm not saying that it is the neighbour and the fact that the intrusion continued when they were away is evidence in their favour, but I just wanted to point out that it doesn't "prove" that it's not them. Scheduling downloads is trivial compared to hacking wireless, which depending on the encryption isn't that hard. WEP is very easy to break. WPA2 is a lot harder.

The OP said

Hmm and thinking about it prime suspect is teenager next door. His dad is pretty IT clued up and the kid has learnt alot I know. Rest of the neighbours are all in their 80's so doubt its them.

I don't know the neighbour, but my feeling is that the adult is unlikely to steal a neighbour's bandwidth. They might, but it's much more likely that it's the son, who perhaps doesn't have the ability to buy a broadband upgrade. He may also not want to answer the questions about what he wants the bandwidth for. Especially if the answer to that is (incognito) downloads of porn and wares.

I wonder if the OP has considered talking to his neighbour. Something like "My wifi has been hacked, you might want to check your system. I can show you what I've done so far and you know IT so you might have further suggestions."
If it's not the neighbour then their system may well be hacked too. And if it is the son, then the IT savy neighbour may be unhappy about his son's antics.

[TheAnimus]

Someone at Uni tried doing this to a WEP access point, what they didn't realise is it was after someone had being doing something similar to a friend of mine who lived a street over.

I wouldn't recommend it as a legal defence, but I figured anything on my network could be security 'tested'

[Kumagoro]

billy, it was more to do with the immediate neighbours which I took to mean next door etc, and not
about having it do it automatically. I have a directional antenna which I got for £30 and it works
impressively well.

Saying that though getting near 10 Mbit suggests it is very close but then mine is only a 54 Mbit
and I havent tried to see how fast distance wise it can do for years so I don't know.

I think to work out who it is I would use a directional antenna and in passive mode see what
direction his packets are coming from.