Tusitala

Unauthorized Network Devices Appearing on Home Network

Hi experts

I am looking for some help to identify and resolve some security concerns with our home network where we have recently found a number of unidentified devices appearing on our network and despite knowing the physical MAC address of every device in our home, we cannot seem to pinpoint what these devices are and where they reside.

In response to the above, we have been adding the MAC address of each unidentified device to our router block list but after doing so, these same devices somehow magically reappear with new MAC addresses and it feels like we are just going round and round in circles. I have spent countless hours online researching the MAC addresses of these devices but cannot seem to find any information to help me actually identify and fix the problem once and for all.

To assist, I have enclosed some edited screenshots of the questionable devices with this post. Our home network consists of a number of common end-point devices (i.e. phones, TVs, laptops) connected to the following networking hardware:

1 x Netgear R8000 router with LAN used for all Ethernet capable devices and a separate guest WiFi network for all non-Ethernet capable devices;
1 x Linksys 8 port switch;
1 x TP Link power-line pack consisting of a powerline base and 2 extenders (WiFi is disabled on both extenders);
1 x QNAP home server with 4 x LAN ports.

The security settings of the R8000 are configured according to a myriad of typical hardening guidelines that are available online, some of which include enabling the router firewall, using access control (actively blocking all new connections), disabling UPnP, limiting DHCP addresses etc.

Please help!

masnrock

Which network are these MACS showing up on? I am assuming the wireless, but you tell us.

Also, the problem with your current layout is you are going to have to disconnect pieces in order to cut down possibilities. A managed switch would help give you an idea as far as wired goes because you could look at its MAC tables.

Is your guest wireless secured?

Tusitala

ASKER

"Which network are these MACS showing up on?"

Interestingly, these devices do not appear in our router at all until we add them to the block list.  If I log into the router right now, I cannot see the device named "Angler" which is currently showing on my Windows machine.  How we have discovered these devices has been solely through our Windows computers.  The devices appear on our network randomly, not any specific time of day or night, with random names and random MAC addresses.

Our switch is a basic one (Linksys SE4008) with no web interface.  We have also tried resetting the router, the extenders, reserving IP addresses etc but nothing seems to work!

Maybe I am missing something here?
ASKER CERTIFIED SOLUTION
masnrock

This solution is only available to members.

If your router is handing out IP addresses via DHCP, you can check the existing DHCP leases to see what is connected.

Regardless, you need to change your passwords immediately.

"Maybe they are using a static IP and connecting that way."

How can I tell?  I am pretty tech savvy and happy to share anything that can help identify and fix this problem so please tell me if there is anything I can share that would help you identify something.

"If your router is handing out IP addresses via DHCP, you can check the existing DHCP leases to see what is connected."

I get 6 LAN addresses and 2 WAN addresses.  All devices that are connected right now are recognized physical devices.  But, as I mentioned, this "Angler" device is still showing on my Windows network.

Passwords have all been changed as well.

Are there any diagnostics I can run on the router or on Windows to help?

Disable WEP and WPS (WEP key recovery takes 2GB of data monitored, WPS pin+password recovery takes 20000 packets max, usually half of that).
Update firmware and change the password (WPA2 AES only, no TKIP unless you have weird old clients like old Android 2.1 etc.).

You can use Wireshark to capture traffic and look at it that way, assuming your router doesn't isolate devices (most home routers don't).  Do a packet capture and then examine the MAC addresses and see if any don't match.
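
As an added example (not part of the original thread), the MAC comparison suggested above can be scripted: the sketch below pulls every MAC out of pasted capture text, checks it against a device inventory, and separates vendor-assigned addresses from locally administered ones, which carry no vendor prefix for an OUI lookup to find. The inventory, the sample addresses and the function names are all constructed for illustration.

```python
import re

# Constructed inventory: MACs of the devices the household owns (assumed values).
KNOWN = {"a0:04:60:11:22:33", "3c:52:82:aa:bb:cc", "00:08:9b:01:02:03"}

# Constructed sample: MACs copied out of a capture, in mixed notation.
SAMPLE = """\
a0:04:60:11:22:33
3C-52-82-AA-BB-CC
da:a1:19:5e:77:10
DA:A1:19:5E:77:10
00:1d:d8:44:55:66
ff:ff:ff:ff:ff:ff
01:00:5e:00:00:fb
not a mac
"""

MAC_RE = re.compile(r"\b[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}\b", re.I)


def normalize(mac):
    """Lower-case and use colons so both notations compare equal."""
    return mac.lower().replace("-", ":")


def classify(mac, known=KNOWN):
    first = int(mac[:2], 16)
    if first & 0x01:           # group bit: broadcast or multicast, not a device
        return "group"
    if mac in known:
        return "known"
    if first & 0x02:           # locally administered: software-assigned or
        return "unknown-local"  # randomized, so there is no vendor prefix
    return "unknown-vendor"    # vendor-assigned: an OUI lookup is meaningful


def audit(text, known=KNOWN):
    """Map every distinct MAC found in text to its classification."""
    return {mac: classify(mac, known)
            for mac in map(normalize, MAC_RE.findall(text))}


if __name__ == "__main__":
    for mac, verdict in audit(SAMPLE).items():
        if verdict.startswith("unknown"):
            print(f"{mac}  {verdict}")
```

The same function accepts the dash-separated addresses that Windows tools print, so output from the workstation and from the capture can be audited against one inventory.
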
Ok so using what has been suggested so far, we have disabled all radios and have been monitoring the network for the past 1.5 hours.  Nothing intrusive has appeared "yet" which at this point confirms the intrusion is coming from a wireless device as masnrock suggested.

What I really need to know now is:

How does an intruder appear on a LAN network when the device is actually connecting to our Guest WAN network? On the settings of our router, the option "Allow guest to see local network" is unchecked!

Is it at all possible that a VPN connected wireless device (connected through our Guest network) would cause this?

The password used for our network is a 6 word passphrase generated by the diceware system. How in the world could someone without the tools of the NSA be able to hack such a secure passphrase?

Tusitala,

The primary source of threat within any network is the authorized users.  Just because your passphrase is really complex doesn't mean someone within your household hasn't given that passphrase to someone else.  Also, there are tools out there that specifically attack wireless security.

Having said that, I can understand why that would seem like such a long shot.  Regardless, it looks like someone definitely got in.

Your question regarding a VPN - do you have VPN remote access configured on your router?

Okay so I can confirm that all VPN functionality and remote access on the router is completely disabled.  However, some of our wireless devices such as mobile phones or iPads connect to subscription-based "always on" VPN networks when they are connected to our WAN Guest Network.  I will check to see if LAN traffic is enabled on either device but even so, this still does not explain how the intruder(s) actually got through to our LAN network when these devices are connected to a Guest Network anyway. Perhaps I am missing something but isn't the purpose of a Guest Network to restrict people from accessing your main network to begin with?
SOLUTION
This solution is only available to members.

SOLUTION
This solution is only available to members.

Hi masnrock thanks for the advice.

Right now, we have disabled our WiFi until we get to the bottom of this.

As you asked, I can confirm that the router options "Allow guests to see local network" are disabled on all bands and have enclosed a screenshot of this for you.

The router security settings are all set as WPA2-PSK and WPS + pin etc are all disabled.

Tusitala,

Do you have separate VLANs configured for the guest and internal wireless networks?

Hi Joseph,

Netgear R8000 with no VLANs at all.
Will using VLAN help with my situation? I checked out this article http://kb.netgear.com/29911/Configuring-VLAN-IPTV-setup-on-your-Nighthawk-router but cannot connect the dots due to my limited expertise in this area.

Hi guys,

Given the amount of contribution from the community so far, I believe it is hardly fair for me to expect any further responses regarding my problem.  Whilst my issue is not fixed at this point, I believe the feedback we have received so far will enable us to move on to the next steps by creating a VLAN.

I propose to close this question and split the points 50/50 between Joseph and masnrock.

Please let me know if there are any objections.

Thanks very much.

No objections here.  Let me know if I can help in the future.

If you feel it appropriate, I'm fine with it as well

Thanks again guys.