Question: WiFi blocking detection?

Apr 6, 2024
Hello, Tom's Hardware community. I am humbly posting in search of some answers or guidance with a situation that has been ongoing with my wireless network for over a week:
  • I have a Linksys E8450 that is running OpenWRT. I have configured the device to address a CIDR of /16, and set the limit on IP address assignment at 65534 addresses. I have not changed the number of connected devices on my network in many months; there are 82 devices connected (but I like to use multiple subnets in order to keep things well organized and simple to read). Each of my devices has been set up with a static IP address reservation.
  • I have 3 Netgear WAX610 access points hooked up to a switch whose uplink is directly wired to my E8450
    • These are indoors, with two APs broadcasting on both 5GHz and 2.4GHz, and the remaining AP is on 2.4GHz only
  • I have 1 Netgear WAX610Y outdoor access point hooked up to the same switch
    • This is only broadcasting on 2.4GHz
  • I have 18 "smarthome" devices such as WiFi LED bulbs [lamps] (Tasmota and Sengled), 4 Shelly 1PM "smart" relays, 1 Shelly Dimmer2, 1 Shelly Plus One, an Aqara Home FP2 presence detection sensor, and 1 Sonoff SNZB06P connected via Zigbee to a Sonoff ZBridge-P
    • All of these "smarthome" devices operate in the 2.4GHz spectrum
This week I have experienced what I believe to be a Denial of Service attack in which the connectivity of many or all of my devices is interrupted. This includes devices on both 5GHz and 2.4GHz. At the same time as my connectivity is interrupted, I receive a password prompt on my laptop to re-authenticate with my network. This had never happened before it began just over a week ago.
  • My laptop is a Dell G15 5578 with an Intel AX210 card, and it is running Linux Mint 21.3 Cinnamon edition
  • None of the hardware in my network has changed at any point coincident to the issue
When the interruption happens, most, if not all, of my "smarthome" devices are disconnected along with my laptop, and I assume other devices on my network are experiencing disconnects as well. I am unable to reconnect these without power cycling them. I believe that someone is operating a WiFi Pineapple or similar "evil twin wifi" device, and attempting to get the password to my network.

Tonight, while looking in my router to forward a port to my WireGuard server that I set up, I noticed a device on my activity list that did not have a static IP assigned. I looked up the MAC address and found that the database returned no results for a manufacturer claiming this MAC address. I double checked to ensure that 802.11w was enabled on all of my routers/APs. I adjusted the DHCP server settings to disable dynamic addressing and to force the DHCP server even if another DHCP server is connected, and rebooted the router along with all of my APs. I notified everyone who is a part of my network of what has been going on, and asked them not to enter the password if a disconnect prompts them to re-enter credentials. I have also informed them that this device is unknown, but if it is something legitimate that is no longer able to connect, to please let me know of the issue so that I can properly add a static IP reservation for the unknown device. No one has reported any issues of being unable to get connected apart from the temporary interruptions described above, so I believe this device was not from within my household.

I noticed that sometimes when this happens, my 5GHz APs jump to a different channel. I do not believe this is due to RADAR due to the fact that my network setup has been the same for multiple years without similar happenstance, and the fact remains that this would not interrupt any of my 2.4GHz only devices such as the "smart" bulbs, etc.

I am writing with the hopes that someone here may be able to assist me with detecting whether there are deauth packets being sent somehow that are able to circumvent the 802.11w mitigation, and seeking guidance on detecting an evil twin wifi attack, or perhaps some type of jammer that is being used and causing my devices to get knocked off. I am willing to spend some money in order to find a resolution to this, but I am not sure of the best way, or even where to begin, though I do have some technical ability. I own a Flipper Zero, if that can aid in detecting a wifi evil twin. I have done some scans to look for any additional APs that have the same name as mine, but haven't had much success due to the intermittent nature of the disconnects. I have noticed, however, that there is a network that seems to be close to me called "Home Swee Pineapple", which I wonder could be a reference to the WiFi Pineapple. I humbly ask, if you have knowledge that can help me investigate this, that you please give me some assistance with detecting this type of attack, as I'm a bit out of my depth here. I have filed a complaint with the FCC, but I am not sure if they will take it seriously, or if they will have the ability to expend the necessary resources to detect such an attack here when the nature of the (alleged) attack is intermittent. I believe that if I am able to provide more information, or if I can find the source of the interference, I can provide this information to the FCC in the hopes of a swift resolution. If you read all of this, I thank you for your patience and your time, and invite you to chime in with any suggestions or information that you can share that might be helpful in resolving this.


Blessings,
-momentarylegacy
 
I also have a Linksys E8450 on OpenWRT. It's one of the very few AX devices with 3rd party firmware.

Deauth packets aren't always sent to get clients to connect to an evil twin or to try to hack your password. Sometimes it is just a bad neighbor who really doesn't like you, or is trying to clear people off a channel. The FCC fined Marriott hotels $600,000 for using them to block tethered personal hotspots, to force their guests to buy WiFi from them. Presumably someone could use it to make security cameras they feel are pointed at them malfunction; I mean, modern burglars already carry jammers for this, and deauthing every MAC address in range is kind of the same thing (I don't know why more people don't use wired PoE cameras). It's kind of the modern equivalent of setting Beacon Interval=1ms to ruin WiFi for everybody around.

Given that the MAC addresses are spoofed, you pretty much have to walk around while looking at the RSSI of your MAC addresses in Wireshark, with the filter (wlan.fc.type == 0) && (wlan.fc.type_subtype == 0x0c). I mean, you know where your devices are, but if something down the street is sending out deauth packets with your MAC addresses... You'd be much more likely to get results from the FCC or FBI (DoS is listed as an "other cyber crime") if you can give them an address, because all they'd have to do is park their truck in front of it to verify your claim.

You could use a Deauth Detector to determine a good time to go walking around the neighborhood.
 
It is likely just interference. There is a massive amount of WiFi being used. You yourself are likely attempting to use all the possible radio bandwidth on all the radio bands. Unless you live on some very large farm, you likely have many neighbors trying to use the same bandwidth. Even your own equipment likely interferes with itself to some extent.

Your problem might just be that someone does not like the fact that you are using so much radio bandwidth and interfering with them, so they retaliate.

First, try to set everything up on fixed radio channels so you know where everything is. This will mean you can't use the channels that are not actually public. On most devices the only way to use those is to set the router/AP to auto, but this also means that if the AP for whatever reason thinks there might be other licensed traffic (like weather radar) it might switch channels or reduce the radio power. It is the risk you take when you attempt to borrow bandwidth not allocated to public use.

I doubt someone has compromised the new encrypted management packets, BUT you need to be sure your devices are actually using it. Although not really new, many devices targeting the home market do not support it yet. Things like your fancy light bulbs are even more of a risk for someone actually hacking into your network. Most of those devices can only be configured via WPS, which was cracked almost before it was implemented. Some router manufacturers partially mitigated this, but it only slows the attack down; the neighborhood kid can just leave his cell phone running all night and get in. You really need to completely disable WPS, but then many of the stupid/smart devices will not work.

Most deauthentication attacks are harassment more than hacking. I am somewhat surprised it took them as long as it did to try to fix it. I remember this being discussed in Cisco WiFi certification training I had more than 20 years ago. It is partially why commercial networks do not use pre-shared keys.

Since you have multiple networks, I would take your network of garbage things you cannot actually secure and put them on their own subnet. Firewall that from everything else and strictly control what can go in and out. This does not, though, stop someone who wants to harass you from turning your smart lights on and off if they really wanted to. WPS is a massive security hole.

For your other stuff you might consider using enterprise mode. This is old enough that almost all devices support it. Someone could still deauthenticate you, but you cannot use that method to actually hack the network.

You could also look at using WPA3. I am not sure if the encrypted management frames are different, but the key exchange has been changed so that you cannot attack it. I know WPA3 support is required on WiFi 6E. What I don't know is if it is required only for the 6GHz radio band or what. Most devices support it on all three bands. BUT you now have to have new devices, and all those smart devices will never support it because WPS does not work with WPA3.

The police/government ignore much worse crimes even when there is, say, video proof. You are going to have to be a hacker yourself before the FCC is even going to think about doing something. Get a WiFi capture device yourself and set it to capture any deauthentication frames. You are still going to have a massive issue finding the actual device doing it. Kids a few years back took $10 Raspberry Pi devices and hid a bunch of them on a college campus. Most were never found until well after the batteries died.
 
> It is likely just interference. There is a massive amount of WiFi being used. You yourself are likely attempting to use all the possible radio bandwidth on all the radio bands. Unless you live on some very large farm, you likely have many neighbors trying to use the same bandwidth. Even your own equipment likely interferes with itself to some extent.

Hi Bill! Thank you for your reply, I believe you may be correct about generating some interference. I'm not sure, though - while the 2.4GHz band is awfully cluttered, I do not have any issues with that under normal circumstances. I've lived here for multiple years and have had smooth sailing here. Additionally, the channels that I am using in 5.4GHz are ones that I have determined no one else is using - CH52, CH100, CH116, CH132 are all clear and have no neighbors.

> Your problem might just be that someone does not like the fact that you are using so much radio bandwidth and interfering with them, so they retaliate.

This may be the issue, or at least part of it.

> First, try to set everything up on fixed radio channels so you know where everything is. This will mean you can't use the channels that are not actually public. On most devices the only way to use those is to set the router/AP to auto, but this also means that if the AP for whatever reason thinks there might be other licensed traffic (like weather radar) it might switch channels or reduce the radio power. It is the risk you take when you attempt to borrow bandwidth not allocated to public use.

That is a great suggestion! I used to have everything on auto, but I set this up so that I am using static channels shortly after moving in due to the interference on 36 and 149. I understand that RADAR is an issue with 5GHz, but I thought that my 2.4GHz channels wouldn't be taken down by this as well. As many of my devices are on 2.4GHz, their disconnection lends to my thinking that there is something else going on. I also believe that it's unlikely that RADAR is an issue or a factor, as I've limited my APs' radio power such that the 5GHz signal does not reach outdoors, and that has worked well for me up until this point - there have been zero issues with 5GHz until now.

> I doubt someone has compromised the new encrypted management packets, BUT you need to be sure your devices are actually using it. Although not really new, many devices targeting the home market do not support it yet. Things like your fancy light bulbs are even more of a risk for someone actually hacking into your network. Most of those devices can only be configured via WPS, which was cracked almost before it was implemented. Some router manufacturers partially mitigated this, but it only slows the attack down; the neighborhood kid can just leave his cell phone running all night and get in. You really need to completely disable WPS, but then many of the stupid/smart devices will not work.

I appreciate that suggestion; we do not use WPS here, and I am in the process of switching over to Tasmota powered stuff here for better local control. Maybe there is something that I can do with the firmwares to help secure things more.

> Most deauthentication attacks are harassment more than hacking. I am somewhat surprised it took them as long as it did to try to fix it. I remember this being discussed in Cisco WiFi certification training I had more than 20 years ago. It is partially why commercial networks do not use pre-shared keys.

I totally agree, I feel that this is probably more of a nuisance than it is a threat, as 99% of my network traffic is encrypted anyway.

> Since you have multiple networks, I would take your network of garbage things you cannot actually secure and put them on their own subnet. Firewall that from everything else and strictly control what can go in and out. This does not, though, stop someone who wants to harass you from turning your smart lights on and off if they really wanted to. WPS is a massive security hole.

I would like to do this, but I am a bit dumb when it comes to VLANs and such. I would really like to understand better how to use them.

> For your other stuff you might consider using enterprise mode. This is old enough that almost all devices support it. Someone could still deauthenticate you, but you cannot use that method to actually hack the network.

Interesting. Is this in the key authentication method, or something like RADIUS?

> You could also look at using WPA3. I am not sure if the encrypted management frames are different, but the key exchange has been changed so that you cannot attack it. I know WPA3 support is required on WiFi 6E. What I don't know is if it is required only for the 6GHz radio band or what. Most devices support it on all three bands. BUT you now have to have new devices, and all those smart devices will never support it because WPS does not work with WPA3.

I wish that I could use WPA3, but in my usage of it in the past, I was unable to connect some of my devices.

> The police/government ignore much worse crimes even when there is, say, video proof. You are going to have to be a hacker yourself before the FCC is even going to think about doing something. Get a WiFi capture device yourself and set it to capture any deauthentication frames. You are still going to have a massive issue finding the actual device doing it. Kids a few years back took $10 Raspberry Pi devices and hid a bunch of them on a college campus. Most were never found until well after the batteries died.

Yeah, I agree with you here also, it's rather sad. My local courthouse just released someone on their own recognizance after stabbing someone. I had a fleeting moment of wanting to run for the judge's seat. Anyway, I really appreciate your suggestions and replies, and will attempt to do some of what you have suggested here. I have also taken BFG-9000's advice and ordered myself a deauth detector, but maybe a capture device would be a good idea as well.

Blessings,
-momentarylegacy
 
I am somewhat surprised you can set those channels. Every channel you list is in the restricted range (on 5GHz). Most routers will not allow manual setting due to FCC rules. The only ones that are not restricted are 32-48 and 149-165. This is why you see most people using these. Many end devices do not support the restricted channels.

In addition, you have to be very careful when you look at what channels the scanner software thinks are in use. Many times there is no way to tell if a router is using a 20MHz channel or a 160MHz channel... or running both at the same time.

Since WiFi 6 came out and started using 160MHz radio bands, it has made the 5GHz band even more overcrowded.

Interference on 2.4GHz is even more of an issue. Using the common 40MHz of radio bandwidth, it is impossible to fit 2 signals into the 60MHz total available. Also, 2.4GHz has many other things that you will not see with a WiFi scanner because they are not running WiFi but are using the same radio bands. An old one used to be cordless phones, but you have proprietary security cameras, baby monitors, home weather stations and even some drone control systems. Everyone is stomping on each other.

Enterprise mode is basically that, a RADIUS server. I am pretty sure even a Raspberry Pi can run RADIUS.

I have no idea what that device you talk about that detects deauth is. Likely it is just some overpriced version of a wireless sniffer.

I have not done wireless capture in years. All the actual traffic is encrypted, and it is using extremely complex data encoding like MIMO, so it does not really pay to even try. The beacon and other management frames, though, are easy to capture because they are simple and were not encrypted until recently.

The first thing you needed was a WiFi chipset that you could put in promiscuous mode. Then you needed a non-Microsoft OS. Microsoft blocked that command to the chipset even if it supported it... like a real hacker is going to use Windows as their platform.
After that it is pretty easy. You run Wireshark and type in a capture filter to get the packets you want, like deauthentication packets with MAC addresses that match your router's MAC. The part that would be tricky is if you wanted Wireshark to capture an actual data exchange and you already have the session keys (this is what they were trying to get with the fake deauthentication attack). You could then key in the session key and Wireshark would decode the traffic.

You would first have to dig around to see which WiFi chipsets can be used for capture, but then any old machine running Linux would likely work. I know you can also do it on some Raspberry Pis, but I don't know which ones and if you have to do special stuff.
 
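The capture advice in BFG-9000's post (walk around watching the RSSI of deauth frames that carry your MAC addresses, Wireshark filter wlan.fc.type_subtype == 0x0c) and in Bill's post above (capture deauthentication frames whose MAC addresses match your router) can be turned into a small offline detector. The following is an added example, not code from either poster or from the thread: it parses radiotap-framed 802.11 records the way a pcap reader hands them over, applies the same subtype test as the Wireshark filter (plus disassociation, subtype 0x0a), and keeps only the unprotected deauth/disassoc frames that name one of your BSSIDs. With 802.11w set to "required", a genuine deauth from the AP is always protected (CCMP on unicast, a BIP MMIE on broadcast), so an unprotected one claiming your BSSID was injected by somebody else. The BSSIDs, client MACs and the capture itself are constructed placeholders, not values from the thread.

```python
"""Detect forged 802.11 deauth/disassoc frames in a monitor-mode (radiotap) capture."""
import struct
from collections import defaultdict

# BSSIDs of our own APs. Assumed values for this example; substitute the real ones.
AP1, AP2 = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02"
OUR_BSSIDS = {AP1, AP2}
BROADCAST = "ff:ff:ff:ff:ff:ff"

MGMT = 0                        # frame-control type 0 = management
DISASSOC, DEAUTH = 0x0A, 0x0C   # subtypes (Wireshark: wlan.fc.type_subtype == 0x0c)
PROTECTED_FLAG = 0x40           # "Protected Frame" bit in the second frame-control byte
MMIE_ID, MMIE_LEN = 76, 16      # Management MIC IE carried by BIP-protected group frames

# Radiotap fields this parser walks: present bit -> (size, natural alignment).
RADIOTAP_FIELDS = {0: (8, 8), 1: (1, 1), 2: (1, 1), 3: (4, 2),   # TSFT, Flags, Rate, Channel
                   4: (2, 2), 5: (1, 1), 6: (1, 1), 7: (2, 2)}   # FHSS, dBm sig, dBm noise, lockq
DBM_SIGNAL_BIT = 5


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def mac_bytes(text):
    return bytes.fromhex(text.replace(":", ""))


def parse_radiotap(buf):
    """Return (radiotap length, RSSI in dBm or None). Fields follow the present
    bitmap(s) in bit order, each padded to its natural alignment from header start."""
    _ver, _pad, it_len = struct.unpack_from("<BBH", buf, 0)
    present = struct.unpack_from("<I", buf, 4)[0]
    off, word = 8, present
    while word & (1 << 31):                 # bit 31: another present word follows
        word = struct.unpack_from("<I", buf, off)[0]
        off += 4
    rssi = None
    for bit in range(31):
        if not present & (1 << bit):
            continue
        if bit not in RADIOTAP_FIELDS:      # unknown field size: cannot keep walking
            break
        size, align = RADIOTAP_FIELDS[bit]
        off = (off + align - 1) // align * align
        if bit == DBM_SIGNAL_BIT:
            rssi = struct.unpack_from("<b", buf, off)[0]
        off += size
    return it_len, rssi


def has_mmie(body):
    """Under 802.11w a broadcast deauth from the AP does not set the Protected bit;
    it is BIP-protected by an MMIE (ID 76, length 16) appended after the reason code."""
    return (len(body) >= 2 + 2 + MMIE_LEN and body[-(MMIE_LEN + 2)] == MMIE_ID
            and body[-(MMIE_LEN + 1)] == MMIE_LEN)


def parse_frame(buf):
    """Split one capture record (radiotap + 802.11 header) into what the detector needs."""
    it_len, rssi = parse_radiotap(buf)
    h = buf[it_len:]
    ftype, subtype = (h[0] >> 2) & 0x3, h[0] >> 4
    is_deauth = ftype == MGMT and subtype in (DEAUTH, DISASSOC)
    protected = bool(h[1] & PROTECTED_FLAG) or (is_deauth and has_mmie(h[24:]))
    reason = struct.unpack_from("<H", h, 24)[0] if is_deauth and not protected else None
    return {"type": ftype, "subtype": subtype, "protected": protected, "rssi": rssi,
            "da": mac_str(h[4:10]), "sa": mac_str(h[10:16]), "bssid": mac_str(h[16:22]),
            "reason": reason}


def find_forged_deauths(records, our_bssids=OUR_BSSIDS):
    """records: iterable of (timestamp, raw bytes) as read from a radiotap pcap.
    Keeps unprotected deauth/disassoc frames naming one of our BSSIDs and returns
    stats per claimed transmitter (the address is spoofed; the RSSI is what you follow)."""
    hits = defaultdict(lambda: {"ts": [], "rssi": [], "targets": set(), "reasons": set()})
    for ts, buf in records:
        f = parse_frame(buf)
        if f["type"] != MGMT or f["subtype"] not in (DEAUTH, DISASSOC) or f["protected"]:
            continue
        if not {f["sa"], f["da"], f["bssid"]} & our_bssids:
            continue                                        # someone else's network
        h = hits[f["sa"]]
        h["ts"].append(ts)
        h["targets"].add(f["da"])
        h["reasons"].add(f["reason"])
        if f["rssi"] is not None:
            h["rssi"].append(f["rssi"])
    report = {}
    for sa, h in hits.items():
        n, span = len(h["ts"]), max(h["ts"]) - min(h["ts"])
        report[sa] = {"count": n, "rate_per_s": round((n - 1) / span, 1) if span > 0 else None,
                      "targets": sorted(h["targets"]), "reasons": sorted(h["reasons"]),
                      "rssi_max": max(h["rssi"]) if h["rssi"] else None}
    return report


def build_record(rssi, subtype, da, sa, bssid, protected=False, mmie=False, reason=7):
    """Constructed record: radiotap (TSFT, Flags, Rate, Channel, dBm signal) + mgmt frame."""
    fields = struct.pack("<QBBHHb", 0, 0, 12, 2437, 0x0480, rssi)        # channel 6
    radiotap = struct.pack("<BBHI", 0, 0, 8 + len(fields), 0b101111) + fields
    header = (struct.pack("<BBH", (subtype << 4) | (MGMT << 2), PROTECTED_FLAG if protected else 0, 0)
              + mac_bytes(da) + mac_bytes(sa) + mac_bytes(bssid) + struct.pack("<H", 0))
    if protected:                 # CCMP header + encrypted reason + MIC (placeholder bytes)
        body = bytes(18)
    else:
        body = struct.pack("<H", reason) + (bytes([MMIE_ID, MMIE_LEN]) + bytes(MMIE_LEN) if mmie else b"")
    return radiotap + header + body


LAPTOP, BULB = "11:22:33:44:55:66", "77:88:99:aa:bb:cc"
OTHER_AP, OTHER_STA = "de:ad:be:ef:00:01", "de:ad:be:ef:00:02"


def sample_capture():
    """Constructed capture, not a real one: two legitimate 802.11w deauths from AP1
    (unicast CCMP, broadcast BIP), a burst of forged broadcast deauths spoofing AP1,
    a disassoc spoofing a bulb towards AP2, a beacon, and a deauth on a neighbour's net."""
    recs = [(0.0, build_record(-55, DEAUTH, LAPTOP, AP1, AP1, protected=True)),
            (0.5, build_record(-55, DEAUTH, BROADCAST, AP1, AP1, mmie=True))]
    for i in range(5):
        recs.append((1.0 + i * 0.002, build_record(-38 + i % 2, DEAUTH, BROADCAST, AP1, AP1)))
    recs.append((1.010, build_record(-39, DISASSOC, AP2, BULB, AP2, reason=8)))
    recs.append((1.100, build_record(-52, 0x08, BROADCAST, AP1, AP1)))            # beacon
    recs.append((1.200, build_record(-70, DEAUTH, OTHER_STA, OTHER_AP, OTHER_AP, reason=3)))
    return recs


if __name__ == "__main__":
    for sa, info in find_forged_deauths(sample_capture()).items():
        print(f"unprotected deauth/disassoc claiming to be from {sa}: {info}")
```

On the constructed capture the report names two claimed transmitters: AP1 (five broadcast deauths in 8 ms, reason 7, strongest RSSI -37 dBm) and the bulb's MAC (one disassoc aimed at AP2); the CCMP-protected and BIP-protected deauths, the beacon and the neighbour's deauth are ignored. Feed it (timestamp, bytes) pairs from a monitor-mode capture with the radiotap link type, for instance tcpdump -i wlan0mon -w deauth.pcap '(type mgt subtype deauth) or (type mgt subtype disassoc)' read back with any pcap library. Two caveats: the logic assumes the APs run 802.11w as required (OpenWrt option ieee80211w '2'), because with "optional" a client that associated without MFP legitimately receives unprotected deauths; and has_mmie only checks that the element is present, not that its MIC verifies, so a forged broadcast frame with a bogus MMIE would slip past this passive check (clients discard such frames, so it also does not knock anyone off).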
Whoever it was must have gotten tired and stopped doing it. It coincided with the neighborhood kids going back to school after spring break, so I'm suspicious that it was one of them.