I turned on my TV last night and went to watch something off my DLNA server. And funnily enough, I see this strange new media server show up: something called ChrisXXXX-PC (where XXXX is the last name of one of my neighbours, whose first name just so happens to be Chris…).
Righteo then.
I then checked the DHCP leases on my router, and sure enough there's a new entry: ChrisXXXX-PC on xxx.xxx.xxx.119 with his MAC address. I then pinged my broadcast address, ran arp -a, and found that he is on the network, although not directly responding to pings.
I suspect he has used Reaver to break through my Wi-Fi extender's security (I did have WPS turned on for some silly reason), as my main router has it disabled. But as we know, WPS is not always securely implemented and can respond even when disabled, depending on the router model.
So I have set up a routing rule to drop all traffic from xxx.xxx.xxx.119, and have also set his MAC address to a reserved address (with a rule to drop all traffic again). Ideally this will prevent him from using my internet, even if he is on the Wi-Fi. I have changed my router and extender admin passwords and disabled WPS on the extender. I have not changed the WPA2 password, as I want to test how the network responds to a Reaver attack with WPS disabled (I will do that tonight); it's ineffective to change the WPA2 PSK until I know that he can't discover it through a WPS crack again. If the network doesn't respond to WPS hacks, then I will change the WPA2 PSK and that's it. Otherwise I will have to replace equipment.
I have also changed my SSID to "HiChrisXXXX" as a deterrent (and will tell him to bugger off when I see him next).
To be honest, I think the guy just thought he was awesome and downloaded a GUI reaver front-end and got it to work and is simply being opportunistic. I mean seriously, he is using a PC with the default Windows hostname generated during the setup process… I bet his user ID is ChrisXXXX and he has no password.
Although I have unlimited bandwidth, principle is at stake here. I was slightly taken aback at how easy it is to get into, as I am normally security conscious. And what if someone (Chris or otherwise) decides to use my internet to download kiddy porn? Or honeypot torrents?
Question is: from those more IT security capable than myself, is this a reasonably suitable remediation plan?
And also what have other people done in this situation?
Couldn't you just revoke him to kick him out of your network temporarily, then change the WPA2 PSK so as to stop him from reconnecting, THEN add his MAC address to the deny list in your router?
Once he is in the deny list, he shouldn't be able to access your router even if he knows the password, that is, until he figures out a way to clone your MAC address.
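The two mechanical steps in this thread, the broadcast-ping-plus-arp sweep the asker used to confirm the intruder was on the LAN and the MAC-based deny rule both the asker and the answer rely on, as an added example script. It is not code from the original post or from either participant; it assumes Linux `arp -a` output and iptables' `mac` match module, and it works on a constructed `arp -a` sample and allow-list so it runs offline (in real use you would populate the ARP cache with a broadcast ping first and pipe the live `arp -a` output in).

```shell
#!/bin/sh
# Added example (not from the original post): audit the ARP table for hosts
# whose MAC is not on an allow-list, then emit iptables rules that drop
# traffic from an intruder's MAC.  In real use, populate the ARP cache first
# with a broadcast ping, e.g.  ping -b -c 3 192.168.1.255  and feed in
# "$(arp -a)"; a constructed sample is used here so the script runs offline.
# Assumed Linux `arp -a` line format:
#   ? (192.168.1.119) at de:ad:be:ef:00:01 [ether] on wlan0

# Constructed sample of `arp -a` output (not real data).
SAMPLE_ARP='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on wlan0
? (192.168.1.50) at 66:77:88:99:AA:BB [ether] on wlan0
? (192.168.1.119) at de:ad:be:ef:00:01 [ether] on wlan0
? (192.168.1.200) at <incomplete> on wlan0'

# Constructed allow-list: MACs of devices you own, one per line.
KNOWN_MACS='00:11:22:33:44:55
66:77:88:99:aa:bb'

# unknown_hosts ARP_OUTPUT KNOWN_MACS
# Prints "<ip> <mac>" for every resolved ARP entry whose MAC is not on the
# allow-list.  Comparison is case-insensitive; <incomplete> entries (hosts
# that did not answer the broadcast ping) are skipped.
unknown_hosts() {
    printf '%s\n' "$1" | awk -v known="$2" '
        BEGIN {
            n = split(known, k, "\n")
            for (i = 1; i <= n; i++) if (k[i] != "") allow[tolower(k[i])] = 1
        }
        /^\? \([0-9.]+\) at [0-9a-fA-F:]+ / {
            ip = $2; gsub(/[()]/, "", ip)
            mac = tolower($4)
            if (!(mac in allow)) print ip, mac
        }'
}

# block_rules MAC
# Prints iptables rules that drop frames from MAC aimed at the router itself
# (INPUT) and anything it asks the router to forward (FORWARD).  The rules
# are printed rather than executed so they can be reviewed before being run
# as root on the router.  This only raises the bar: the intruder can clone an
# allowed MAC, so rotating the WPA2 PSK is still the real fix.
block_rules() {
    printf 'iptables -I INPUT -m mac --mac-source %s -j DROP\n' "$1"
    printf 'iptables -I FORWARD -m mac --mac-source %s -j DROP\n' "$1"
}

# Usage: list unknown hosts, then print the rules that would block each one.
unknown_hosts "$SAMPLE_ARP" "$KNOWN_MACS" | while read -r ip mac; do
    echo "# unknown host $ip ($mac)"
    block_rules "$mac"
done
```

On the constructed sample only the .119 host is reported, since the second entry differs from the allow-list only in letter case and the fourth never resolved. A MAC-based drop rule is worth having as a speed bump while the PSK is rotated, but a sweep like this should be re-run afterwards rather than trusted as proof that the intruder is gone.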