|
[INTERNET] Stealing bandwidth?
Last year, my girlfriend got charged quite a lot for going over her bandwidth limit. It seemed strange to me since she is a very light Internet user (only web browsing and occasional standard definition Netflix watching). Yet, her usage charts on Cogeco's site showed downloads in excess of 20GB per day on certain days.
We figured that someone must have cracked her wifi password and was leeching off of her. After straightening things out with Cogeco, I set her password to something more secure, changed the SSID for her network, turned off SSID broadcasting on the router and kept an eye on it. Things seemed pretty good for a while, but then usage started creeping up again. This time I chose a very complex password with mixed case, letters and numbers and special characters.
I checked today and her usage is still through the roof. The strangest thing is, she's not even home! She's been out of town for the last couple of days on a business trip. Yet, her account shows 14GB on one of the days when she wasn't there. There are other days that show up to 44GB of downloading in a single day. I know for sure she doesn't know how to download that much stuff. You'd have to be downloading a lot of movies and tv shows to get to that kind of number.
With the hidden SSID and complex WPA2 password, I'm not sure how much more secure I can make her wifi network short of disabling it entirely.
My question is, other than compromised wifi, is there any other way someone could be stealing bandwidth? Could there be some kind of mixup at Cogeco that could be attributing someone else's traffic to her account?
Any help would be appreciated. |
|
|
Is WPS off? If it's not disabled, any complex 63 keys WPA2 password can be cracked by someone with a little bit of knowledge in maybe 6 hours or less.
MAC filtering could be a great idea, but if the hacker is already stealing your bandwidth, he will bypass your MAC filtering in seconds.
Maybe it's also a cloned MAC address? (It commonly happens.) Cogeco reps will ask you to PM them your MAC address and they will verify if there's something wrong with it.
Also, if you have a bandwidth meter on your router, turn it on. Maybe it's only Cogeco's meter that is wrong. |
|
|
|
Thanks for these suggestions. WPS might be on. I'll turn it off.
My brute force test will be to go to her house right now and turn off her router and modem entirely. She won't be home for a couple of days so I can see if Cogeco reports any usage during this time. |
|
|
CrackyPete to Beaugrand
Anon
2013-Oct-18 8:23 pm
said by Beaugrand: "Is WPS off? If it's not disabled, any complex 63 keys WPA2 password can be cracked by someone with a little bit of knowledge in maybe 6 hours or less"
Nah... nowadays it can be cracked in minutes. The hard part is capturing the initial handshake with WPA2, but even that's not too hard. I would convert to turning off your wifi for the sake of troubleshooting and only use a wired connection for a week or so and see if the extra traffic continues. If not, you know it's a wifi problem. If it still happens you know it's her computer. |
|
|
Alright. I turned off her router for now. When she gets home I'll make sure wifi is off for a few days and we'll see if any traffic is registered on Cogeco's meter. Thanks! |
|
|
to superkev
What router does she have with what firmware version? (have you updated it?)
Knowing the specifics we can probably get to the bottom of it. |
|
|
to superkev
It could be someone cracked the wifi, but hard to say. If I were you, I would get a nice router that supports DD-WRT (no WPS vulnerability), or at least enable MAC address authentication on the current router. This way you can make a whitelist for all the devices allowed to connect to the access point. The problem with "disabling" WPS is that some router manufacturers have bad firmware that doesn't actually disable WPS. So you might be getting a false sense of security thinking it's disabled when it actually isn't. |
|
|
to urbanriot
It's a D-Link DIR-825 updated to the latest firmware. |
|
superkev |
to Warez_Zealot
said by Warez_Zealot: "If I were you, I would get a nice router that supports DD-WRT"
Not a bad idea. Her router supports DD-WRT so I might give it a shot when I have some time to fool around with it. |
|
FarchordLost somewhere. join:2004-08-28 Shawinigan, QC |
Might not be a bad idea either to restrict the Wi-fi by mac address... |
|
|
said by Farchord: "Might not be a bad idea either to restrict the Wi-fi by mac address..."
Yes, possibly, but it is so inconvenient for adding new devices, etc. By cloning MAC addresses, it's also pretty easy to circumvent... at least someone who is able to crack WPA2 can probably just as easily clone a MAC address. But, if I have to do it, I will. The DIR-825 router doesn't make it really easy to restrict by MAC address. I would probably try with DD-WRT instead. |
|
|
urbanriot
Premium Member
2013-Oct-20 11:58 am
You may be attributing too much skill to neighbours. I have a strong feeling your issue is something else entirely, like on the laptop, or you haven't disabled WPS.
said by superkev: "But, if I have to do it, I will. The DIR-825 router doesn't make it really easy to restrict by MAC address. I would probably try with DD-WRT instead."
- I disagree with the custom firmware idea, the stock firmware would work just fine or potentially better in some areas and it very easily supports MAC filtering so I'm not sure why you suggest it's not easy - » support.dlink.com/emulat ··· ter.html
- WPS (Wi-Fi Protected Setup) must be disabled as that's hugely exploitable.
- Make sure Guest Zone is disabled.
- Use a long WPA2 passphrase with symbols.
- If you don't have devices that need WPA, switch to WPA2 only.
- On the logging page, click everything on and don't use the wireless with any of your devices and see what you see in there.
- On the firewall settings page enable SPI, Address Restricted for UDP and Port And Address Restricted for TCP and check off Enable anti-spoof checking.
- Use a very small subnet for your network, one that specifically allows ports only for the amount of devices you have and use DHCP reservations. So if you have only one laptop, go with 10.20.30.1/30 (that's subnet mask 255.255.255.252 if you didn't know) and reserve 10.20.30.2 for the one laptop. If someone's stealing wireless then you'll definitely know since you will have an IP conflict which will be reported to you and only one of you will have internet access. Problem solved.
Please give those suggestions a try and report back as you'll definitely find out if someone's stealing your internet if you implement all of the above. |
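The small-subnet suggestion from the post above, worked through as an added example (not code from the thread or from D-Link): it generalizes from one laptop to any device count and checks a client table against the reservations. The function names and MAC addresses are constructed for illustration.

```python
import ipaddress

def plan_subnet(base, device_macs):
    """Smallest subnet at `base` with one address for the router and one per device."""
    needed = len(device_macs) + 1
    for prefix in range(30, 15, -1):          # try /30 first, then /29, /28, ...
        net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
        if net.num_addresses - 2 >= needed:   # minus network and broadcast addresses
            break
    else:
        raise ValueError("more devices than a /16 can hold")
    hosts = [str(h) for h in net.hosts()]
    return {
        "network": str(net),
        "netmask": str(net.netmask),
        "router": hosts[0],
        "reservations": dict(zip((m.lower() for m in device_macs), hosts[1:])),
        "spare": hosts[needed:],  # usable but unreserved: keep these out of the DHCP pool
    }

def audit_clients(plan, observed):
    """Flag (mac, ip) rows from the router's client table that do not match the plan."""
    findings = []
    for mac, ip in observed:
        mac = mac.lower()
        reserved = plan["reservations"].get(mac)
        if reserved is None:
            findings.append((mac, ip, "unknown MAC"))
        elif ip != reserved:
            findings.append((mac, ip, "known MAC off its reservation " + reserved))
    return findings

# Constructed sample data: locally administered MACs, not real devices.
LAPTOP = "02:00:00:00:00:01"
ONE = plan_subnet("10.20.30.1", [LAPTOP])
THREE = plan_subnet("10.20.30.1", [LAPTOP, "02:00:00:00:00:02", "02:00:00:00:00:03"])
CLIENT_TABLE = [(LAPTOP, "10.20.30.2"), ("02:00:00:00:00:99", "10.20.30.2")]

if __name__ == "__main__":
    print(ONE)
    print(THREE["network"], "spare:", THREE["spare"])
    for finding in audit_clients(ONE, CLIENT_TABLE):
        print(finding)
```

With three devices the smallest fit is a /29, which leaves two usable addresses unreserved, so the "no free address" effect only holds when the DHCP pool is limited to the reservations.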
|
|
Thanks for these detailed suggestions. I remember giving the MAC address filtering a try a few months ago and found that it wasn't working as easily as the interface suggests. For some reason it didn't accept the formatting of MAC addresses as it puts them in itself (I think it puts them in with dashes between the octets but you have to edit them to put in colons or nothing... can't remember exactly). Anyway, my reason for not implementing it is that if we had to add other devices, we'd have to log in to the router to do it. I'm going to try it again later so that all the bases are covered.
I checked and the router is set to WPA2 AES only and WPS is off. There's no guest zone. The passphrase was quite long already and included multiple special characters but I changed it to an even longer one with even more special characters.
I will try all of your other suggestions too because we're at a point now where we have to figure it out. Some stranger leeching 44GB per day of bandwidth is definitely not acceptable. |
|
|
While I sympathize with you, I highly doubt some stranger is leeching. It is much more likely Cogeco's meter is entirely wrong. Very nice of you to look within, but Cogeco is known for this type of issue. |
|
|
said by morisato: "It is much more likely Cogeco's meter is entirely wrong"
Sure, but I want to prove it on my end before I can call them and tell them that. |
|
FarchordLost somewhere. join:2004-08-28 Shawinigan, QC |
to superkev
Isn't that DIR-825 in the list of routers in which the firewall has a glaring security issue recently discovered? *googles* Oh never mind, nope. It doesn't seem to be. » www.infoworld.com/d/secu ··· e-228725 |
|
|
urbanriot
Premium Member
2013-Oct-22 11:11 pm
said by Farchord: "Isn't that DIR-825 in the list of routers in which the firewall has a glaring security issue recently discovered?"
As you said, it's not on the list, but even for those on the list, abuse would be evident if my above suggestions were followed. The exploit you're referring to allows bypassing the router login, so you'd need to have access to the wireless network prior to getting access to the login. |
|
dillyhammerSTART me up Premium Member join:2010-01-09 Scarborough, ON |
to morisato
said by morisato: "While I sympathize with you, I highly doubt some stranger is leeching. It is much more likely Cogeco's meter is entirely wrong. Very nice of you to look within, but Cogeco is known for this type of issue."
Cogeco is notorious for this type of issue. I say that because they are well aware of the problems and either refuse to or are incapable of doing anything about it. Hell of a profit center though, tell you what. OP should get the hell off Cogeco forthwith.
Mike |
|
|
mk1_416
Anon
2013-Oct-25 10:25 am
Disabled or enabled, if WPS is present on a router the WPS PIN can be hacked to reveal the WPA2 (etc). Not saying how, but the information is widely available and it's something the most novice script kiddies can do. |
|
|
An update on this issue:
I've had wifi totally disabled for a couple of weeks now and everything seemed normal. But then we went away for a few days and there was an unusually high amount of usage reported for those days. It should have been nearly zero because everything was powered off. I called Cogeco. They did some tests and found that they were not able to properly communicate with the modem and have arranged for me to swap her old one for a new one. We'll see if this finally sorts out the problem. |
|
|
So, was the usage reset, or are you still on the paying end for their fuckups? |
|
|
It was never in danger of going over her limit, so I never bothered to ask for that. I just wanted to get to the bottom of whether or not someone was hacking the wifi. That's a much more serious problem to me. |
|
dmas1er join:2006-10-11 Peterborough, ON |
Sounds like someone had cloned your modem's MAC.
It would be nice if cable co's had a different way of authenticating legit subscribers on their network..... ;-/ or do they? |
|
zed173 join:2010-07-17 Mississauga, ON |
zed173
Member
2013-Nov-11 7:56 am
said by dmas1er: "Sounds like someone had cloned your modem's MAC. It would be nice if cable co's had a different way of authenticating legit subscribers on their network..... ;-/ or do they?"
They do (BPI, etc.), most just don't bother. |
|
|
to dmas1er
said by dmas1er: "Sounds like someone had cloned your modem's MAC."
After all of this troubleshooting, I'm feeling more and more convinced this is what happened. Now that we've switched out the modem, her reported usage has plummeted to where we expect it to be. The poor sucker who was using the cloned MAC is now hopefully cut off. May he go out and pay for Internet access like the rest of us! |
|
|
anoncoward
Anon
2013-Nov-25 10:45 pm
said by superkev: "said by dmas1er: 'Sounds like someone had cloned your modem's MAC.' After all of this troubleshooting, I'm feeling more and more convinced this is what happened. Now that we've switched out the modem, her reported usage has plummeted to where we expect it to be. The poor sucker who was using the cloned MAC is now hopefully cut off. May he go out and pay for Internet access like the rest of us!"
Has someone from Cogeco ever officially responded to these claims of "cloning"? I saw someone describe their method on an old forum post, so it sure seems it is or was being done by people. |
|
|
anonhero
Anon
2013-Nov-25 11:28 pm
said by anoncoward: "Has someone from Cogeco ever officially responded to these claims of "cloning"? I saw someone describe their method on an old forum post, so it sure seems it is or was being done by people."
What do you want? Them to lie to you and say it's not possible so you can sleep better at night? Or them to confirm that it is possible and get you all paranoid and open up the door to lawsuits about inaccurate usage stats? Best to shut up about it and hope it goes away. |
|
|
to anoncoward
said by anoncoward: "I saw someone describe their method on an old forum post, so it sure seems it is or was being done by people."
"old" being the key word, the days of Cogeco techs providing friends with working off-the-truck modems have been finished for at least 5 years now, probably more. |
|
|
anoncoward
Anon
2013-Nov-26 12:31 am
said by urbanriot: "said by anoncoward: 'I saw someone describe their method on an old forum post, so it sure seems it is or was being done by people.' "old" being the key word, the days of Cogeco techs providing friends with working off-the-truck modems have been finished for at least 5 years now, probably more."
The post was someone collecting MACs with an SB5100. |
|
JackoramaI Am Woman Premium Member join:2008-05-23 Kingston, ON |
Check the new online account. They added an old MAC address from a modem that was having problems charging its battery. It was swapped out about 2 weeks after I got it. Now the MAC address is linked to my account as active with the MAC address of the modem I actually have and use. I hope it has not been refurbished and someone is using it. I got a ticket in and it will be fixed in 24 to 48 hours. |
|