I am seeking assistance in understanding and responding to what I believe to be a security breach in my home wireless LAN. While I am an experienced end-user, my networking experience has been largely limited to small LANs and web servers.
To preface the symptoms I will describe, it may be relevant to state that there is a certain individual who is relatively tech-savvy (although no hacker), who has motive to access personal information of mine.
So, here's my layman's description of what has happened: Beginning approximately two weeks ago, I suddenly and inexplicably started having difficulty with wireless connections to my FiOS network in my home. Specifically, clients would establish connections to the network, but were unable to access the internet and other network devices. I also noted a significant decrease in signal strength, and encountered frequent disconnects that I had not before.
Assuming there was an error or misconfiguration with my hardware, I have spent hours on end resetting all of my network devices to default and rebuilding the LAN, with no improvement in performance. I have FiOS service in my home, so my primary gateway is the Verizon-provided piece-of-crap Actiontec modem/router. It has a static IP provided by Verizon, and is set to dish out IP addresses within the range of 192.168.1.100-192.168.1.200. Because the Actiontec wireless signal is laughable, I installed an Apple AirPort Extreme dual-band N in front of the FiOS router. I set up the AirPort to broadcast the wireless connection to the network, and disabled its DHCP server so that the FiOS router was the only device leasing IPs. I statically assigned the AirPort the address 192.168.1.2 (the FiOS router is set to the factory-default 192.168.1.1).
My LAN consists of a Windows 7 Professional desktop that is always powered on, two Windows notebooks (Win7 Pro & WinXP Pro), two Linux notebooks (Ubuntu 10.04 LTS), a NAS (WD MyBook World), 6 iOS devices (3 iPod touch, 2 iPhone, 1 iPad 2), and three AirPort Express units. Obviously, my 3 Verizon FiOS set-top boxes also connect as LAN clients. The Win7 desktop, FiOS STBs, and the NAS are connected to the FiOS router via ethernet/coax; all other devices access the network wirelessly. The only port configuration that was altered was a forward on port 22 to my NAS for remote SFTP connections.
Of all things, it was an iOS game that my daughter was playing that brought the issue to my attention. I had agreed to let her purchase the app, but had great difficulty connecting to the iTunes store on her iPod touch (a very common issue for all of our iOS devices in the past 2 weeks). After rebooting the iPod several times, I opened the WiFi properties and noticed that her connection to my network was suspicious. The device had been assigned an IP address beginning with 169.254…, and was using a different subnet (255.255.0.0, whereas my DHCP assigns 255.255.255.0). Additionally, there were no DNS servers assigned, and obviously, she was not able to connect to the internet at all.
After this discovery, I took a closer look at all clients on the network, and found that half of them had these bizarre IP assignments.
In response, I reconfigured my AirPort Extreme with new WLAN settings, including a new SSID and password. I also disabled broadcasting of the SSID. I changed the settings on all of the clients and reset / reconfigured the AirPort Express units. Immediately after making these changes, all connectivity problems vanished! All clients connected to the WLAN immediately, with very strong signals and no disconnects. Internet access is fast and consistent all around.
Now, for the suspicious part… After reconfiguring the WLAN, I noticed that a network with the same SSID I had been previously using is still broadcasting! I have scoured my home from top to bottom, and cannot imagine ANY device that should be broadcasting this network. My theory (and I have NO idea how plausible this is) is that someone within range of my home is broadcasting their own WLAN using the same SSID I had been using, essentially "mocking" my AP. As my connectivity problems indicate, I think clients would occasionally connect to the rogue WLAN instead of the legitimate one, and at times "bounce" between the two, causing the inconsistent connections and internet loss. I should note that the SSID I had been using was very unique, so I am convinced that if someone else is broadcasting the same, it is NOT coincidental.
As of 07:00 today (3/30/12), the "rogue" WLAN is still broadcasting, and I have the following questions that I am hoping someone in this forum may be able to help me answer:
1. Since my former SSID was broadcast, I see how someone could obtain and replicate it; however, the password used was very strong, unique to the WLAN, and not shared (not even my wife or kids knew it, as I set up their iOS devices for them). If someone did set up a "phishing" WLAN, would it be possible to assign IPs to my devices even though they all had passwords set? Could / would the fake WLAN accept client connections without having matching passwords?
2. What is the most reliable method of locating the device(s) that are still broadcasting the fake WLAN? If this truly is a malicious attack, I assume it won't be long before the attacker realizes he/she no longer has wireless clients.
3. What, if any, personal information could have been compromised on my home LAN? I'm really not concerned about packet captures on the wireless clients, since they are primarily used for casual browsing / email, etc.; however, I do use my work (WinXP) and personal (Ubuntu) notebooks for confidential communication and banking. Neither of these notebooks is powered on when not in use. The "always-on" Windows desktop is only used for homework, iTunes, Facebook, etc.
4. Keeping in mind that I am NO hacker, is there an easy way for me to learn anything about the fake WLAN and its owner's intentions? I considered connecting to it with one of my notebooks and running Aircrack or Wireshark, but in all honesty, I wouldn't know the first thing about what to look at in the captured data.
Okay, so now I'm "that guy" who submits a novel for his first post in the forum - lol, but I'm really hoping someone can share some insight on this for me, and as I mentioned, I doubt the broadcast will continue once the admin realizes there are no more connections to it.
Thank you in advance for any advice you can offer, and for enduring my verbose description!!!
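The post describes two symptoms that can be checked mechanically from a home network: a single SSID being advertised by more than one BSSID (the "mocking" access point theory), and clients ending up with 169.254.x.x link-local addresses, which is what a device assigns itself when it joins a network but never gets a DHCP lease. The following Python script is an added example and is not code from the original post or from any tool it mentions. It assumes the scan results and client addresses have already been collected (from the OS's own Wi-Fi scan and the clients' network settings) and fed in as plain records; the SSIDs, BSSIDs, signal values and client addresses below are constructed sample data, and the "known BSSIDs" set is a placeholder for the owner's own AirPort radios.

```python
import ipaddress
from collections import defaultdict

# Constructed sample scan results: one record per advertised network, as a
# client-side Wi-Fi scan would report them. Not real data.
SAMPLE_SCAN = [
    {"ssid": "MyUniqueHomeNet", "bssid": "00:11:22:33:44:55", "channel": 6, "signal_dbm": -42},
    {"ssid": "MyUniqueHomeNet", "bssid": "66:77:88:99:AA:BB", "channel": 11, "signal_dbm": -58},
    {"ssid": "NewHomeNet", "bssid": "00:11:22:33:44:56", "channel": 36, "signal_dbm": -40},
    {"ssid": "Neighbor", "bssid": "CC:DD:EE:FF:00:11", "channel": 1, "signal_dbm": -80},
]

# Placeholder: the BSSIDs (radio MAC addresses) of the owner's own access points,
# read off the AirPort configuration. Anything else advertising our SSID is suspect.
KNOWN_BSSIDS = {"00:11:22:33:44:55", "00:11:22:33:44:56"}

# Constructed sample client settings: (hostname, IP address, subnet mask).
SAMPLE_CLIENTS = [
    ("win7-desktop", "192.168.1.105", "255.255.255.0"),
    ("ipod-touch", "169.254.37.12", "255.255.0.0"),
    ("ubuntu-laptop", "10.0.0.5", "255.255.255.0"),
]

# 169.254.0.0/16 is the IPv4 link-local (APIPA) range a host falls back to
# when it cannot obtain a DHCP lease.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def find_duplicate_ssids(scan):
    """Return {ssid: [records]} for every SSID advertised by more than one BSSID.

    Two different BSSIDs for one SSID is normal for a multi-radio or multi-AP
    setup, so the result is a list of things to verify, not a verdict."""
    by_ssid = defaultdict(list)
    for entry in scan:
        by_ssid[entry["ssid"]].append(entry)
    return {
        ssid: entries
        for ssid, entries in by_ssid.items()
        if len({e["bssid"].lower() for e in entries}) > 1
    }


def unknown_bssids(scan, known):
    """Return scan records whose BSSID is not one of our own radios."""
    known_lower = {b.lower() for b in known}
    return [e for e in scan if e["bssid"].lower() not in known_lower]


def classify_client(ip, netmask, expected_network):
    """Classify a client's address as 'ok', 'apipa' (no DHCP lease) or 'foreign'
    (a lease from some network other than the one we run)."""
    addr = ipaddress.ip_address(ip)
    if addr in APIPA:
        return "apipa"
    iface = ipaddress.ip_interface(f"{ip}/{netmask}")
    if iface.network == ipaddress.ip_network(expected_network):
        return "ok"
    return "foreign"


def audit(scan, known, clients, expected_network):
    """Run both checks and return a summary dict for reporting."""
    return {
        "duplicate_ssids": sorted(find_duplicate_ssids(scan)),
        "unknown_bssids": [e["bssid"] for e in unknown_bssids(scan, known)],
        "clients": {name: classify_client(ip, mask, expected_network)
                    for name, ip, mask in clients},
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SCAN, KNOWN_BSSIDS, SAMPLE_CLIENTS, "192.168.1.0/24")
    for ssid in report["duplicate_ssids"]:
        print(f"SSID {ssid!r} is advertised by more than one BSSID; verify each one")
    for bssid in report["unknown_bssids"]:
        print(f"BSSID {bssid} is not one of our access points")
    for name, state in report["clients"].items():
        print(f"{name}: {state}")
```

On the constructed data the script flags MyUniqueHomeNet as advertised by two BSSIDs, lists the two BSSIDs that are not our own radios, and classifies the iPod's 169.254 address as a failed DHCP lease rather than an address handed out by the FiOS router. The APIPA check is the more conclusive of the two: a client with a link-local address associated to an access point that never gave it a lease, which is exactly what a look-alike SSID with no working DHCP would produce. A duplicate SSID by itself only tells you there is a second radio to go and verify against your own equipment's BSSIDs.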