One month ago I noticed an unknown device connected to my WiFi and tried to block it. I ended up having to also restore the router to factory settings (I have AT&T Uverse), and change my password and my SSID, all per the AT&T rep’s instructions. Then I went into the options menu within the router control screen and filtered out the device by its MAC address.
This worked for about a month and then today the same device was again connected to my WiFi (same MAC address as before).
I am perplexed by this. I called AT&T again and this time they had me change my SSID, disable SSID broadcasting and change my password again. The “blocked” device is still in the blocked list and so far hasn’t reconnected.
I don’t understand how the device could still connect to my WiFI after what I did a month ago and would like to know what else I could do to block it should it come back again. Is it possible I am getting false positives here?
I have no idea what the device is as I can’t determine that through my router control screen or the third-party software “Who is on my WiFi” which I downloaded last month.
Disabling SSID actually creates an extremely nasty security hole than can trivially allow man in the middle attack.
WPA2 is critical, anything less is subject to breaking in a matter of minutes.
If the device is not being blocked successfully when it is in the MAC blacklist, you might assume some sort of bug in the router. Or the router has been totally pwned, which is possible with some models.
However there are a couple of things you can do. First up you can often get some idea what it is that has connected from the MAC address. For instance Wireshark’s site will do this. MAC addresses can be spoofed, so it isn’t fully secure, but on the basis that it is more likely that you have a false positive than anything else, this can help work out what is going on.
Here’s something I don’t know. If a device is connected to a wireless bridge and then the bridge connects to the router, will the router then block the device that is connected to the bridge? Or can the router only block the bridge itself (if the bridge’s MAC address is on the blocking list)?
The Android app Fing will scan your network and give you the IP and MAC of everything on it. Very easy, and no digging through the router settings pages looking for the DHCP client table.
MAC address filtering (blocking or enabling) is a standard function of the wireless protocol, unless the router has some weird additional functionality to do it for all devices. So you block or enable the MAC address of the bridge, and whatever is attached to is blocked or enabled accordingly.
This should on a separate network as far as the home user is concerned. And not under their direct control either. (You can supposedly opt out of this.)
Routers are incredibly prone to security problems. And many manufacturers provide firmware updates for a short time if at all. This is especially troubling since these are supposed to be the first line of defense against attack and quite commonly today are becoming the primary target and source of attacks instead. (There are malware networks out there spewing crap on the Internet via hundreds of thousands of infected routers.)
The OP might want to see what the current state of security issues for their router, check the current firmware version and see if can be updated to a newer version.
Maybe AT&T won’t allow a firmware upgrade, which is Yet Another Good Reason to get your own router if the ISP allows it.
That appears to be a chip from Liteon, which looks to be a generic chip manufacturer.
Unsure why it would show up again after being blocked unless something went wrong with the blocking somehow.
If I had to make a random guess with that chipset manufacturer, I’d guess some sort of appliance ahead of a laptop or phone, but I freely admit I don’t keep up with chipsets all that much.
If it does show up again, I might start with shutting down/unplugging things like smart TVs, Blu-Ray players, etc one at a time to try and find it that way, it might be something that you set up for the network at one point for updates or something and never thought of again.
So if I understand you correctly, then one reason this particular device is still getting on his system despite having its MAC address blocked is that the device is actually coming through a bridge, router, access point, or extender that is on his network but not blocked.
So, OP, do you have another bridge, router, access point, or range extender somewhere in your network? Can your phone (for example) function as a hot spot?
Since the MAC address is sheeted home to a Liteon chip - it is a WiFi device. Very unlikey to be a phone, but the chip is used in things like PS3.
An extender is an interesting question, and does present a possible hole in blocking. The WDS protocol preserves the MAC address over the link - I assume it effectively tunnels the packets back. Thus the MAC address re-appears inside the base station after the packet has been unwrapped by the WDS protocol. Thus a poor implementation of blocking might only be preventing initial protocol negotiation via MAC address blocking, and not noticing them appearing via the extender. The response would be that it is the responsibility of the extender to also have blocking enabled and configured.
Liteon Technology Corporation Contract manufacturer, so the device probably doesn’t say “Lite-on”. In fact, when I google, the first search results are “what is the Liteon device on my network?”
Anybody could be making up a fake MAC (but if they do that, there is no reason to use the same one), There could be a standard hack that uses the Liteon MAC (but I haven’t heard about it) or it could be a device you own but haven’t identificed yet.
Althuugh yoy say that you’ve blocked the MAC, often routers block Internet Access, not DHCP. So the MAC still appears on the DHCP or Connection list even though internet access is blocket. You may be qble to block DHCP by giving that MAC a static IP address that is NOT part of your network (or your router may not permit you to do that).
I think that is more likely than the other two options (someone using the same MAC has broken or borrowed your password), or (the MAC is attached to the wired part of your network, and you’ve blocked in on the Wireless part).