138

I noticed that another SSID pops up in my WiFi with the same name as mine (quite personal so could've only been intentionally copied) but a couple of the letters are capitalized. Their version has no security. Mine has WPA-PSK2. I tested it to be sure by unplugging my router and while mine disappeared after a while, theirs remained.

Is this a ploy at hacking? Are they trying to use this to infiltrate my network - since I closed mine only to approved MAC addresses - thinking I will slip up and join their network?

Example:

  • My SSID: bestfriend
  • Their SSID: BestFriend (with capital B & F)
Andrew T.
  • 266
K. Pick
  • 1,127

11 Answers

129

Yes, it is most likely some kind of hacking ploy, although it's a guess as to why.

I do point out that locking your router down to specific MAC addresses might provide a tiny bit of security, but not much.

It's also unlikely that their actions are designed to hack your network - they are more likely to try and capture your traffic.

If it were me, I would take advantage of them - I'd get a cheap VPN and some dedicated hardware (low spec PC, large hard drive), connect it up to the VPN and their network and leech hard. Because you are using a VPN they won't be able to intercept your traffic but you can consume all their bandwidth until they wake up. (And you have plausible deniability: "Hey, I thought I was connected to my AP - I used the SSID of my device.")

Couple of other things to mull over - it's conceivable that both of these APs are actually yours - one in the 2.4 GHz band, one in the 5 GHz band, and the 5 GHz band is simply not encrypted. Check your router configuration to rule this out and/or use some kind of Wi-Fi analyser (there are a few available from the Play Store for Android) to help you work out where the signals are coming from by looking at signal strength.

Watch out for de-auth packets. If they are trying to hack your systems it would not surprise me if they are trying to send de-auth packets to interfere with your connections to increase the chance that someone on your network tries to connect to them.

mjr
  • 107
davidgo
  • 73,366
57

It sounds to me that this is something called "Evil Twin".

Basically the attacker creates a network that mimics yours so you (or your machine all by itself) connect to that instead. He achieves that by, as davidgo said, sending de-auth packets to your router so you have to reconnect. By changing the MAC address of his own router to the one of yours, your computer automatically connects to the attacker's network instead (given that its signal is stronger). This allows the attacker to further harm you by man-in-the-middle attacks or a fake DNS that redirects common websites to phishing sites.

Now you could do some science here and try to prove that this is indeed an attacker with bad intentions and report it, or simply take advantage of the "free traffic", but since there might be some DNS shenanigans going on you could risk giving away sensitive information if you are not careful when filling out forms.

Echo
  • 681
43

I ran into a similar "issue" earlier this year while debugging wireless connectivity issues.

My suggestion is a question: do you own a chromecast?

The connectivity issues ended up being entirely the service provider's fault, but I was really stuck on this red herring SSID. By using a wifi signal strength analyzer app on my phone I tracked it down to the chromecast (which was an alternate capitalization of my wifi SSID), and there was much relief.

EDIT: It is important to note that the Chromecast only needs power (not "internet") to host its own Wi-Fi; it will both connect to a Wi-Fi network as well as host its own. You can connect to this but it doesn't do anything unless you are configuring it via the app.

Cireo
  • 533
14

Well - you seem to be taking security quite seriously. It is possible someone is trying to trick people into joining the other network. The best way to start looking at this would be to change your SSID to something different - and also quite specific, for example a word with some digits substituting for letters - and see if that SSID changes to something similar to yours; perhaps yours will be st0pthis and theirs StopThis. If you record the MAC address of their SSID beforehand and then see that the other SSID changed, you can be even more suspicious.

A good way on Linux to see MAC addresses is: iwlist YourInterfaceName scanning | egrep 'Cell |Encryption|Quality|Last beacon|ESSID' And of course you can, and indeed should, monitor your network for changes and suspicious activity, as well as keep your machines updated.

r0berts
  • 2,008
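As an added illustration of the scan-and-compare approach in the answers above (not code from any of the posters): a small parser for the `iwlist ... scanning` output that flags cells imitating your SSID, while ignoring the BSSIDs you know belong to your own router (its 2.4 GHz and 5 GHz radios, for example). The scan text is a constructed sample, not a real capture.

```python
import re

# Constructed sample of `iwlist <iface> scanning` output (not a real capture).
SAMPLE_SCAN = """\
wlan0     Scan completed :
          Cell 01 - Address: AA:BB:CC:DD:EE:01
                    ESSID:"bestfriend"
                    Encryption key:on
          Cell 02 - Address: AA:BB:CC:DD:EE:02
                    ESSID:"BestFriend"
                    Encryption key:off
          Cell 03 - Address: 11:22:33:44:55:66
                    ESSID:"bestfriend"
                    Encryption key:on
          Cell 04 - Address: 77:88:99:AA:BB:CC
                    ESSID:"Neighbour5G"
                    Encryption key:on
"""

def parse_iwlist(text):
    """Return a list of dicts {bssid, essid, encrypted}, one per scanned cell."""
    cells = []
    for line in text.splitlines():
        m = re.search(r"Cell \d+ - Address: ([0-9A-Fa-f:]{17})", line)
        if m:
            cells.append({"bssid": m.group(1).upper(), "essid": "", "encrypted": False})
            continue
        if not cells:
            continue  # header lines before the first cell
        m = re.search(r'ESSID:"(.*)"', line)
        if m:
            cells[-1]["essid"] = m.group(1)
        elif "Encryption key:on" in line:
            cells[-1]["encrypted"] = True
    return cells

def find_lookalikes(cells, my_ssid, my_bssids):
    """Flag cells that imitate my SSID but are not one of my own radios."""
    known = {b.upper() for b in my_bssids}
    findings = []
    for c in cells:
        if c["bssid"] in known:
            continue  # my own AP (e.g. its 2.4 GHz and 5 GHz radios)
        if c["essid"] == my_ssid:
            findings.append((c["bssid"], c["essid"], "exact SSID clone from unknown BSSID"))
        elif c["essid"].lower() == my_ssid.lower():
            reason = "case-variant SSID" + (", open network" if not c["encrypted"] else "")
            findings.append((c["bssid"], c["essid"], reason))
    return findings
```

Feed it the real scan output and your router's BSSIDs; an exact-name clone from an unknown BSSID is the evil-twin case, a case-variant open network is the situation in the question.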
11

Yes, this is exactly what you think it is: someone is trying to trick you to join their network by mistake. Don't connect to it. If you realize you just did, run an antivirus scan and remove whatever data you have been downloading as it cannot be trusted. If you happened to also send sensitive data like a password over this rogue connection, change it right away.

If this access point won't go away after a while, I suggest you take a reasonable effort to make it stop (like asking your neighbors to stop that or tell their kids to stop). A device capable of showing the WiFi signal strength, like a cellphone, should allow you to track down the location of this access point precisely enough.

11

A simple trick: change your SSID and hide it, and see what happens. If they copy your SSID again then you know you're in trouble.

Extreme mode

Change your local DHCP network range to something that isn’t used on the open network

Configure a static IP if possible so your PC can't use the open WiFi

Configure your WiFi settings on your PC not to use open WiFi hotspots

Change your WiFi password to something like this:

HSAEz2ukki3ke2gu12WNuSDdDRxR3e

Change your admin password on your router just to make sure. And finally use a VPN client on all your devices (also phones)

You use MAC filtering and that’s a good low level security feature.

Finally, use third party firewall and AV software and set the settings to annoyingly secure so you have to approve almost every action which has to do something with internet or network activity.

Once you get used to these things it will get easier to maintain and your firewall will relax because it learns from your actions.

Giacomo1968
  • 58,727
MR_Miyati
  • 111
9

A lot of times people with security concerns are just being paranoid. In this case, you have a very legitimate cause for concern.

Don't conclude maliciousness 100%, it could be an IT savvy neighbor trying to prank you, let's say by redirecting website requests to a joke site. Or someone who tried to set up their own network and just happened to imitate yours (but I am inclined to doubt that, any router nowadays will have a password requirement by default). But basically, the person would be able to see a lot of your traffic, which websites you visit, what you send and receive, apart from what's encrypted (and much is not encrypted). That could be for blackmail, espionage, stalking. On the other hand, it's not super sophisticated and quite easy to discover, so who knows.

More importantly, this isn't some generic mass global attack by foreign hackers; it means a physical access point is located near or in your house. If I were you, I would not alert them, but try to find it. If you have a fuse box, switch off power one circuit at a time, wait five minutes and see if the access point disappears. That will tell you if it's something in your house. Otherwise you can use triangulation, a signal-strength logger with GPS on your phone and take a walk through the neighborhood, or a Pringles can to find out roughly where it is. You might find an old ex with a knife, a buried box, or a neighbor's nerdy kids. If they care enough to do this, they might also have an audio bug. First track down generally where it is, and if it's inside someone's house, then you might want to call a bodyguard from work and go knocking on doors.

Bob
  • 91
2

The other answers so far give you enough to do about this concrete situation.

However, it should be noted that you have noticed a situation that may be an attempt to invade your private data. There are other situations when this kind of attack is less detectable, for example if your neighbour knows your Wi-Fi password, which you could have told them when they kindly asked because they were new in the house and their own uplink was not ready yet. But worst of all: if you are on an unencrypted Wi-Fi (or one where the password is commonly known) such as hotel or airport Wi-Fi, these attacks will be very hard to detect, because the attacker can set up the Wi-Fi with EXACTLY the same settings (same password and same SSID) and your devices will automatically connect to the strongest signal and never tell you that they made a choice.

The only option to actually stay safe is to encrypt ALL your traffic. Never enter your password, email address, credit card number or any other information on a website that is not SSL/TLS encrypted. Consider downloads from unencrypted websites as compromised (malware could have been injected). Before entering/downloading data on an encrypted website, check that you are on the right domain (google.com, not giigle.com; SSL will not help if you are on a domain you do not want to talk to). Install HTTPS-Everywhere or the like. Also remember that there are other services than your web browser that might transmit data, such as an IMAP email client. Make sure it also only operates on encrypted connections. Nowadays, there is hardly any reason not to encrypt all your traffic; nevertheless some developers are just too lazy etc. If you need to use some application that does not support SSL or a similar security measure, then use a VPN. Note that the VPN provider will then still be able to read all your traffic which is not encrypted in addition to the encryption that the VPN provides.

yankee
  • 693
1

If it is a hacking attempt, it is being enacted by someone who is ignorant. Each SSID can be protected by a password of some kind and with some kind of cryptographic strength.

Simply having another access point configured with the same name as a nearby access point is the same thing as this:

My name is Steve Smith and I've just moved into a house. And as it happens to be true, my next door neighbor's name is Steve Smith. But just because my neighbor and I have the same name, does not mean the key to my front door will work on his front door. Nor does it mean that my door key will magically re-key itself so that it also works on his door.

And that is how silly it really is in terms of looking at this from a possible hacking scenario.

Your answers:

  1. Is this a ploy at hacking?

    • Maybe, but it won't work.
  2. Are they trying to use this to infiltrate my network — since I closed mine only to approved MAC addresses — thinking I will slip up and join their network?

    • They might be, but it doesn't matter, since it won't work.
Giacomo1968
  • 58,727
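Added example (not code from any of the posters) that shows why the "same name, different key" reasoning in the answer above holds, and also why yankee's same-password-same-SSID clone is the hard case: in WPA/WPA2-Personal the 256-bit PSK is derived with PBKDF2-HMAC-SHA1 using the passphrase as the password and the SSID as the salt (4096 iterations), so "bestfriend" and "BestFriend" yield different keys even with an identical passphrase, while an identical passphrase and identical SSID yield the same key. The passphrase values are constructed.

```python
import hashlib

def wpa2_psk(passphrase: str, ssid: str) -> bytes:
    """WPA/WPA2-Personal pre-shared key as specified in IEEE 802.11i:
    PBKDF2-HMAC-SHA1(passphrase, salt=SSID, 4096 iterations, 32-byte output).
    The SSID is part of the key material, not just a label."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)

def psk_hex(passphrase: str, ssid: str) -> str:
    return wpa2_psk(passphrase, ssid).hex()

def keys_match(passphrase_a: str, ssid_a: str, passphrase_b: str, ssid_b: str) -> bool:
    """True only if both (passphrase, SSID) pairs derive the same PSK, i.e. a client
    keyed for network A could complete the 4-way handshake with network B."""
    return wpa2_psk(passphrase_a, ssid_a) == wpa2_psk(passphrase_b, ssid_b)

# Constructed passphrase for the example (not anyone's real key).
EXAMPLE_PASSPHRASE = "correct-horse-example-only"

def case_variant_shares_key() -> bool:
    # The question's scenario: same passphrase, "bestfriend" vs "BestFriend".
    return keys_match(EXAMPLE_PASSPHRASE, "bestfriend", EXAMPLE_PASSPHRASE, "BestFriend")

def exact_clone_shares_key() -> bool:
    # yankee's hotel/airport scenario: attacker knows the passphrase and copies the SSID.
    return keys_match(EXAMPLE_PASSPHRASE, "bestfriend", EXAMPLE_PASSPHRASE, "bestfriend")
```

The open "BestFriend" network in the question derives no PSK at all, so a client configured for WPA2 on "bestfriend" has nothing to hand it; the only thing a different-case SSID can achieve is tricking a person into joining manually.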
0

The answer is fairly simple, if it isn't yours, which you can check by disabling the Chromecast and your router (also make sure other APs are disabled).

If it still persists, it's most likely an attempt to monitor your traffic; in most cases it can't cause any harm, except if you use a lot of unencrypted sites (HTTP) instead of encrypted ones (HTTPS).

If you use HTTP, anything you send will be sent as plain text, meaning that if your password is "123abc" they'd be able to see "123abc" as well.

A program which is able to undermine your traffic is, for example, Wireshark.

yass
  • 2,574
0

If it was a hacking ploy, the network SSID would be exactly the same as yours and open - so that you would connect to it automatically (if they had stronger signal) and you wouldn't notice.

I often do this to my neighbours at weekends when they are playing YouTube on their laptop or phone after 1am - basically clone their network (only one unique SSID allowed) and put a password on it - it stops them as they go out of signal and come back in, and they've not ever figured it out. They just think the WiFi is broken again.

If I left it open, no password - they would connect and I would be able to perform a DNS reroute or man in the middle attack and monitor their net activity or other things that might be considered illegal - sure they might tap in my router IP and see connected devices - but it doesn't happen.

As a security analyst, I would consider that a network ID such as "bestfriend" has simply made a new "BestFriend".

If it was a real hacking ploy - it would be the exact same SSID and open network and you likely wouldn't notice as you reconnected to WiFi, as likely there is autoconnect to the name.

It's a very old trick - take a laptop into a coffee shop and DNS reroute from a wireless dongle to their login site - get people's traffic.

One reason why card readers often work off the WiFi and are hard-lined to the bank - it's too easy to MiM a Starbucks network and another few seconds to watch the image cache of every device - hotels too, that use repeaters for extended WiFi.

Especially in the USA, where some hotels do not even have a password and are very tall. Sniff that in a few seconds and even access the main desk machines or back office from a telephone, sometimes.

(I've had network names such as "I've seen you naked" and someone's changed theirs to "me too" and "I don't want to see you naked". Or sent messages - eg, "working shifts", so neighbours know that it's ok to party all night, but please don't wake me by knocking my door for a chat because I'll be asleep at 0800).

Some guy
  • 1
  • 1