Writing

Software, technology, sysadmin war stories, and more.
Sunday, September 2, 2012

How would you know if someone cracked your wireless password?

I sometimes wonder about wireless networks and the static authenticators which are used for them, particularly in a home environment. Let's say you set up your shiny new Linksys box or Airport device and give it a WPA password as you know you should. Then you just leave it there for years and years. Everything just works.

Let's say you also live in an area with a bunch of people who know a thing or two about technology and might find it interesting to try to crack into a local network just for giggles. Maybe they've tried brute-forcing your password, or they've discovered some kind of weakness which allows them access to your network. Now they're riding around on your bandwidth and/or probing your internal systems.

How would you even know this has happened? If someone got on your network and started using it without doing anything blatantly obvious to get noticed, then you might not know for weeks or months. It could just sit there effectively wide open to anyone who was told the secret by the original attacker.

I assume most people don't check in with their DHCP servers to see what the lease table looks like all that often, or, well, ever. They might not even be able to see one depending on what kind of device they have. Whoever or whatever is on your network is effectively hidden away.

Personally, I want to know if something new manages to associate with my access point. Then, if it's not something I expected to find there, I can pull a Madagascar, shut everything down, and retool my security procedures. Basically, you can pretend that it will never happen and live a life of ignorance, or you can accept that it could happen and give yourself a chance of detecting it.

I could probably do this just by monitoring the network for DHCPDISCOVER messages and keeping track of who's been seen. Granted, this means having some kind of device which is always on and listening, but that's not a problem for me. It would be a bit harder for ordinary folks who only turn their computers on when they actually need to do something.

I actually wouldn't mind having something which would automatically shut off my wireless network if something unusual happened. Sure, it would be a small inconvenience until I could get in and figure it out, but it would mean fewer chances of being taken for a ride. Most of the events would probably be false alarms when a legitimate device which hasn't been "blessed" shows up on the network, but it would be easy enough to say "always allow this client".

The fun would only begin when something showed up for which I had no explanation. Then I'd be very happy this sort of feature existed.

Call it the DHCP panic alarm, maybe. That's tonight's half-baked idea.
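A sketch of the detection step of the DHCP panic alarm described above, added here as an example and not the author's code: it parses a DHCP client message, extracts the MAC and hostname, and alerts the first time an unblessed client asks for a lease. It goes slightly beyond the DHCPDISCOVER idea by also counting DHCPREQUEST, since a client that remembers an earlier lease can skip DISCOVER; the function names, the `blessed` set and the sample packet builder are assumptions made for illustration.

```python
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # marks the start of DHCP options (RFC 2131)
DISCOVER, REQUEST = 1, 3             # option 53 values sent by clients

def parse_dhcp(payload):
    """Return (msg_type, mac, hostname) from a UDP port 67 payload, or None."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    if payload[0] != 1 or payload[1] != 1 or payload[2] != 6:
        return None                              # BOOTREQUEST over Ethernet only
    mac = payload[28:34].hex(":")                # first 6 bytes of chaddr
    msg_type, hostname, i = None, None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                          # end option
            break
        if code == 0:                            # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            return None                          # truncated option: reject packet
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if code == 53 and length == 1:           # DHCP message type
            msg_type = value[0]
        elif code == 12:                         # client-supplied hostname
            hostname = value.decode("ascii", "replace")
        i += 2 + length
    return (msg_type, mac, hostname) if msg_type is not None else None

def check(payload, blessed, seen):
    """Return an alert string the first time an unblessed MAC asks for a lease."""
    parsed = parse_dhcp(payload)
    if parsed is None or parsed[0] not in (DISCOVER, REQUEST):
        return None
    _, mac, hostname = parsed
    if mac in blessed or mac in seen:            # "always allow this client"
        return None
    seen.add(mac)
    return f"unknown client {mac} (hostname {hostname!r})"

def build_discover(mac, hostname):
    """Constructed sample input: a minimal DHCPDISCOVER payload."""
    hdr = struct.pack("!BBBBIHH", 1, 1, 6, 0, 0x1234, 0, 0x8000) + bytes(16)
    hdr += bytes.fromhex(mac.replace(":", "")) + bytes(10) + bytes(192)
    name = hostname.encode()
    return hdr + MAGIC_COOKIE + b"\x35\x01\x01" + bytes([12, len(name)]) + name + b"\xff"
```

In a real deployment the payloads would come from an always-on machine receiving broadcasts on UDP port 67. This only sees clients that ask for a lease: a device with a statically configured address sends no DHCP at all, and the MAC in `chaddr` is whatever the client reports.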