Who Is Connected to Your Network?
Do you currently know who is connected to your corporate wireless network? Most people cannot even answer this question for their home networks.
You expect people with different devices to be connected to a network at any given moment. Users connect laptops, tablets, smartphones, game consoles, smart TVs, and Wi-Fi printers, among other devices, to a network.
Signs Your Network Has Many Users Connected
Unquestionably, your wireless network is vulnerable to malicious actors and outsiders who simply want to use your internet access for free. Either way, it is unwanted and unlawful. It helps to be aware of certain warning signs that indicate the presence of devices and users connecting to your network without permission.
Slower Internet Speed
The first common sign involves noticing your internet moving a little slower than usual. Naturally, every connection to the network takes up some bandwidth. Consequently, if outsiders connect and start using your Wi-Fi without permission, then your traffic will slow down.
They Appear on Your Wireless Network Web Interface
The easiest way to determine if outsiders are joining your network without permission is to log in to your wireless network’s web interface and review all the devices currently connected. The challenge is that to know which devices shouldn’t be connected, you first need to know which devices should be connected. Unfortunately, most companies can’t answer this question either.
Importance of Identifying People and Devices in a Network
What’s the big deal with someone connecting to your network? Understanding which devices, and more importantly which people, are connecting to the network is the first step in identifying an attacker.
It Opens Doors for Attackers
If attackers connect to your network, the attack surface grows exponentially. If an attacker is able to pivot to other segments of the corporate network, it is possible to install malware that could steal your passwords and other proprietary information. Even worse, it would be possible to encrypt all data the attacker has access to and hold your company hostage with ransomware. In effect, it is essential to ensure that all users and devices connected to your network are trustworthy.
Guest Networks Are Not a Fix-All Solution
More frequently, companies try to circumvent the risk by setting up a guest and a corporate network. Typically, most routers on the market today make it straightforward to offer guest access to wireless networks. However, if it is possible to join the corporate network from the guest one, or join both networks with the same device, then the company is vulnerable to wireless attacks. In some cases, the guest network is enabled in access points by default.
How To Identify Devices Connected to Your Network
An Easy Way to Identify Connected Devices
A low-tech way of identifying devices connected to your network involves shutting down all your smartphones and computers so that none of them are turned on. Ensure you switch off smart TVs and any other smart appliance connected to the Wi-Fi. Next, you can check the activity lights on your wireless router or AP. If regular activity still shows on the router’s signal light, then that’s a sign that someone is using the Wi-Fi without permission.
Check Your Router's Management Page
In the case of a business with multiple connected devices, shutting off all of them to check the activity lights might be infeasible. In such a situation, you can open your router’s management page by typing its IP address in your browser’s address bar. If you are lucky, you will recognize all the items on the attached devices or client list page on the router’s management page. However, not all routers offer enough information. For instance, you can have a list with a couple of devices that list no name or manufacturer.
Detecting Connected Devices with Sonar
View Physical Device Characteristics
You can leverage Sonar, included in Pulsar Cyber Shield, to generate a list of all devices currently connected, or attempting to connect, to your wireless network so that you can identify the ones you trust. Although you get some of this information when a device joins the network, through the authenticated device’s MAC address and assigned IP address, Sonar takes it a step further and provides physical device characteristics, helping to confirm that the device connecting is legitimate and not one with a spoofed MAC address. The only way to properly confirm the device is legitimate is to tie the physical device to the MAC and IP address.
View Devices With Common Open Networks in Their Preferred Network Lists
The Sonar service detects client devices connecting to your network, including those with common open networks in their preferred network lists. If a client device that has been seen connecting to your network, or is currently connected, has also been seen connecting to common open networks, such as ‘Starbucks,’ this device is vulnerable to de-authentication attacks that take advantage of automatic reconnection to common open networks.
Detect Clients That Match Signatures of Wireless Hacking Devices
Besides that, Sonar detects clients that match the signatures of wireless hacking devices. Attackers use such devices to perform several malicious actions, such as de-authenticating devices, capturing packets necessary for network password retrieval, setting up fake access points, and viewing or manipulating network traffic.
Monitor Devices for Malicious Activities
The solution also discovers devices whose MAC addresses are not resolvable to a vendor and are not locally administered by the organization. Sonar subsequently monitors such devices for malicious activities. Naturally, devices with wireless connectivity should be resolvable to a vendor or a locally administered address. Therefore, an unresolvable device is considered potentially malicious and may indicate an attacker’s presence in the wireless network with a spoofed MAC address.
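The vendor-resolution check described above, combined with the "know what should be connected" inventory comparison from the web-interface section, can be sketched as follows. This is an added example, not Sonar's implementation or code from the original article; the OUI table, the inventory, the client MACs and the function names are all constructed for illustration.

```python
import re

# Constructed sample OUI table (first 3 octets -> vendor). In practice, load the
# IEEE OUI registry; these prefixes and vendor names are placeholders.
SAMPLE_OUI = {"001122": "ExampleVendorA", "A4B1C1": "ExampleVendorB"}

# Constructed inventory of devices the organization expects on the network.
INVENTORY = {"00:11:22:aa:bb:01": "front-desk-laptop"}

def normalize(mac):
    """Return 12 uppercase hex digits, or raise ValueError for malformed input."""
    digits = re.sub(r"[:\-.]", "", mac).upper()
    if not re.fullmatch(r"[0-9A-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def classify(mac, inventory=INVENTORY, oui=SAMPLE_OUI):
    """Classify one client MAC as seen on an AP or router client list."""
    digits = normalize(mac)
    known = {normalize(m): name for m, name in inventory.items()}
    first_octet = int(digits[:2], 16)
    if digits in known:
        return "known:" + known[digits]
    if first_octet & 0x01:
        # Group (multicast) bit set: never valid as a client source address.
        return "invalid-source"
    if first_octet & 0x02:
        # Locally administered bit set: assigned by software (OS MAC
        # randomization or an admin), so no vendor lookup is possible.
        return "locally-administered"
    vendor = oui.get(digits[:6])
    # Universally administered with no registered prefix is the case the
    # article treats as potentially spoofed.
    return "unknown-device:" + vendor if vendor else "unresolvable"

def review(client_macs):
    """Map each observed MAC to its classification; malformed entries are flagged."""
    report = {}
    for mac in client_macs:
        try:
            report[mac] = classify(mac)
        except ValueError:
            report[mac] = "malformed"
    return report

if __name__ == "__main__":
    # Constructed client list, as if copied from a router's attached-devices page.
    print(review(["00-11-22-AA-BB-01", "da:a1:19:12:34:56", "00:ff:ee:01:02:03"]))
```

A "known" verdict only means the MAC matches the inventory; as the article notes, a MAC can be spoofed, so this check narrows the list for review and does not by itself prove a device is legitimate.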
Beefing Up Your Wireless Network Security to Prevent Illegal Connections
After identifying outsiders in your wireless network, you can simply kick them off by enhancing the router’s or access point’s security. These best practices can enhance your wireless network security and prevent outsiders from connecting.
- Set strong passwords: Most significantly, you should change the password to a strong WPA2 passcode that is difficult to crack.
- Turn off the WPS feature: After changing the password, it is vital to turn off the WPS feature that otherwise makes it easy for hackers to access the wireless network.
- Disable default guest network: Security-conscious users need to restrict outside entities from accessing their networks. In this case, they should disable the guest network that is enabled by default. If you decide to allow guest access, ensure you change the guest password regularly. Some routers feature other levels of guest access security, such as limiting the number of hours or time of the day the guest network is active for connections.
- Network prioritization: Ensure faster internet speeds for services and applications that are more important to you. Many routers now offer the ability to configure specific user devices and applications for optimized networking performance. That way, you can choose to prioritize the performance of desktop devices while not optimizing connectivity from smartphones and other unknown devices.
- Upgrade the router firmware: Upgrading the router firmware allows you to benefit from any security patches and fixes from vendors. If possible, you can allow automatic updates on your AP, otherwise check regularly for new updates.
Corey Belanger
Corey is a Security Consultant and leads QA of product development, using his expertise in these dual roles to more effectively test and secure applications, whether while building enterprise applications or while performing penetration tests and vulnerability assessments for customers. An Army veteran with a tour of duty in Afghanistan, Corey has built a post-military career in security while earning Network+, Security+, GIAC Certified Incident Handler, GIAC Python Coder, GIAC Web App Penetration Testing, and GIAC Penetration Tester certifications. Corey is also a BsidesNH organizer and founding member of TechRamp, avenues which he uses to help others build their skills for careers in security and technology. Fun Fact: When not manning a terminal or watching the Bruins, Corey can often be found snowboarding or riding his motorcycle.