Unusually High Usage

I am a software engineer. (Not a broadband/Router expert). I have a connection with a small local charity expecting to have very low usage. They are with BT.and when the charity was closed for the summer (schools work based) , no staff in, their usage was through the roof (75GB in one month I think), very high bills . They finally got to talk to BT who said it was genuine. So they changed the wifi password on Thurs 3 November and passed this to just the immediate staff. At that point for November usage was 3GB. By today they have consumed 42GB and were closed Saturday, Sunday. They mostly bring in laptops and phones and take them home again.

Does anyone have any suggestions

1) How to monitor the LAN to see if their really IS someone using this much and who it might be? I know a bit about limiting the DHCP server, maybe mapping MAC addresses to fixed IP addresses, etc, but this would restrict if visitors cam for meetings (none since 3 Nov BTW).
2) Best way to challenge BT that their figures may somehow be in error.

Any advice and suggestions would be really welcome.

Thank You.

Edited by deleted (Mon 07-Nov-16 16:14:05)

It could be that their modem has WPS enabled, which would make it much easier to hack into wirelessly (WPS is only an 8 digit number which can be brute forced pretty easily).

Tell them to go into the modem router settings and make sure WPS is disabled, sadly this can't be done on every modem but fingers crossed it can on theirs.

It doesn't matter how long or complicated their WiFi password is if they have WPS enabled.

So step 1 disable WPS, step 2 create new WiFi password, ideally 16 characters long using letters numbers and symbols.

If you really wanted to go extreme you could setup the modem to only allow specific devices to connect to it and no other, but it shouldn't really come to that.

That should hopefully do it

Edited by deleted (Mon 07-Nov-16 16:44:58)

To clarify. WPS is a pairing feature rght? So the person would have press a physical button on the router and then connect their device within a given time period. Is that how it works? If a person had just once connected via WPS could they then stay permanently connected even after a WiFi change. It is a BT Hub (aprox 1 year old), might it have WPS.

There is a coffee shop connected to the charity office.

Edited by deleted (Mon 07-Nov-16 16:56:27)

Hardya

If you log into the router you should be able to see all the devices that are and have been connected.

These will show under Home network -Devices or the equivelent.

Also if you have access control turned on you will have a list of devices to block or restrict. You do not have to enable ones that will be the default.

It is likely that they are offering free wiFi at the coffee shop and some people will be taking advantage of this. You will be shocked at how much a mobile phone can use to load apps and updates and you could have 50-100 doing this over the weekend!

In reply to a post by hardya:

To clarify. WPS is a pairing feature rght? So the person would have press a physical button on the router and then connect their device within a given time period.

Not necessarily. Here's one youtube video: http://youtu.be/e1QOn17Fzgs
But still, I'd want to be sure if it's real traffic passing through the router, or it is an error on BT's side counting someone else's data - a similar topic appeared here a week or so ago.
I assume you have access to the BT online account since you're able to see live traffic consumption. Does it show you a detailed usage, e.g. day-to-day, does the high usage happen on weekends only (would be an indication of "neighbor abuse" or is it on the same level every day?
To rule out the neighbors (or confirm them), you could log in to the router and see into the DHCP section. See if you can recognize all the computer names listed. You can also set DHCP lease time to 2 days or more, so that these names stay on the list for longer. If it's the same staff using the internet connection with the same computers, you could also enable MAC filter to stop strangers connecting.

OK, some things to say.

BT can/will not provide detailed usage. You have to look then look again and surmise. No other detail. August when no one was working at the charity, it was 75gb I believe.

As said in post unless typo, Thursday 3 Nov afternoon wi-fi password was changed. Usage for November then was 3gb. Cafe open Fri sat, n nothing open Sunday. Monday morning usage was 42gb.

The coffee shop has its own wi-fi. Given its nature and what I know about it it's unlikely to have anything like that footfall in one Saturday. Also you are surely making the assumption that the cafe users have ALL broken through the locked office door and used the wps button, or hacked the wps pin or something. The office wi-fi password had been changed. And for such users to exist and then to use 39gb seems very unlikely. I think the regular cafe users is surely a red herring, no?

If anything at all to do with a bad user I am thinking this relates to someone who at sometime was previously connected to the office network when the cafe was still being set up.

Question: after the wi-fi password is changed can a person previous ly connected using wps very easily stay connected or get reconnected?

From what your are saying am I right in saying that after I turn off wps and reset wi-fi and router passwords, I can see all Mac addresses that have been given an IP address either recently or ever. We could match these to known staff devices and block any others while also maybe seeing that there were on fact others, though hard to identify who, unless the person involved in setting up the cafe.

How might they desk with visitors for meetings who need wi-fi? Use cafe wi-fi maybe?

Is there any way to stick a monitor between an additional wi-fi access point and the router on an Ethernet segment? To monitor usage per service.

Finally does anyone have a view on 2) in the original post? I find it hard to believe that after the wi-fi password change the router would have took 39gb in 2 days. Can anyone suggest a specific real world scenario (like an example detail hypothesis) which takes into account all the circumstances described and then suggest how likely that is compared to how likely it is bt have some errors in their monitoring.

This is a small church charity with a few staff who only using laptops and phones which they take home every night.

I don't know if this is applicable, but if someone got legitimate access, perhaps with a laptop, on the Friday or Saturday after the wifi password was changed, that same person could then connect on the Sunday from outside in a car or whatever and download an awful lot.

For any individual machine connecting, WPS or password entry only needs to happen once. The connection details are then stored on the connecting machine and automatically used when within range. (Edit - changing the password on the router would normally kill that).

There are two ways to stop such usage. The one that needs a bit of techie action is to disable wireless on the router when not required and re-enable it when needed. The easy way is simply turn the router off on days it is not required, such as at close of business Saturday in the case you just gave us. Turn it on again first thing on the Monday morning.

If high unexpected usage happens during the week, similar action at nights.

Edited by RobertoS (Mon 07-Nov-16 19:14:13)

Log into the router and see what it is showing the usage at. If it hasn't been turned off or reset you will see something like


Connection time: 8 days, 15:56:52
Data transmitted/received (GB): 1.299 / 30.894

This should align with the same period on the BT stats.

IF this shows the high usage it is something to do at the premises.

Someone streaming video can easily use 39Gb in 2 days. Leaving a pc switched on connected to you-tube listening to a music video on loop will do it easily as well.

You need to see who has been connected see my first reply.

Roberto

Good idea to power down at night but people often forget.

Hardya
Some BT routers have a power save mode that you can set to activate between set times this will have the same effect as turning off but will not need physical access to do each night/morning.

The Exploit / Vulnerability is in the WPS itself which sends the hacker your password once hacked.

There are a set of tools online that uses the exploit / vulnerability to get the internal 8 digit code, the WPS button doesn't need to be pressed to be hacked and just changing your password wouldn't stop them.

Do a search for Reaver it should tell you in more detail.

So its best to just disable the WPS option and change your Wi-Fi password as soon as.

Your probably not using the WPS feature anyway, so just disable it.

Most modem / routers have it on by default, I know several homes near me had it enabled until I told them their password and how it was got, they then disabled WPS and changed their passwords.

They could of also done an offline brute force password hack which can take a while depending on the length and complexity of the password used.

This offline attack only requires them to scan your Wi-Fi network traffic for a few mins, force one or two of your Wi-Fi devices to disconnect and record the traffic when the re-connect and they take that data home with them and brute force it to decrypt the data to get the required information to allow them to connect to your Wi-Fi.

Sadly noting can stop the offline attack, but you can slow them down with long complex passwords like a mixed case and numbers password, some also allow symbols in the password.

Paul