The macosxhints Forums

sredhead 01-02-2004 08:28 PM

Airport Hi-Jack
 
After disconnecting from the net via internet connect, then closing down the airport connection to my Snow base station and turning off my computer you would think that all is well. Next day I find the lights on the base station flashing like crazy like there is heavy network activity. If I boot my computer and try to access the internet I can't.

The only current solution is to unplug the base station from the power for some time, then after reconnecting to the power I use Airport Utility to restart the base station, then all is well.

This is happening a lot recently - any ideas what is going on?

Mikey-San 01-02-2004 08:48 PM

Wow. That's pretty odd, but it /does/ indicate someone's screwing with you. Idiot script kiddies, no doubt, if it's true.

I believe you can restrict access to Base Stations via MAC addresses . . . Anyone have some info here?

sredhead 01-02-2004 09:29 PM

Snow base station Hi Jack
 
Today it was easy to regain control - just disconnect the power, then after powering up again and reconnecting using airport utility, then reboot the base station.

Sometimes I have to disconnect from the power for an hour or so before the airport utility will connect to the base station - in these cases airport utility can't connect to the base station at all initially.

I can understand the modem having an attack but why the base station, as the computer is turned off, I can't imagine how it is used by hackers?

During the night it is unlikely that anyone nearby is using the base station connection?

java_guy 01-02-2004 11:51 PM

Do you have the latest base station software installed on your base station?

I remember having to disconnect the power from the base station periodically to be able to connect to it.

You should set your access password at the very least on the base station.

mclbruce 01-03-2004 12:58 AM

There are things you can do to make your base station more secure. Here are two easy ones that can be done with the Airport Admin Utility:

- Change the base station password. I believe the default is public.

- Turn on WEP encoding so you will need a network name and password to log on.

It doesn't take any special knowledge or programs to hijack an Airport base station fresh out of the box. A neighbor's ABS is visible from my computer. It's wide open, and I can log on and run the Airport Admin utility whenever I want.

By running the Admin utility I found out his email address and IP address. With the IP address I can run Airport Admin Utility from any computer on the Internet! I don't know who this person is, but sent them an email suggesting they have a security problem. No reply so far.

I thought about sending a couple of screen shots of the Airport Admin Utility running on my computer, but then they'd probably call the cops or something.

Moral of the story: change the base station password and enable WEP encryption just to keep the honest people honest.

acme.mail.order 01-03-2004 01:03 AM

Can I assume the following is correct:

1. You have a high speed internet connection (DSL or Cable)
2. Your AirPort Base station is directly connected to the internet modem
3. You never changed the default settings - just plugged it in and it worked.

Right all three times? What you have done is set up a free internet hot spot for anyone within range of your base station, and someone is taking advantage of it.

Here's what needs to be done:

1. change the default user name and password for the base station. Be creative.

2. enable WEP encryption

3. as was mentioned by Mikey-San, set up access restrictions by MAC* address - yours and yours alone. Deny all others.

4. Also change your internet, local user and email passwords. Chances are they've been compromised.

If you want to be really mean you could look at the logs, figure out where your attacks are coming from, and try to access their machines. If you succeed, upload lots of photos and movies of questionable legal status then call the Feds.


* Media Access Control - the unchangeable hardware number of your ethernet adapter and an unfortunate coincidence

MBHockey 01-03-2004 01:28 AM

Do you live in an apartment, or a dorm room? I can't imagine a base station having enough range to reach a neighbor's house where I live, but hey, you might be real close to your neighbor.

sredhead 01-03-2004 02:14 AM

Well - thank you to everyone but need to clear up some points that should have been in my original post, mostly in reply to ACME assumptions;

1. The connection is DSL.
2. The AirPort Base station is directly connected to the internet modem
3. The default settings were changed;

2 out of 3 not bad!!

1. The default user name and password for the base station were changed on installation.

2. WEP encryption is already enabled.

3. (as was mentioned by Mikey-San, set up access restrictions by MAC* address - yours and yours alone. Deny all others.) Is this to do with the authentication and Radius setting? Any info. welcome on how to set access restrictions. Or is this the setting under Access where the specific computers are set?

By the way ACME I am interested how to check the logs you mentioned, where can I get them (the ISP?).

Mclbruce & Java-Guy: the firmware is 4.0.8 which is the latest for the Snow base station as far as I can find out.

Interested also in why it is so difficult to get the control of the base station when it is being accessed. Mostly this happens overnight and very early morning - seems very strange.

MBHockey 01-03-2004 02:38 AM

If you do think it's nearby people, try adjusting the base station range to very low for a few days

airport admin utility --> show all settings --> wireless options... --> transmittance power

sredhead 01-03-2004 03:01 AM

airport base station range
 
MBHockey: What kind of numbers would you recommend for range within a 2 story house?

acme.mail.order 01-03-2004 04:20 AM

log files
 
Root around in the setup pages for your base station - I have no direct experience with AirPort, but other wireless routers keep recent access logs. (Maybe someone else can help here?)
Your ISP will have detailed logs of accessed pages, but talk to security instead of the helpdesk drones. Tell them you have had an unauthorized access and they should be fairly helpful.

If there is a definite timespan, have your own machine on and run a packet sniffer like ettercap to find out what is happening on your network. Before you get too involved in Hacker Hunting, go down to the local library (anybody remember these places? big building, books, stern-looking ladies with beehive hairdos scowling at you?) and read "The Cuckoo's Egg" by Cliff Stoll. Don't let the neighbour's kids take over your life.

Regarding the power - turn it down to minimum, take your laptop to the most remote place in the house and turn it up one notch at a time until it works.

You haven't seen an unmarked van parked near your place in the wee hours?

Finally, no cracker has ever found a way to defeat the power switch.

sanguivore 01-03-2004 09:44 AM

That's true, you can use MAC filtering, but unless the person using your WAP is a drooling gumball it shouldn't take more than 5 minutes to bypass. WEP encryption is another option, but again it is fairly trivial to crack with some persistence. My guess is that your "Hacker" is just a dumb neighbor who doesn't even know he's using your connection, he probably turns on his computer and hops on the internet thinking he's on his own connection and goes-a-surfin'. You should be less worried about your internet connection being shared and more worried about your airport enabled computer being hi-jacked along with the rest of the computers on the network. My advice is to run a firewall on your computers, lock everything down with passwords that can be locked down (including your keychain), and encrypt everything that you don't want the world to see. Then turn off all services that you do not have to have open on your computers. Once this is done buy a good fairly secure router, I recommend a D-Link DI 614+, turn off beaconing, and only use wireless when you have no other option, otherwise use a hard connection, run the highest level of WEP your card and base station will agree on, use MAC filtering. This will be everything you can do to ensure that no one is "hi-jacking" your internet connection or accessing your computers without permission. An important thing to remember is that the words "wireless" and "security" do not belong in the same universe because it is just not possible.

Craig R. Arko 01-03-2004 10:56 AM

Unfortunately, AirPort doesn't do squat in terms of logging. It's the one thing I really dislike about it.

Still, I find the combination of WEP, MAC address filtering, closing the network, and setting decent passwords to prevent all but an organized attack on an access point. There's enough wide open ones out there it's not generally worth the effort.

sanguivore 01-03-2004 11:18 AM

Quote:

Unfortunately, AirPort doesn't do squat in terms of logging. It's the one thing I really dislike about it.
No it doesn't, nor does it do much else regarding security, it is really a poor excuse for a router. I am a mac user but I will not use an airport base station.

Craig R. Arko 01-03-2004 11:41 AM

I like them. To each their own. :)

MBHockey 01-03-2004 12:28 PM

Re: airport base station range
 
Quote:

Originally posted by sredhead
MBHockey: What kind of numbers would you recommend for range within a 2 story house?
Well, to narrow down the problem I would place the computer as close as possible to the base station and put it on like 10%-20% transmittance. Leave it like that for a few days and see if you notice what you have been noticing.

hayne 01-03-2004 06:16 PM

Most of the people responding in this thread are thinking about wireless access to the ABS. But the original poster mentioned only that the lights were blinking, not which lights. sredhead: it would be good to note exactly which lights are flashing and in what pattern. I believe the meaning of the lights is in the ABS manual.

While it is possible to break WEP encryption, it is not at all easy with the current version of the WEP software (some earlier problems were corrected).

It seems to me that it is more likely that the activity is via the DSL modem.
sredhead: Do you have the ABS configured to allow admin access from the WAN?

MBHockey 01-03-2004 07:40 PM

Yeah, that would make more sense than some kid that hacked his WEP encryption while being close enough to the airport base station simply to use his internet connection.

sredhead 01-03-2004 09:30 PM

Flashing light ABS
 
Hayne: Well there are only three lights, so I assume you mean what sequence. The two side ones flash, either independently or in sequence - identical to when I am accessing the net. Usually I find this condition early morning and thought someone had forgot to disconnect internet connect, we also always turn off the computers when not in use for long periods - especially overnight.

Regarding the ABS manual, I am not in an English speaking country, so the manual is unreadable for me. Whenever I try to find information on the Net it is about AirPort Extreme and not the Snow base station that I use.

Admin access via the WAN is via a password - is there any other way to access the ABS? Any details welcome.

How would the DSL modem access the ABS - could this be some connection from or via the ISP? My basic suspicion was that my connect was being used for some unknown purpose. Any information on how/why the modem would be talking to the ABS would be useful.

hayne 01-04-2004 01:54 AM

Quote:

Originally posted by sredhead
there are only three lights, so I assume you mean what sequence. The two side ones flash, either independently or in sequence - identical to when I am accessing the net.
The left light indicates wireless activity. The right light indicates Ethernet activity.
Quote:

Admin access via the WAN is via a password - is there any other way to access the ABS?
The WAN means the network connected to the WAN port on the ABS - which in your case is the Internet since your WAN port (the one with a circle of dots) is connected to your DSL modem. You should disable access via the LAN (via the Airport Admin utility). You can administer the ABS either by connecting a computer to it with an Ethernet cable in the LAN port (the one with a double-ended arrow) or (easier) over your existing Airport wireless connection. No need for WAN access.

Quote:

How would the DSL modem access the ABS - could this be some connection from or via the ISP? My basic suspicion was that my connect was being used for some unknown purpose. Any information on how/why the modem would be talking to the ABS would be useful.
Your ABS is connected to Internet via the DSL modem and hence anyone on the Internet can send packets to your ABS. If you have WAN administration enabled and someone is able to guess your password, they can get full control over your ABS, including the ability to change the WEP password (which would prevent you using the ABS).

acme.mail.order 01-04-2004 02:41 AM

Quote:

Originally posted by hayne
Your ABS is connected to Internet via the DSL modem and hence anyone on the Internet can send packets to your ABS. If you have WAN administration enabled and someone is able to guess your password, they can get full control over your ABS, including the ability to change the WEP password (which would prevent you using the ABS).
Small saving grace here in Japan - the ISPs are really fond of routers - I'll bet he doesn't have an accessible global IP. But if you live in a gaijin house or the standard high-density dwelling the neighbours are plenty close enough :)

I fully sympathise with the language issue - I spent the afternoon beating a router into submission that I bought on vacation just to get English firmware.

sredhead 01-04-2004 03:27 AM

Base station blues
 
Hi Acme: accessible global IP, does that relate to the base station being difficult to access from the net? I guess I can just get the ISP to confirm that - is it an advantage if that is the set up?

My main concern was not so much people nearby accessing the Snow base station and connection, but more external overseas access as a relay for some hackers - which would be more malicious.

The lights on the base station are flashing like a Christmas tree, usually early morning - e.g. around 6 am. This is after disconnecting and all computers being turned off the night before. The left light blinks at about double the speed of the right light. This occurs at random and not every day, so I assumed it is intentional intrusion?

The Snow, bought at Big Camera in Tokyo, accepted the updates I downloaded from Apple so the set up is in English, but the manual is in Japanese - all the information on Apple.com seems to be pushing Airport Extreme.

Thanks also hayne, I have unchecked the two boxes in the WAN set up. Can a Hacker use my connection to mask some activity using access via my modem - just guessing that the answer could be yes is what is giving me a hard time.

I also checked the 'enable interference robustness' check box, assuming this would cut any other interference that could affect the system.

The main point is when the Snow airport is doing its Christmas tree impersonation I can't access the net, I need to unplug the base station for some time, then reconnect the power, then try to access the Snow base station using the airport utility and restart it - then all is OK. If I unplug the Snow base station only for a short time then I can't access the Snow with the airport utility as it can't find/access the unit.

Thank you for all the ideas - sure that the situation is improving as the information builds up

acme.mail.order 01-04-2004 03:51 AM

There's 2 kinds of IP addresses - private and global. If you have a router (which I suspect you do - who is your ISP? ODN, Itscom, gol?) then your modem/router will separate you (private) from the rest of the world (global). It will translate the addresses on the fly so the process is transparent to the user. They're usually as bulletproof as you can get.

Maybe it's not another user - I'm in western Tokyo and I have problems with electrical interference - it's always setting the phone off. Unlikely, but could be a contributing cause.

Why don't you just turn it off at night?
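
An added illustration, not code from any poster in this thread, of the private/global address translation described in the post above and of why WAN administration only matters when unsolicited packets can actually reach the base station. The `Napt` class, all addresses and `ADMIN_PORT` are constructed for the example, and the filtering shown (replies accepted only from the contacted host and port) is a simplifying assumption.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ADMIN_PORT = 8000  # constructed placeholder for the base station's admin service


def is_private(ip):
    """True if ip is in one of the RFC 1918 private ranges."""
    return any(ipaddress.ip_address(ip) in net for net in RFC1918)


class Napt:
    """Toy port-translating NAT: one global address shared by private hosts."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.next_port = 40000
        self.sessions = {}   # (public_port, remote_ip, remote_port) -> (priv_ip, priv_port)
        self.forwards = {}   # public_port -> (priv_ip, priv_port), set by an admin

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Translate an outgoing packet and remember the session for replies."""
        if not is_private(src_ip):
            raise ValueError("inside host must have a private address")
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_port, dst_ip, dst_port)] = (src_ip, src_port)
        return (self.public_ip, public_port, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_port):
        """Return the inside (ip, port) a packet is delivered to, or None if dropped."""
        if dst_port in self.forwards:            # static forward: open to any sender
            return self.forwards[dst_port]
        return self.sessions.get((dst_port, src_ip, src_port))


def demo():
    nat = Napt("203.0.113.10")                   # ISP router's global address (constructed)
    abs_ip = "192.168.1.2"                       # base station WAN port, private side
    out = nat.outbound(abs_ip, 51000, "198.51.100.7", 80)
    reply = nat.inbound("198.51.100.7", 80, out[1])        # solicited reply: delivered
    probe = nat.inbound("192.0.2.99", 40123, ADMIN_PORT)   # unsolicited probe: dropped
    nat.forwards[ADMIN_PORT] = (abs_ip, ADMIN_PORT)        # someone adds a port forward
    exposed = nat.inbound("192.0.2.99", 40123, ADMIN_PORT) # same probe now gets through
    return out, reply, probe, exposed


if __name__ == "__main__":
    print(demo())
```

The last step shows the limit of the protection: a port forward on the upstream router, or a base station holding the global address itself, puts the admin password back in front of the whole Internet.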


All times are GMT -5.