Rogue WiFi Device

Hey guys, my OCD needs some help please. :D

So I'm making the transition to Ubiquiti UniFi gear for my network at home. Started off with an AC-Lite AP which I installed yesterday. Also have a USG and PoE switch coming today I got from the MM.

My problem is, I went through my OCD of labelling all WiFi devices yesterday on the controller. But my OCD is now going nuts, as I have a rogue device and I've no idea what it is... I've gone through everything in the whole house. The UniFi Controller doesn't pull any device data on it, the MAC address I can't find on any MAC lookup website (I tried about 5-6 all say unknown).

I've put together below a montage of data from the UniFi controller and a quick (green section) extract from my BT Hub whilst it was connected to it, not sure on the timeframe possibly over the last 12 months odd? I blocked it last night and between then and this morning, I had over 20k+ association failure notices on the controller (but didn't notice any devices *not* working). So my OCD is still going nuts, I need to know what it is... :p

Is there anything I can do to try to figure it out? I wonder if when the USG comes today, I can use DPI to maybe figure it out by the traffic data possibly?

I've already covered in my house the phones, iPads, smart watches, Apple TV, the TVs, Echo Dots, Sonos, Sky boxes, Smart LED strip, consoles, smart plugs, laptops, etc...

Thanks in advance for any ideas.

[Attached image: 8cAQaJf.png]
 
It's probably a device that's set to use a random MAC address. My girlfriend's cruddy Android work phone used to do it.

Can you ping it? If you can, run a continual ping then go around turning off all your wifi devices. If you stop getting a response when a device is powered off then you've found your culprit.
 
Have anything Sky/BT on the network?
Quick Google of the first few characters of the MAC address, brings up a handful of results of Sky and BT router/devices.

Can always block the device, you'll quickly find out what it is. And you can change the password if you want to be ultra cautious.

Edit - Money is on a Sky/Virgin/STB box considering the download usage.
 
How long have those metrics been capturing? That's a very high amount of upload/download. Most of my IoT devices/idle devices may pull a few Mb a day. For it to have pulled hundreds of GBs would mean it's likely doing some streaming or something.
 
@the-evaluator just tried & doesn't respond to pings

@visibleman yes we have a Sky Q and Q Mini box. The only BT device is the BT Hub (router) itself. The download usage does make me think it has to be a Sky Q box streaming or the BT Hub somehow.

@Semple not sure probably about a year the BT hub... The UniFi stuff was only a few hours at most last night before I blocked it.

I think if I wait til the USG and switch comes today, get it hooked up I'll know if it was the BT Hub if it disappears (as won't need hub connected anymore). If it's still there pulling data, then I'll switch the Sky boxes off and see if it drops off or not.
 
Figured it out! After you guys mentioned a Sky/BT device, I just streamed a catch up episode on the main Sky Q box... and watched my download rate jump to 40-50Mb being pulled from this ‘unknown device’...

Why would this be the case?! The Sky’s system info shows a different 2.4 and 5GHz MAC entirely... the 2.4 MAC on the Sky box says it’s 78:3e:53:cf:84:de as opposed to the one transmitting on the network is 7a:9f:29:e7:84:da...
 
The only reason I can think of it showing a different MAC for 2.4 and 5 is for separate adaptors. Unless you've got it wired in somehow? - so one MAC for the WiFi connection, and the other MAC for physical ethernet.
 
@Semple Nah it’s not wired at all, completely wireless on WiFi. The Sky box shows its Ethernet MAC and it’s not that either. The MAC transmitting is not shown on the Sky box system info at all...

Edit: OK so just streamed on the Q Mini box and it's transmitting through the same MAC address as the main Q Box! It's like they are meshing through a different MAC address entirely as to what the boxes themselves say they are...

This now leaves me confused with 0e:7c:e0:08:57:02 as a rogue device not listed on any of my devices... Hmmm
 
IIRC, Sky Q does use a mesh network between its own devices to aid with streaming between them; that's probably why you're seeing multiple MAC addresses for Sky devices.

Not entirely sure about the other MAC address but a quick Google might suggest it's BT discs or similar consumer WiFi mesh setup.
As mentioned before, block the address and see what device is affected.
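
As an added example (not part of any post in this thread): both addresses the lookup sites could not identify have the locally administered bit set in their first octet, so they were never assigned from a vendor's OUI block, while the MAC shown in the Sky box's system info does not. The Python sketch below checks that bit for the three addresses quoted in the thread; `candidate_base_oui` is a heuristic of this example only (clearing the bit to get a prefix worth trying in a lookup), not something the thread or any vendor confirms.

```python
import re

_MAC_RE = re.compile(r"[0-9a-f]{2}(?:[:-][0-9a-f]{2}){5}")


def parse_mac(text):
    """Return the six octets of a colon- or hyphen-separated MAC address."""
    s = text.strip().lower()
    if not _MAC_RE.fullmatch(s):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(part, 16) for part in re.split("[:-]", s))


def _prefix(octets):
    """Format the first three octets the way OUI lookup sites expect."""
    return ":".join(f"{b:02X}" for b in octets[:3])


def classify(mac):
    """Explain whether an OUI (vendor) lookup can succeed for this MAC."""
    octets = parse_mac(mac)
    first = octets[0]
    local = bool(first & 0x02)      # U/L bit: 1 = locally administered
    multicast = bool(first & 0x01)  # I/G bit: 1 = group address
    result = {
        "mac": ":".join(f"{b:02x}" for b in octets),
        "multicast": multicast,
        "locally_administered": local,
        # Only universally administered addresses carry a registered OUI.
        "oui": None if local else _prefix(octets),
        "candidate_base_oui": None,
    }
    if local:
        # Heuristic (assumption of this example): some devices derive the MAC
        # of a virtual or mesh interface by setting the U/L bit on a burned-in
        # address. Clearing it gives a prefix to try; it may match nothing.
        result["candidate_base_oui"] = _prefix(bytes([first & ~0x02 & 0xFF]) + octets[1:3])
    return result


if __name__ == "__main__":
    # The three addresses quoted in the thread.
    for mac in ("78:3e:53:cf:84:de", "7a:9f:29:e7:84:da", "0e:7c:e0:08:57:02"):
        info = classify(mac)
        kind = "locally administered" if info["locally_administered"] else "vendor-assigned"
        print(f"{info['mac']}  {kind:22}  lookup prefix: "
              f"{info['oui'] or info['candidate_base_oui'] + ' (heuristic)'}")
```

A locally administered address tells you the interface is randomised, virtual or software-assigned, so identifying the device comes down to the traffic correlation and block-and-observe steps suggested in the replies.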
 