…that turned out to be a TV.
I’m rushing to work, fighting Los Angeles traffic. Someone has just told me they see a suspicious SSID in the office. One that looks like someone is trying to trick our employees into joining it. It’s got our company name in the title. I’m annoyed. Why doesn’t my car have lights and sirens?
Waze breaks into the vintage Weezer I’m listening to (in an attempt to calm my nerves a bit). “Watch out! Police reported ahead!”. I yell back, “Police ahead?! I AM THE LAW!!!*”.
*In all fairness, I think the Network Detective session that Denise Fishburne (https://www.networkingwithfish.com/) had taught at CiscoLive had rubbed off on me.
When I finally get into the office, I pull up the rogue access point view on the Cisco WLC, and pull up the site map on Cisco Prime. There it is. A 2.4 GHz, 802.11n radio broadcasting an SSID with our company’s name and an employee group. Let’s just pretend it said “ACME Inc. Human Resources.e000”. It had a MAC address that started with fa:8f:ca. Worse yet, it had no security on it at all. Fortunately, there was no indication of any clients connected to this rogue AP.
Was this thing plugged into the network? Not likely. I won’t go into how I knew that (certain things shouldn’t be made public), but I was 99% sure this wasn’t a back door into our network. It sure looked like a possible man-in-the-middle or Evil Twin attack.
Given the strong signals two of my access points were getting, I was able to use Prime’s map to quickly figure out this thing was in a small area of the office (in the red box):
Now I’m cursing that we haven’t bought a spectrum analyzer yet, but it’s a small area. I’m sure I can find it.
After letting my bosses know what was going on, I walked into the general area. It’s crude, but I was able to use WiFi Analyzer for Android on my phone to locate the signal to within a couple of cubicles. Once the signal meter said I was at -37 dBm, I knew I was right on top of the thing. The problem was, I couldn’t see anything. No access points, no cell phones, no IoT devices… or so I thought.
I even tried joining the network with a burner laptop:
I got an IP on a /29, but there didn’t appear to be Internet access or anything.
A quick Google search of the MAC address sent me to a couple of forums where people were complaining about Google Chromecast devices. Ahhh. Ok. So someone had slipped a Chromecast onto one of the TVs hanging from the ceiling. Right?
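The triage done by hand above (company name in the SSID, open security, no clients, OUI lookup on the BSSID) as a small script. This is an added example, not part of the original post; the OUI table, the rogue list and the `COMPANY` name are constructed for it, with fa:8f:ca being the prefix the post mentions.

```python
# Added example: triage a WLC rogue-AP list the way the post does by hand.
# The OUI table and the rogue entries below are constructed for this example.
from dataclasses import dataclass

COMPANY = "ACME"  # constructed; the company name to look for in rogue SSIDs

# Constructed OUI table. fa:8f:ca is the prefix seen in the post and is
# registered to Google, which is why it led to Chromecast forum threads.
OUI_VENDORS = {
    "fa:8f:ca": "Google (Chromecast / SmartCast)",
    "00:1a:2b": "ExampleVendor (constructed)",
}

@dataclass
class RogueAP:
    ssid: str
    bssid: str
    security: str   # e.g. "Open", "WPA2"
    clients: int    # clients the WLC sees associated to the rogue
    rssi_dbm: int   # strongest RSSI heard by one of our own APs

def oui_vendor(bssid: str) -> str:
    """Map the first three octets of a BSSID to a vendor, or 'unknown'."""
    return OUI_VENDORS.get(bssid.lower()[:8], "unknown")

def triage(ap: RogueAP) -> dict:
    """Return the facts an admin wants before walking the floor."""
    impersonates = COMPANY.lower() in ap.ssid.lower()
    vendor = oui_vendor(ap.bssid)
    findings = {
        "ssid": ap.ssid,
        "impersonates_company": impersonates,
        "open": ap.security.lower() == "open",
        "has_clients": ap.clients > 0,
        "vendor": vendor,
        "likely_consumer_device": vendor.startswith("Google"),
    }
    # Impersonation + open + associated clients is the worst case; a company-
    # named SSID with no clients (a TV or cast device) is still worth locating.
    if impersonates and findings["open"] and findings["has_clients"]:
        findings["priority"] = "high"
    elif impersonates:
        findings["priority"] = "medium"
    else:
        findings["priority"] = "low"
    return findings

# Constructed rogue list resembling what the post describes.
ROGUES = [
    RogueAP("ACME Inc. Human Resources.e000", "fa:8f:ca:12:34:56", "Open", 0, -41),
    RogueAP("CoffeeShop_Guest", "00:1a:2b:aa:bb:cc", "WPA2", 3, -78),
]

if __name__ == "__main__":
    for ap in sorted(ROGUES, key=lambda a: a.rssi_dbm, reverse=True):
        print(triage(ap))
```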
To me, a Chromecast is an HDMI stick or a hockey puck looking thing. Likely powered by the USB port on the TV. But I checked the TVs. Nothing.
Finally, I held my phone right up to the TVs. One of them gave me a signal of -29 dBm. Bingo.
It was a Vizio-brand TV, and it turns out these things have a feature in them called Vizio SmartCast – which is just re-branded Google Chromecast. Someone had set this thing up and given it a name that seemed logical to them. It was an ACME Inc. TV, near the Human Resources people (not really, but just pretend).
Then came 20 minutes of trying to turn the feature off. In the end, I had to do a factory reset, then decline to set up VizioCast during the setup wizard.
Was my time wasted on this hunt? Not really. Sure, it wasn’t much of a threat, but it sure smelled like one.