My SSID is broadcast twice (as secured and unscecured)

[Superannuated]

Several years ago I set up a Netgear WGR16V10 wireless router (i.e., old hardware) that is connected to a Motorola SURFboard SB6141 that gets its cable signal via Time-Warner. The network is secured by WPA2-PSK [AES] and a long (18 character) non-dictionary mixed password. Never had any problems with it.

Up until recently, if a smart phone, iPad, or computer with a wireless adapter searches for a connection only one SSID shows up for my wireless network. Let's call it "BOZO". A lock icon was always displayed next to BOZO indicating WPA2 (or other) protection. Clicking on information (say, with an iPhone) would display the IP Address. Now two "BOZO" networks show up. The newcomer is unsecured (no password required) and clicking on information doesn't show any.

I am concerned that someone is trying to steal passwords, etc by tricking our devices, or someone else's devices, to log onto the unsecured BOZO. That said, maybe something I've done recently to the home desktop computers has created the problem. If it is just a glitch in the system, then how do I get rid of the glitch?

Here are some things I've found out that worry me about ID theft.
1. Selecting the unsecured BOZO results in a working network connection.
2. When I log onto Netgear via routerlogin.net I only see one network. When clicking on Attached Devices several MAC addresses show up and one of them doesn't below to me.
3. When I turn off the cable modem and the wireless router the secured BOZO disappears from the list of available networks, but the unsecured BOZO remains.
4. I renamed BOZO to, let's say, "Krusty" and saved a new network connection password as well as a new login password for routerlogin.net.
5. Krusty only shows up if the modem and router are turned on. Unsecured BOZO is always there.
6. When I changed the SSID to Krusty and gave it a new password the unknown MAC address of attached devices disappeared.
7. After changing the name, I walked around our apartment complex with an iPhone. The complex is really a street with 4-plex buildings. The BOZO signal is strongest when I am near my unit, although I am also equally near seven other units (between two 4-plexes).

Here are the changes I've made to my desktop computers that could potentially have caused problems.
A. Installed Linux Mint 17.2 Xfce, used it for several weeks, updated it, recently installed Wine, more recently got rid of Wine. Computer died, moved the HDD to a second desktop.
B. Played around with Windows 7 on the second hard drive of the second computer.
Note: Each of these two computers were (or are) connected by wire to the wireless router.
C. Installed Linux LXLE to a third computer that is connected by wireless to the router. Used LXLE and updated it over several weeks.
Note: I never (knowingly) touched any wireless settings except to enter the connection password on the LXLE computer.

Disclaimer: This question is from your typical ignorant non-expert. Perhaps should be in Newbie section, but it is specific to the wireless category so here it is. If you answer this post please use small words (but not too many abbreviations).

[Superannuated]

I did a lookup for the MAC address that doesn't belong to me (at least not to my knowledge). It came up:

001EE5 Cisco-Link # Cisco-Linksys, LLC

[Kenn]

Interesting indeed! Based on what you've presented, I'd be suspecting that someone nearby has named their SSID the same as yours, either by accident or with intentions to attempt to get your devices to connect to their router for nefarious purposes. It sounds like you've mostly covered this, but just a few thoughts:

I see your router has one radio, 2.4ghz, and I presume you don't have a guest network enabled?

Knowing that you're online through your router, see what IP address your ISP is giving you. whatsmyip.org is a good tool for this. Then connect to this mystery AP and check the IP address there. If they're the same, then it's probably one of your devices. If it's different, something may be up.

You're certain you don't have a cell phone, tablet, etc acting as a WiFi hotspot?

You could also double-check by powering off everything wi-fi equipped. Computers, phones, tablets, video games, smoke alarms, modem, router, Smart TV's, Internet enabled coffee makers, etc. Just to make sure something isn't configured to be acting as an Access Point. Some Chromecast devices do this in error. Then fire up a notebook and see what's there.

Note that WiFi routers have three MAC addresses in them as they have three network interfaces. 1. WiFi 2. WAN connection to modem 3. Wired LAN switch. Four if it's dual-band router. But you already checked the mac addy for the mystery router, and 001EE5 is indeed cisco-linksys, not Netgear.

Or you could just rename your router SSID and monitor to see if it happens again.

Let us know what you find.


-K

[Superannuated]

Thanks for the reply.
* Yes, my guest network is off and has been for at least the last two years.
* I did rename my router SSID and gave it a new password. (I also changed all my banking passwords, etc.)
* A couple of weeks ago I tried to set up my iPhone as a hotspot, but my cell service provider doesn't allow that unless you call in and ask them to turn on that function. I did not call them so it was never activated.
* The mystery MAC address I mentioned in my original post was from the Attached Devices list provided by Netgear routerlogin.net. Is that necessarily the MAC address of the mystery AP, or could that be a separate device, i.e., someone logged in via the unsecured mystery AP before I changed the name of my SSID? At any rate, that MAC address disappeared from the attached devices list when I changed my router SSID name.
* I turned off all my devices capable of generating a network signal, although not all at the same time. The mystery AP still shows up on a network scan.
* I got my IP address from whatsmyip.org. However, now I cannot connect to the mystery AP. Perhaps that changed when I renamed my SSID. I previously didn't try to connect after I changed my router SSID because I was afraid of cyber theft not exactly knowing how that happens. The mystery AP still shows up as an unsecured network when my iPhone or MacBook searches for available networks, but after clicking on it I am not connected to the internet. Is there anyway of finding out the IP address of the mystery AP if it won't connect?

In summary, it is still a mystery to me.

[zman58]

In light of what you seem to be experiencing, I would investigate disabling the SSID broadcast from your router. You should be able to do this in the router configuration. Then also you should be able to manually insert the SSID when setting up clients. It will work on the clients just as well, but you will have to specify the SSID since it is no longer broadcast. That way, anyone who is snooping about won't know what your SSID on the router is set to.
So change your SSID but do not broadcast it.

[Kenn]

* The mystery MAC address I mentioned in my original post was from the Attached Devices list provided by Netgear routerlogin.net. Is that necessarily the MAC address of the mystery AP, or could that be a separate device, i.e., someone logged in via the unsecured mystery AP before I changed the name of my SSID? At any rate, that MAC address disappeared from the attached devices list when I changed my router SSID name.

Are you using a wireless bridge by chance?

Zenmap is a usefull tool for auditing your own network to help identify connected devices and what sevices they might be running. It's available via the Synaptic Package Manager. Zenmap is the GUI front end for nmap, the actual application, so let it install both.

Say your router uses 192.168.1.x. In the 'Target' box enter 192.168.1.1/24 to scan all 256 IP addresses in that range. Under Profile start with a 'Quick Scan Plus'. The others won't break anything so try them if you like. Some will finish in a few seconds, others will take much longer and output more info as their names imply.

Compare the results with what you see in the Attached Devices list on your Netgear. I like to keep an inventory of devices and their mac addresses.

I too like to disable SSID broadcast (aka hidden network), just know that the savvy can still see it using the appropriate tools.

Also, it couldn't hurt to update your router's firmware and of course always be sure you're using 'https' when logging in to your bank, etc.

-K

[Fred Barclay]

How close do you live to other people? Apartment complex in the middle of a city? Rural woods?

[Superannuated]

Thanks for the suggestions, folks.

I live in a city, so it is fairly dense with humans, but there are no large apartment or high rise complexes nearby. It is a neighborhood of 4-plex buildings (like town houses). There are 11 living units within a 25-30 meter radius of my unit. I don't think any of these units are occupied by tenants knowledgeable about networks.

I don't know what I am doing with ZenMap, but when I scan it shows two hosts, the wireless router and the computer that is connected by Ethernet cable. Our 3 devices that are connected by wireless don't show up. The 3 devices do show up with Netgear Genie. ZenMap is undoubtedly a good tool, but my immediate concern is whether the mystery extra AP was created by a human villain or arose from a software glitch. I'm starting to think that it is a software glitch, but I don't understand how the mystery SSID is broadcast when I turn off the wireless router, especially since it is now inoperative. Oh, well. At least I learned a little and I feel safer with the password changes.