How to find out who's using your Wi-Fi: from simple analysis to protection

Have you noticed strange activity on your router's indicator lights when all your devices are asleep? Or has your internet connection become noticeably slower during off-peak hours? These signs often indicate that an unauthorized user has connected to your wireless network. Unauthorized access Not only does it steal your traffic, but it also puts personal data stored on connected devices at risk.

Modern methods for detecting "freeloaders" range from viewing the client list in the router's web interface to using specialized software for deep packet analysis. In this article, we'll discuss how to identify intruders, which tools are best suited for this task, and how to immediately block access to uninvited guests. Home network security — this is not an option, but a necessity in the era of smart homes and digital payments.

Before panicking and changing passwords, it's important to ensure that the slow network is actually caused by Wi-Fi theft, not by provider issues or overheating equipment. Users often confuse background operating system updates or 4K streaming with malicious activity. However, if your balance is depleted or your speed has dropped to critical levels, checking your list of connected devices becomes a must.

Symptoms and signs of unauthorized access

The first warning sign for a router owner is usually an unstable connection speed. If you're paying for a 100 Mbps plan, but your download speed barely reaches 5 Mbps, you should be wary. This is especially suspicious if it occurs at night or when everyone is out of the house. Traffic consumption The impact on a third-party device can be enormous if someone is using your network for torrents or watching high-definition movies.

Another clear sign is unusual behavior of the wireless indicators on the router. The Wi-Fi light, which should be steady or blinking slowly when idle, begins to flicker frantically. This indicates a constant exchange of data packets, which is unusual for a dormant network. Also, pay attention to access to network printers or NAS storage devices: if devices suddenly become unavailable or malfunction, someone may be trying to scan your local network.

⚠️ Warning: Some modern viruses can turn infected computers into parts of botnets by generating background traffic that appears to be activity from an unauthorized user.

Don't ignore direct notifications from your antivirus software or firewall about intrusion attempts from your local network. If the security system reports a port scan from an unknown IP address within your subnet, it almost certainly indicates an intruder's presence. In such cases, it's essential to immediately conduct a full audit of your connected clients.

Checking via the router's web interface

The most reliable and accurate way to find out who's using your Wi-Fi is to check your router's admin panel. This displays complete information about all active connections in real time. First, you need to find out the IP address of your default gateway. On Windows, you can do this via the command line by entering the command ipconfig and find the line "Default gateway." This is usually an address like 192.168.0.1 or 192.168.1.1.

By entering the address in your browser, you'll be taken to the login page. If you haven't changed the default settings, your login and password are often found on a sticker on the bottom of the device (standard pairs are admin/admin or admin/password). After logging in, look for a section that may be called "Status," "Condition," "Wireless Statistics," "Client List," or "DHCP Server." This is where you'll find a list of all your connections. MAC addresses connected devices.

📊 How often do you change your Wi-Fi password?
Once a month
Once a year
Never changed
Only when purchasing a router

In the list, you'll see combinations of numbers and letters—these are MAC addresses. To identify which ones are which, compare them to the addresses of your devices. You can find the MAC address of your phone or laptop in the network settings (About phone -> Information or in the adapter properties). If there's a device in the list that you can't identify, it's the intruder.

Modern routers from TP-Link, Asus or Keenetic They often have a graphical representation of the network, where devices may have names (for example, "iPhone-Ivan" or "Samsung-TV"). This significantly simplifies the task. However, if the device name appears as a string of characters or the generic "Android," further verification is required. In complex cases, you can temporarily disable devices in your home one by one and monitor which ones disappear from the list in the router admin panel.

Using specialized programs and applications

If you find tweaking your router settings too complicated, specialized network scanning utilities can help. They automatically detect all devices on your subnet and present information about them in a convenient format. One of the most popular tools is Wireless Network Watcher from NirSoft. It's lightweight, requires no installation, and displays the IP address, MAC address, network card manufacturer, and device name.

For smartphone users, there are mobile applications such as Fing or Network ScannerSimply connect your phone to Wi-Fi and run a scan. The app will display a complete network map, including hidden devices, open ports, and even potential vulnerabilities. This is a great way to quickly check the situation from your couch, for example, without having to turn on your laptop.

How secure are third-party scanners?

Most popular scanners (Fing, Wireless Network Watcher) are safe and use standard ARP request protocols. However, download them only from the developers' official websites to avoid modified versions containing malware.

More advanced users can use the utility Advanced IP ScannerIt allows you not only to see devices but also to access shared folders (if they're open) or remotely control computers. The list of devices often displays the network card chip manufacturer, which helps identify the device: for example, a MAC address starting with the "Apple" prefix clearly belongs to a product from the Cupertino company.

MAC address analysis and device identification

The key element in identifying a "freeloader" is the MAC (Media Access Control) address. This is a unique identifier assigned to the network interface during manufacturing. It consists of 12 hexadecimal digits. The first six digits (OUI - Organizationally Unique Identifier) ​​identify the device manufacturer. Knowing the manufacturer can help narrow down the search.

For example, if you see a device with a MAC address starting with 00:1A:2B, and a search of the OUI database shows that it is Huawei Technologies, and you don't have appliances of this brand in your home, this is cause for concern. Below is a table with examples of popular manufacturer prefixes:

MAC Prefix (OUI) Manufacturer Probable device
00:1E:C2 Apple, Inc. iPhone, iPad, Mac
3C:5A:B4 Google, Inc. Android, Chromecast
00:26:F2 Intel Corporate Laptop, PC with Intel Wi-Fi
B8:27:EB Raspberry Pi Foundation Smart electronics, servers

This means the phone may present itself to the router as a random address each time it connects to a new network. However, if you see multiple unknown devices from different manufacturers appearing and disappearing, this is a clear sign of unauthorized scanning or connection.

⚠️ Warning: MAC addresses can be spoofed. An experienced user can disguise their device as your printer or TV to remain undetected.

Methods for blocking uninvited guests

Once you've identified the intruder, you need to immediately block their access. The simplest, but not the most effective, method is to change the Wi-Fi password. This will disconnect all users, and you'll have to reconnect all your devices. It's a drastic measure, but it's guaranteed to eliminate all the "freeloaders."

A more flexible method is to use Blacklist (blacklist) or Whitelist (whitelist) in the router settings. In Blacklist mode, you add the intruder's MAC address to the blacklist, and the router blocks their access while other devices operate normally. Whitelist mode (MAC filtering) is even stricter: only devices whose addresses are explicitly listed are allowed to access the network. This is the most reliable protection method, although it requires manual configuration of each new device.

☑️ Action plan if a hack is detected

Completed: 0 / 4

It's also worth checking if WPS (Wi-Fi Protected Setup) is enabled. While it allows you to connect with the push of a button, it's often vulnerable to attacks that allow someone to brute-force the PIN and gain access to the network in minutes. Disabling WPS in your router's settings is a mandatory step for increased security.

Strengthening wireless network security

To prevent a repeat incident, you need to ensure reliable security for your network perimeter. First and foremost, use a modern encryption standard. WPA3 Or at least WPA2-AES. Older WEP and WPA-TKIP protocols can be cracked in a couple of minutes, even by novices using smartphones. Make sure AES is selected in your wireless network settings.

Your passphrase should be complex: at least 12 characters, including uppercase and lowercase letters, numbers, and special characters. Avoid using names, birthdates, or simple sequences like "12345678." It's a good practice to change your password regularly, at least every six months.

Don't forget to update your router's firmware. Manufacturers regularly release security patches that close holes that allow hackers to access the device. Many modern models can update automatically, but it's best to check for a new version manually in the "Fixed" section. System Tools -> Software Update.

Frequently Asked Questions (FAQ)

Can my neighbor steal my Wi-Fi if I changed the password?

If you've changed your password to a strong one and upgraded the encryption protocol to WPA2/WPA3, it's impossible to steal your Wi-Fi connection. However, if you have WPS enabled or the password was written down on a piece of paper that a neighbor got hold of, access is possible. The password could also have been saved on a device used by someone else.

Does the Wi-Fi owner see what websites I visit?

The router owner (administrator) can technically see the DNS request history, meaning the domain names of websites visited online. They won't be able to see the content of pages (passwords, messages) transmitted over the secure HTTPS protocol, but they will know that the website was visited.

Why is my phone listed as "Unknown" in the device list?

This is normal for many mobile devices. They don't always broadcast their commercial name to the network. They can be identified by their MAC address (manufacturer) or by a process of elimination, disabling Wi-Fi on known devices and watching for "Unknown" to disappear from the list.

Is it dangerous if a stranger connects to Wi-Fi?

Yes, it's dangerous. An attacker on your network could attempt to attack your devices (laptops, cameras, smart plugs), intercept unencrypted traffic, or use your connection for illegal activities, which could lead to questions from law enforcement regarding you as the provider owner.

In conclusion, maintaining control over connected devices is a basic digital hygiene skill. Regularly check your router's client list, monitor for unusual activity, and don't neglect security settings. Your network is your digital fortress, and it's up to you to decide who has the keys to it.