Who's stealing my bandwidth?
June 30, 2018 7:01 AM   Subscribe

Someone is siphoning away between 10GB and 30GB of my residential bandwidth every day. What are my best steps for tracking this down?

Going to try to include everything here that may be relevant.

Provider is Videotron in Montreal. Package includes 130GB download monthly. On various days recently I've seen as much as 30GB downloaded in a day. Wednesday and Thursday it was 10GB. These were days when I've done a little news browsing in the morning and evening but have been out all day at work.

I only realized shenanigans were going on when I got an automated warning I'd used up half my bandwidth at about six days into the cycle. Bumped it up to unlimited for one month while I try to figure out the leak.

I have a recent "modem" from Videotron and an oldish Linksys WRT54GL wireless router set to WPA2 Personal. The Linksys is running the latest firmware version for that model, which is a couple of years old now: Firmware Version: v4.30.16.

I've since changed the name of my wifi network and the password, but while the thefts seem to have declined from 30GB daily to 10GB they have not stopped.

Looking at the DHCP Active IP Table I can see my own devices: two computers, ipod, iphone and ipad. Nothing else. The main computer name always shows up twice but that's because it's connected both by wifi and ethernet.

I've never given wifi access to anyone else.

Videotron's tech was not much use and said he couldn't look to see what kind of stuff had been downloaded.

Colleague at work listened to this explanation and suggested a new router. That's a possibility but I'm inclined to do a little more detective work first. I also mean to hassle Videotron a bit more about this soon.

I live in a multi-residential building in the city and can see at least a dozen other networks around me. Is local wifi theft the only possibility, or are there other ways people can steal bandwidth?
posted by zadcat to Computers & Internet (27 answers total) 6 users marked this as a favorite
Can you see reporting of what bandwidth your devices are using? Honestly, these numbers sound like background software updates. You don't say what your computers are, but Windows 10 is very aggressive about downloading and installing updates. iOS also does App updates quietly and in the background.
posted by tomierna at 7:04 AM on June 30, 2018 [5 favorites]

Do you watch much YouTube? Netflix? 1080p 60fps video from YouTube alone consumes hundreds of GB at home for me a month and is something you might not think about.
posted by floam at 7:07 AM on June 30, 2018 [1 favorite]

Response by poster: I am running only Apple devices. Nothing is set to update automatically.

I do not have Netflix or similar services. Now and then I watch a couple of Youtube videos but not every day.

I should also have added: the thefts have been happening when I leave the wifi up but the devices sleeping. It doesn't happen if I simply unplug the "modem" when I'm out all day.

(Note to mods: I know you frown on thread-sitting but in this case I think clarifying the technical situation justifies some.)
posted by zadcat at 7:17 AM on June 30, 2018

Could one of your devices have been compromised?
posted by eirias at 8:07 AM on June 30, 2018 [3 favorites]

Check whether a web browser is pointed at YouTube, and autoplay is turned on.
posted by at at 8:11 AM on June 30, 2018

Try actually disconnecting your devices from WiFi/enternet instead of just sleeping them. A utility running in the background on your Mac seems like the most likely culprit.
posted by supercres at 8:14 AM on June 30, 2018 [9 favorites]

10GB a day is more than normal background updates. Either one of your devices is compromised, is doing something strange, or your router itself is hacked.

The easiest way to verify this is to have the router report bandwidth usage on a per-device basis. I don't think the stock WRT54GL firmware will do that, but it's still possible to flash custom firmware on it like Tomato-by-Shibby or OpenWRT. They will give you a nice table of bandwidth per device. But honestly that WRT54GL is an ancient router. It's worth upgrading to a new router for lots of reasons, particularly for 802.11n and 802.11ac Wi-Fi. Wirecutter currently recommends a $160 Netgear router; the $70 TP-Link is probably just fine too.

I'd say it's 50/50 that if you upgrade the router's firmware or the router itself, this problem will go away. That would suggest your router was hacked.

Other ways to figure out the source.. You could actually power off devices for the day; sleep isn't enough, they can wake themselves up. Or dive into the bandwidth monitoring tools on each device. In Windows 10 and MacOS this is pretty easy, I think iOS requires third party apps to monitor bandwidth usage on WiFi.
posted by Nelson at 8:17 AM on June 30, 2018 [4 favorites]

Have you toggled off UPnP?
posted by glibhamdreck at 8:24 AM on June 30, 2018 [1 favorite]

The stock firmware includes very basic traffic logs, so at least you can see which devices are connecting from inside your network. The local network addresses of your devices should change much (if at all), so if you see anything in the log from a different internal address, that may be the culprit.

I don't know if it's still effective, but the old way of limiting this was only allowing certain known devices to connect based on their hardware (MAC) address. This is probably laughably futile these days.

I admire your tenacity for even trying Videotron tech support at all.
posted by scruss at 8:30 AM on June 30, 2018 [2 favorites]

Is local wifi theft the only possibility, or are there other ways people can steal bandwidth?

I'm assuming this is a cable connection that comes into your apartment and plugs into the cable modem there? If so, it's extremely unlikely that anyone else could be using it. If it terminates in the basement and comes up into your apartment as Ethernet, then there's some slim possibility someone could be gaining access like that.

It's within the relm of possibility that their bandwidth monitoring software is buggy, especially if it's skewing in their favor.

I'd agree that reflashing the router is the next step to try. If you put DD-WRT on it, you can get ongoing updates and it allows you to monitor bandwidth by device.

I'm unaware of malware that would work on your router that's known to be used in a way that would target someone like you, but it's possible that it's time to just upgrade to something new and supported.
posted by Candleman at 8:36 AM on June 30, 2018

This happened to me. Well, it turned out to be uploading instead of downloading, but still…

Here, TLDR, there's a bug in Apple's iCloud Drive for Windows which caused it to upload ~~4 Gb in 20 minutes or so. I'm not suggesting that it's the same bug, necessarily, but definitely try running GlassWire on one of your machines and watching the network traffic for a while.
posted by Alensin at 8:46 AM on June 30, 2018 [4 favorites]

Oops. Obviously, my usage was from *downloads*, not uploads. I misremembered. THat's an identical symptom, then.
posted by Alensin at 9:00 AM on June 30, 2018

We didn't think to check our usage, but just replaced our old router and our internet speeds - which had slowed dramatically over the last two years - increased by a factor of 10. Hacked seems plausible.
posted by Lady Li at 9:26 AM on June 30, 2018

Could a device be hacked and running a bitcoin miner or other malware?
posted by theora55 at 9:40 AM on June 30, 2018

I would turn of the WiFi, and Bluetooth if they have it, on the computers to see if it has an effect. Especially the computer that is also connected by Ethernet.
posted by SemiSalt at 9:42 AM on June 30, 2018

Best answer: I've had cloud syncing services stuck in a retry loop on my Windows PC. Problems syncing a set of folders would cause timeouts, which would subsequently restart automatically at a later time. On my Android phone I had an update that kept failing to install and got stuck in a download-install-fail-retry loop. In both cases it chewed through my bandwidth in a hurry.

Given that you're seeing mystery downloads on a daily basis, you could try disabling network communications on each of your devices for a day. You might be able to identify an offending device that way.
posted by gox3r at 9:49 AM on June 30, 2018 [3 favorites]

If you only have Apple devices, ie your computers are Macs, I really like TripMode for monitoring (and shutting off as needed) apps from using data. I was surprised to learn that just keeping Chrome open all day, with a bazillion tabs open, uses multiple 100s of MBs a day -- even though i'm not even home and my laptop should be sleeping. *shakes fist at google*
posted by cgg at 9:51 AM on June 30, 2018 [1 favorite]

Also, you've reset your router by now I assume?
posted by cgg at 9:52 AM on June 30, 2018

It doesn't happen if I simply unplug the "modem" when I'm out all day.

Do the Videotron modems broadcast an open hotspot, the same way Comcast-provided modems do? Or, are any of your i-devices broadcasting a mobile hotspot?
posted by Thorzdad at 10:54 AM on June 30, 2018

On your Macs, you can open up Activity Monitor in /Applications/Utilities, and switch to the Network tab. You can see how many MB each and every process on your system has sent/received (since after you started it) in the list and it has a little graph. It'll also show you how much your system has downloaded/uploaded since you logged in on the bottom. If it's a big number like it is on my system, you know you've probably at least found the right device. Keep the tool open for a few hours and you'll be able to see see which application it was.
posted by floam at 12:04 PM on June 30, 2018 [2 favorites]

People seem to be missing this in their suggestions:

"I should also have added: the thefts have been happening when I leave the wifi up but the devices sleeping. It doesn't happen if I simply unplug the "modem" when I'm out all day."

I think you're going to have to do some additional testing. The first step is to determine whether this happens on the router or modem. You mentioned that it stops when you unplug the modem, but does it continue when the router is unplugged? If the router is unplugged, and it continues, it's not the router.

If it stops when the router is unplugged, then it's the router. The next step is to turn Wifi off on the router and see if it continues. If it stops, you've narrowed it to Wifi and it's probably time to buy a different router or flash new firmware.

If it continues with the router off, I'm with Thorzdad in that the modem might have an open Wifi network on it, or a network configured with a simple default password. Also, if you're plugged into building Ethernet wiring, it could be being tapped that way.
posted by cnc at 2:00 PM on June 30, 2018 [1 favorite]

I was also going to recommend using Glasswire to see what's eating your bandwith, but it looks like it's not available on Mac yet. Radio silence is a mac alternative recommended on reddit, though I haven't used it myself.
posted by gennessee at 2:38 PM on June 30, 2018

check your router for latest firmware, then after it is updated, leave it unplugged from power for 10 minutes and plug it back in. if you are being hacked this should cause some of the connections to time out at least.
posted by evilmonk at 4:06 PM on June 30, 2018 [1 favorite]

cnc, "devices sleeping" doesn't necessarily mean they are not doing anything. He's got Macs, which have a feature called Power Nap which has the system periodically wake up with the display still off or closed for registered processes while it appears asleep. So that things can download. It's why when you wake up a MacBook it already has your newest email, notifications, system updates downloaded. The system can also be woken up while asleep by WiFi. I wouldn't rule out any machine that isn't truly turned off.
posted by floam at 5:03 PM on June 30, 2018 [3 favorites]

130GB is just not very much these days, and modern software does NOT even remotely attempt to conserve bandwidth at all. Like mentioned above, even just Chrome will constantly refresh tabs and pre-cache all the links you haven't even clicked yet just by leaving a browser open. I would guess iCloud or updates or something running in the background before something being compromised. 10GB a day is not a lot. Even if you're just reading the news, seems like a lot of news sites these days auto-play videos everywhere.

If someone else in your building were accessing the wifi you would see their device show up in the connection logs on your router, there's no way to hide that. It's possible your machines are compromised but it sounds like you are a light user on Macs... I think that's unlikely unless you are running ancient versions of OS X.

I would install Little Snitch (a firewall) on all your Macs and then approve every connection manually. If something is running updates constantly in the background, that is one way to find out. Your router is definitely pretty old, I would flash DD-WRT on it to eliminate the possibility of out-dated security.
posted by bradbane at 1:10 AM on July 1, 2018

@floatsam Thanks for the additional info. I think narrowing it to the router and then to Wifi makes sense as the first couple of steps. Then start disconnecting devices until it stops once you've determined it's not external. Once you have the guilty device, then dive in to see what's actually happening. OP could also do this in reverse, by disconnecting devices one a time, if they suspect that the culprit is internal.
posted by cnc at 3:59 PM on July 1, 2018

Response by poster: My network downloaded 60GB yesterday, although I was only doing a little light browsing. So I read all the responses here and started with floam's advice about checking the network tab in Activity Monitor.

The numbers on my main mac were about what I'd have expected. But the Macbook was crazy. This is an old machine parked in my kitchen to play audiobooks and the occasional radio newscast – no streaming, no torrenting, hardly even any browsing – and it had racked up 150GB in downloads.

I updated its OS and today my usage is down below 1GB again. I know it's not necessarily fixed so next I'll be running Disk Inventory on the drive and some other things to see if anything is lurking. But I suspect it got stuck in some refresh loop or the like.

Thanks to everyone who responded. All the comments have been useful in helping me think this thing through.
posted by zadcat at 4:34 PM on July 1, 2018 [4 favorites]

« Older Need a good email client for Windows 10   |   Making snacks to stave off boredom Newer »
This thread is closed to new comments.