Running through the hostapd and dhcpd logs recently gave me an interesting puzzle to have fun with – amongst various MAC addresses in my syslog I noticed a pattern that was repeating: an ID of an Android device (a Samsung phone) had been registering itself with two different IDs. A phone would offer the ID in a DHCPREQUEST, but the strange thing to me – at the moment I saw it – was that the dhcp server would give different IPs to different MACs, but both of those using the same ID of the device.
I started looking for the MACs of the devices I use, trying to eliminate various MACs from the log, and at first it made no sense at all – it was either a break into my WLAN, or my phone indeed had more than one MAC. To confuse me even more, turning on the bluetooth of the phone would spawn one more MAC in “Settings >> About device >> Status >> Wi-Fi MAC address”, and I couldn’t figure out what it had to do with the above-described situation found in logs, nor find any proofs. Could there be more MACs, activated and/or assigned under similar conditions, like using HDSPA, 4G?
Then I made an educated guess that it had to do something with my WiFi range extender, TP-Link’s TL-WA850RE, that I use to cover some of the less accessible parts of the apartment. I made an experiment, and proved to myself that the guess was a good one – walking away of the main WiFi AP and approaching the extender would have the phone quickly disassociate and then associate again, borrowing a MAC from the extender, but keeping the ID!
There, if you notice the same in the logs – strangely leased IPs to a same ID of a device that suddenly appears to have a ghost MAC – there is a slim chance that you have not been hacked. Yet… 😛