Who can spy on my wifi usage and websites I visit?

  • I'm using a WPA/WPA2 encrypted WiFi.

    Who can view what I'm doing? Also how? Can the person that pays for the WiFi look up exactly what I am doing (e.g. look up exact messages I've sent on Facebook)?

  • Contrary to a common misconception, the network key is not the encryption key. The WiFi communication is encrypted on its own using a key exchange protocol.

    This makes it impossible for anyone without abnormally huge processing power to decrypt anything that goes through.

    That said, if the person controls the router, that changes things as the router can see everything that goes to the Internet which is not encrypted.

    The router can see..

    • everything you send and receive that is not encrypted including documents, pictures, URLs, emails
    • most hosts that you visit even if using HTTPS because of its DNS server which allows the hacker to match the IPs with the hostname even if the HTTPS protocol can hide it
    • the type of things you do based on certain factors like the port number, bandwidth used in both directions, and session duration

    Some would tell you that you might want to use a VPN to hide most stuff from the wifi router's owner, but you would then put it in the hands of a total stranger which is not better.

    Real solutions include (and may combine):

    • Using secured connections for everything you prefer to keep private.
    • Getting your own Internet connection, therefore being free from the undesirable watchdog.

    So, based on all that, Wifi peers are of very limited risk of knowing more than the bandwidth patterns which may be spied on. The only people who really have access to spy on what you do are upwards in the network, starting with the Wifi router's owner which could see everything that I mentioned can be visible.

    Any other equipment on the network path followed by each of your connection can see the same kind of things in their context which is typically limited to one (or very few) connections you do. The closer they are to you, the more they can see, which means that your ISP would see almost everything that your Wifi router's owner would.

    Didn't my answer make it clear that the wireless communication is quite secure and that the only ones who can see what you do are higher in the network starting with the router's owner?

    No it doesn't make it clear. I wish it was, that's why I commented. And the question does not express any misconception, so already the first paragraph of this answer instead of answering anything, causes reader to wonder what the common misconceptions are. Not so directly, but somewhat similar to a dialogue: "ok, so who can decrypt my messages?" - "no, you are wrong!".

    I added two paragraphs to more specifically answer you.

    Specifically answer me?! Can you quote the part of my comments in which I asked for something more specific than what OP asked in the original question?

    Not sure why you're mad but I put the clarification requested based on your conclusion that my answer lacked a precise answer to the question. I thought that someone capable of reaching this site would be able to come to the logical conclusion themselves but I tried to make it pretty clear as requested.

    First you wrote: "more specifically answer you". The only communication channel we have is through these comments, so I asked which words are you specifically answering (because I don't think you can read my mind and answer something that's not written above). To that you reply implying that *I am mad*. Would you kindly please stop talking about me and refer to what you have/know? I don't know you, I don't know what you are feeling and thus I don't comment on you, your emotional state, or anything I have no idea about. Try doing the same.

  • Who can view what you are doing?

    You, anyone that uses the same router (assuming you're not in Access Point isolation mode), anyone that has access to the router's access logs, possibly including the person that set up the router, and the Internet Service Provider. WPA prevents other people without access to the router from viewing your data casually from simply capturing the radio signals and logging the encoded data.

    Also how?

    This varies by brand and firmware. Some routers let you set up a log server, others have internal logs that can be viewed from the admin panel. Some routers don't offer any logging, but can be upgraded to a custom firmware that allows either of the previously mentioned methods. Some research would need to be done to determine what the router's capabilities are or if custom firmware is available (usually some form of portable Linux).

    Can the person that pays for the wifi look up exactly what you are doing?

    Possibly. If the sites you're using do not force HTTPS and do not use HSTS (basically, client instructions to always connect securely), then it's as easy as logging the data as it comes across the router. If the router is using custom software, it might be able to intercept secure requests at the cost of raising a red flag (either a security certificate error, or the pages won't be in HTTPS in the browser, indicated by a padlock icon). Either way, unless you also configure your own DNS servers or use a VPN, the router normally serves DNS requests, which means it knows every website you attempt to visit.

    I.e. Exact messages sent on Facebook?

    If the "person paying for the wifi" doesn't want to raise fairly obvious red flags, the best they can do is know that you're using Facebook, and for how long you've used it. They can't read the messages you've sent, or even know what your username and password is. In other words, they can see the sites you visit, but they don't know what you're doing while you're on those sites. On the other hand, your question posted here on Information Security could have been logged, and they would know you were here (and, by extension, they can click on your username to see everything else you've asked).

    Note that Incognito/Private mode does not protect against this level of logging. When you use the Internet, you should always assume that anyone between you and the server you're talking to knows that you're talking to a specific server. More importantly, you should realize that even secure sites may be logging your activity, which could be used against you if requested by law enforcement. The same is also true for your Facebook messages. The person paying for the Internet connection might not be able to read your messages, but law enforcement can certainly request a log directly from Facebook.

    To be clear: it's control of the AP and net access that matters, not payment as such. In the modern world, you often control things because you pay for them, but not always.

  • Yes, it is possible. Hacking the WiFi is the hard part and would most likely not be the method used. Unless you have a real easy to guess password like a name, place, commonly used words.

    Most likely way would be from your computer, if you have a back door or virus on your PC, then someone could monitor everything. Who else has access to your PC, another possible way to compromise your PC. Have you configured you browser properly, I highly recommend Firefox. Do you use anti-virus? How do you know its safe? What software have you downloaded and did you check its MD5 to make sure it was the original and not injected with a virus.

    It matters who is in control of the WiFi network, anyone may be able to monitor you if they have something setup on the network to monitor it. Then they could intercept your traffic. Learn Wireshark and you will understand what I mean. Also learn how IDS (Intrusion Detection Systems) and Anti-virus software work and how they are bypassed. Only then will you understand how to be as safe as possible. It is impossible to be 100% secure. You are only trying to minimize the potential as much as possible.

    The only way to be safe is trust nothing, and test everything yourself and research as much as you can. The more you know, the more power you have over what you can control.

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM