28

Provided that the hacker knows the WiFi password if any (WEP or WPA), is he capable of sniffing network data of other hosts connected to the same access point?

lisa17 (1,958 rep)
  • Depends on a couple variables, but generally yes. – Doug Mar 11 '12 at 13:25
  • In the sense that the hacker can just connect to the AP, then yes - once you're 'in the loop' as it were, WiFi is no different to a switched LAN. – lynks Dec 07 '12 at 12:09
  • See also: [Are WPA2 connections with a shared key secure?](https://security.stackexchange.com/q/8591/29865) – Ajedi32 Oct 02 '17 at 16:21

3 Answers

23

If an attacker has the password, then they could, for example, use Wireshark to decrypt the frames.

(Note, however, that there's no need to have a WEP password since it is a completely broken security algorithm. WEP keys can be extracted from the encrypted traffic by merely capturing enough packets. This usually only takes a few minutes.

Also, keep in mind that not all APs are built the same. Some can direct the RF beam in a much more focused way. Therefore, although you may be connected to the same AP, you may not be able to see all of the other traffic.)

logicalscope (6,344 rep)
6

There's a question very similar to this already, but not quite an exact duplicate.

Is it possible to get all the data I send through wifi?

That said, the answer I've given there applies fairly well here. So, I'll just cut-and-paste:

On any Wi-Fi network - encrypted or not, given today's Wi-Fi encryption protocols - any sufficiently skilled and equipped user of the network (and especially the network administrator) could easily access any data you transmit or receive via cleartext protocols. This includes usernames and passwords as well as web pages, documents, and other data sent or obtained via http, ftp, telnet, etc.

For open networks, gathering cleartext data is as easy as sniffing the traffic in the air. WEP security adds a slight barrier, but is still easily decipherable by even unauthenticated users.

WPA and WPA2 require a good bit more computational power for outsiders to crack, and much more time. For these, an attacker would most likely monitor traffic for a while and then take the data home for offline cracking. As with just about any cryptography, brute force will always win if given enough time. With WPA and WPA2, that just means a lot of time.

There are side-channel attacks on WPA and WPA2 though. Currently, the Wi-Fi Protected Setup (or similar) features in most SOHO routers have a weakness that will allow an attacker to gain access to your network in fairly short time. Once they've cracked your key through this method, they can join the network like any other user (provided you don't have other protections - most of which are trivially bypassable - in place).

For WPA and WPA2, there are known weaknesses that allow authenticated users (or attackers who have broken into the network) to sniff traffic as if it were unprotected. At this point, the only defense you have is encryption at higher levels of the network stack (i.e.: HTTPS). Even then, many of these higher-level protocols can be subjected to man-in-the-middle (MitM) attacks if the victim is less than vigilant in verifying their SSL certificates (or the attacker has a certificate from a compromised CA).

The only real additional threat that a malicious network administrator would pose is that they have access to the wired side of the network also. On the wire, traffic is not protected by the same encryption (WEP/WPA/WPA2) that applies to the wireless connection. Anyone on the wire could then sniff your traffic as if it had been sent across an open (unprotected) network on the air.

Iszi (26,997 rep)
  • Could someone please provide details on the WPA2 weaknesses? Are cleartext protocols secure on WPA2-secured wifi or not? (I know that I should rely on HTTPS, I just want to know) – M. Volf Feb 07 '21 at 18:45
3

Sniffing wireless traffic is shockingly simple if you use anything less than WPA2 to secure your network. It basically involves a client associated with your access point in promiscuous mode. This allows programs like Wireshark to see all packets broadcast on the network - he must of course have your wifi decryption keys but WEP is practically insecure to someone with very basic tools.

To make such an attack more efficient, the attacker would usually issue an APR (ARP Poison Routing) attack on the network. This involves the attacker announcing that he is your router and any data you have bound for the gateway then goes via the attacker. This makes him much more likely to see your data.

Once the attacker has created this foundation it is a matter of waiting and watching. A script on his machine can check the packets coming through until you do something over HTTP, the unencrypted transfer protocol which will enable sniffing of your cookies and passwords. Hence he may either be logged in as you in your e-mail account (I can confirm Yahoo Mail is vulnerable to this) or simply use that one password you used for, say, Neopets, to log in to your PayPal and drain your bank account.

deed02392 (4,038 rep)
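The answer above describes the ARP poisoning step an attacker on the same network would use to pull a victim's gateway-bound traffic through his own machine. From the defender's side, that step is also the most visible one: the gateway's IP address suddenly starts being claimed by a second MAC address. The following is an added example, not code from any of the answers, of a small monitor that learns IP-to-MAC bindings from ARP traffic and flags conflicts. The log format, the addresses, the gateway IP `192.168.1.1` and the records themselves are all constructed for the example; on a real network the records would come from a capture tool, and the gateway binding should be seeded from a known-good source rather than learned.

```python
"""
Added example: detecting the ARP-poisoning step described in the answer above.
All addresses and log lines below are constructed sample data, not a real
capture. The gateway IP is an assumption for the sample network.
"""
from dataclasses import dataclass, field

GATEWAY_IP = "192.168.1.1"  # assumed gateway address for the constructed network


@dataclass
class ArpRecord:
    ts: float
    opcode: str        # "request" or "reply"
    sender_mac: str
    sender_ip: str
    target_ip: str


@dataclass
class ArpMonitor:
    gateway_ip: str
    # ip -> mac. Seed the gateway binding from a trusted source where possible;
    # otherwise the first binding seen is trusted, which a poisoner who arrives
    # before the legitimate host could exploit.
    table: dict = field(default_factory=dict)
    alerts: list = field(default_factory=list)

    def observe(self, rec):
        """Learn a new binding, or return an alert dict if it conflicts."""
        known = self.table.get(rec.sender_ip)
        if known is None:
            self.table[rec.sender_ip] = rec.sender_mac
            return None
        if known == rec.sender_mac:
            return None
        # A second MAC claiming an already-known IP: the signature of a
        # poisoning attempt. Claims on the gateway address matter most, since
        # that is the address a client must resolve to reach the outside.
        severity = "high" if rec.sender_ip == self.gateway_ip else "medium"
        alert = {
            "ts": rec.ts,
            "ip": rec.sender_ip,
            "expected_mac": known,
            "seen_mac": rec.sender_mac,
            "opcode": rec.opcode,
            "severity": severity,
        }
        self.alerts.append(alert)
        return alert


def parse_arp_log(lines):
    """Parse constructed lines of the form
    '<ts> <opcode> <sender_mac> <sender_ip> -> <target_ip>'."""
    records = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, opcode, smac, sip, _arrow, tip = line.split()
        records.append(ArpRecord(float(ts), opcode, smac.lower(), sip, tip))
    return records


# Constructed sample: normal gateway/client exchange, then a third MAC
# claiming both the gateway's IP and the client's IP (classic two-sided poison).
SAMPLE_LOG = """
# constructed sample; not a real capture
1.00 request aa:bb:cc:00:00:01 192.168.1.1  -> 192.168.1.50
1.01 reply   aa:bb:cc:00:00:50 192.168.1.50 -> 192.168.1.1
2.00 request aa:bb:cc:00:00:50 192.168.1.50 -> 192.168.1.1
2.01 reply   aa:bb:cc:00:00:01 192.168.1.1  -> 192.168.1.50
5.00 reply   de:ad:be:ef:00:99 192.168.1.1  -> 192.168.1.50
5.10 reply   de:ad:be:ef:00:99 192.168.1.50 -> 192.168.1.1
"""


def run_monitor(lines, gateway_ip=GATEWAY_IP, known_bindings=None):
    """Feed log lines through a monitor; known_bindings pre-seeds the table."""
    mon = ArpMonitor(gateway_ip, table=dict(known_bindings or {}))
    for rec in parse_arp_log(lines):
        mon.observe(rec)
    return mon


if __name__ == "__main__":
    mon = run_monitor(SAMPLE_LOG.splitlines())
    for a in mon.alerts:
        print(f"[{a['severity']}] t={a['ts']:.2f} {a['ip']} expected "
              f"{a['expected_mac']} but {a['seen_mac']} sent an ARP {a['opcode']}")
```

Running it on the sample log yields two alerts: a high-severity one at t=5.00 for the gateway address and a medium one at t=5.10 for the client address. The monitor only reports; the corresponding mitigations are the usual ones, a static ARP entry for the gateway on clients that matter, Dynamic ARP Inspection on a managed switch, and client isolation on the access point so that associated stations cannot address each other at all.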