2

There are several questions addressing similar questions, but not quite the same (others ask about MITM attacks). They also state conflicting and opposing answers/responses, so I ask here 3 specific questions regarding accepting a company’s Wi-Fi certificate when connecting to their network, which is controlled with corporate account credentials to access, on a personal device.

Basically, authentication occurs via company account (email) credentials when selecting the secure network. Once verified, it asks to accept, “Trust” a Certificate as such: Trust Certificate.

Looking through the details, I add this to help answer my questions: cert details

  1. Does accepting this certificate give the company the right to access my phone? I.e., does it give some sort of root access or anything like it that allows them to view/access data on my phone? This means accessing both information on the actual device (photos, emails, etc.) and data/information being transmitted via the network. I don’t mean monitoring, but being able to access my phone.
  2. If they can only see/access the data being transmitted through the network (monitoring basically), is this generic like base destination URLs or would it be specific addresses and actual content?
  3. How would all this be affected by using an independent VPN service? (Someone recommended using it in other questions)

I basically want to know how much right/privacy I would be giving up by accepting to trust this certificate.

As far as I can tell, it may only be for authentication, but is it really only that, and what am I further agreeing to by authenticating? For all I know, I could be agreeing to the company accessing data on my phone.

Thanks in advance!

bretonics

2 Answers

0
  1. No, you're simply installing a certificate that serves to bolster the legitimacy of the RADIUS server you're authenticating with (and encrypt LAN connections).

  2. If you're talking about SSL decryption, of the kind done in your average corporate network, no. By accepting their certificate, you're not accepting a certificate authority-- you're simply accepting that the certificate will be used to encrypt connections between you and the router. Unless you're using a VPN service or encrypted DNS, they would be able to see the hostnames you're visiting, but nothing more.

  3. The security of a VPN service shouldn't be impacted by this at all. Again, you're not accepting any sort of certificate authority. That certificate can't be used for anything other than encrypting the connection between you and the router. OpenVPN profiles and such come with their own certificates, anyway, if I recall correctly (tell me if I'm wrong here).

cheers
  • Thanks. #2 seems to be key here, and so, if I’m not using a VPN they only see hostnames visited, correct? What if a VPN was used then? Also, if I understood correctly, the SSL decryption you mention is only if I was accepting a certificate *authority*. – bretonics Jul 02 '18 at 17:36
  • Yes, that's correct. If you were using a VPN, they would see an encrypted stream to a single hostname or IP address-- that of the VPN (assuming the VPN connection is set up properly to prevent DNS leakage). They cannot perform SSL decryption without having you accept their certificate authority (excluding attacks like SSLStrip/+, which aren't SSL decryption *per se*, but might allow them to view plaintext traffic; a VPN or SSL preload list would prevent this). – cheers Jul 02 '18 at 18:39
0

> Does accepting this certificate give the company the right to access my phone? I.e., does it give some sort of root access or anything like it that allows them to view/access data on my phone? This means accessing both information on the actual device (photos, emails, etc.) and data/information being transmitted via the network. I don’t mean monitoring, but being able to access my phone.

No. At this point, you have given your credentials to your device to connect to the wireless network. Depending on the actual device and how it is configured, the EAP supplicant has passed a username to the authentication server, but not the password. The reason a username is required at this point is that it may be used to proxy your authentication request to a different RADIUS server.

Your password (and actual or inner username if your device uses a different outer username) have not been sent to the authentication server at this time. Instead your EAP supplicant is now attempting to establish a TLS tunnel to securely pass this information to the server. Since your device is not able to connect to any network resources at this time to validate if the authentication server is correct or the certificate is valid, it is asking you to provide this validation.

Check my answer here if you want a more in depth answer on this process.

> If they can only see/access the data being transmitted through the network (monitoring basically), is this generic like base destination URLs or would it be specific addresses and actual content?

They will be able to see source/destination IP addresses, TCP/UDP ports, and unencrypted data. Although this is as a result of you using their network, not because you accepted the certificate for authentication. This will be the result no matter how you access their network.

If you are using HTTPS, they should not be able to see any part of the URL in the request, although they may have a solution in place that can make (sometimes very intelligent) guesses as to the type of request you have made. Of course, if the site you are accessing through HTTPS is using older weak/broken cipher suites, then this may not be providing the protection you expect. You can always check to see if the HTTPS site is using weak SSL with a resource like Qualys SSL Labs.

> How would all this be affected by using an independent VPN service? (Someone recommended using it in other questions)

They would again be able to see source/destination and TCP/UDP ports. Other information passed through the VPN tunnel would not be usable to them. They will also not have much context for any solution they are using to determine what you are doing in the tunnel, other than VPN.

Depending on your configuration, you may still leak information. For example, your DNS queries may use their local servers rather than a resource through the VPN tunnel to resolve hostnames/domains to IP addresses. This would allow them to at least know what you are accessing.

YLearn