
It seems that every question I've researched on this topic makes the general statement "on my home wifi network" which doesn't specifically address my question.

I'm about to start a new job working remotely at home using a laptop and phone provided by my new employer. I do not want my employer's equipment to be able to snoop on any wireless or wired network activity that is done by any of my personal devices.

I understand that anything I do on their equipment has no expectation of privacy. I am only interested in what an employer can technically do to invade my personal privacy, not what an employer might do or should/shouldn't do per U.S. law.

I have 4 networks set up in my router, each with its own password. My router has its own unique password. Each network is WPA2/PSK-protected.

The questions I have are:

  1. If I dedicate one of my wifi networks to my employer's equipment, is the wireless traffic on any of the other 3 networks vulnerable to packet sniffing by my employer's equipment/software?

  2. If I did the above, would my employer's equipment/software be able to snoop on any network traffic history that was done on that network (i.e., the one now dedicated to my employer's equipment)? If so, does clearing the router log suffice to protect my privacy?

  3. Is getting a second line into my house and dedicating it to solely work-related activity a safer approach? Would any traffic on the other (i.e., original) line be vulnerable to snooping by equipment on the new second line?

Thanks for any advice.

Scott
  • With respect to item #3, each line would have its own cable modem and router. (And, each router would have a non-factory, unique password.) – Scott May 30 '22 at 02:32

2 Answers

  1. If the WPA2 PSKs are not provided to the work computer, it should not be able to sniff traffic from other VLANs as it will be encrypted.

  2. Unless your router is compromised and/or broadcasting its logs, getting access to them is unlikely.

  3. Getting another router would probably be a better trade-off (security vs convenience/cost) than getting another line altogether, as they both accomplish the goal of creating a separate LAN.

belkarx
  • Although this might be a good use case for VLANs (Virtual LANs), nowhere does the OP talk about VLANs. – Marcel May 30 '22 at 06:04
  • I'm not very network savvy, so I don't know what a VLAN is. Maybe it is the same as each network I can create via my router's software or maybe it isn't. If possible, I'd like to solve this problem without over-complicating things, which is why I asked the questions the way I did. I'm looking for answers, if possible, in terms of what I laid out in my questions. – Scott May 30 '22 at 06:38
  • @Marcel OP said there are 4 separate networks on one router. Presumably configured using the router's web interface, and that *should* create them as VLANs (depending on the hardware). – belkarx May 30 '22 at 19:04
  • @Belkarx That clarifies the relationship between VLAN and what I was referring to as "networks created in my router." Thanks. And, yes, they were indeed created via the router's web user interface. – Scott May 31 '22 at 09:33

Since, from your perspective, the equipment from the company is essentially a black box, the answer is yes, they can.

See "Is promiscuous mode sufficient to sniff packets in a wifi network?" for how sniffing works. It does not even need to connect to your private WiFi network; passive listening is sufficient. There are tools like aircrack-ng to do that; they could hide one in their boxes.

With this approach the company might detect metadata like:

  • The presence of any active WiFi Equipment
  • With the MAC address, get make and model
  • Estimate traffic bandwidth used by each device

When they crack the WiFi password (which is practical, e.g. via this WPS vulnerability), they could also get the content of the packets, exposing the communication content if it's not further protected.

Marcel
  • Thanks for link. That thread refers to "...to receive all wireless frames on the current channel." "Current channel" is ambiguous to me. Does it mean "only on that network" (e.g., the one I dedicate to the work box)? Or, all networks? Also, what if I have two cable lines? Can the work box access wireless frames of any network on the other line? – Scott May 30 '22 at 16:14
  • Per @belkarx's suggestion, would packets of the networks on the 2nd router be safe from inspection by the work box on the 1st router (or, vice-versa)? – Scott May 30 '22 at 16:53
  • > When they crack the WiFi password (which is not so hard)
    WPA2 is certainly not easy to crack if the password isn't in one of the common brute-force lists. As long as the password is secure, even if the company is sniffing data, it will remain encrypted. – belkarx May 30 '22 at 19:42
  • Re "channels": It would likely be scanning one (or all in a loop) of these: https://en.wikipedia.org/wiki/List_of_WLAN_channels, regardless of any actual set up WiFi network. – Marcel May 30 '22 at 21:53
  • @belkarx I added a link to a practical WiFi password attack notice by the CISA. – Marcel May 30 '22 at 22:03
  • @Marcel this attack is on WPS. OP stated he used WPA2, which mitigates such attacks. – belkarx May 31 '22 at 02:16
  • @belkarx Thank you for explaining that WPA2-protected packets are safe from employer snooping, as long as the password is strong enough. This is the kind of assurance I've been looking for. – Scott May 31 '22 at 09:24
  • @Marcel Thank you for the link about channels. Now I know where the term "channel bonding" originates, as well as how they relate to the higher-level term "network". – Scott May 31 '22 at 09:26
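As an added example (not code from either answer, and not aircrack-ng's own code), the Python below reproduces the WPA2-PSK key schedule that both belkarx's answer and the crack-difficulty exchange under Marcel's answer turn on. The PMK is PBKDF2-HMAC-SHA1 over the passphrase with the SSID as salt, so a device holding the work SSID's PSK derives nothing for the other three SSIDs even if it passively captures their frames; and a sniffer that captured a 4-way handshake can only recover the PSK by offline guessing, one 4096-round PBKDF2 run per candidate, which is why a long random passphrase holds and a wordlist passphrase does not. The MAC addresses, nonces, EAPOL frame and wordlist are constructed here, not taken from any capture; the key-derivation formulas are the ones in IEEE 802.11i.

```python
import hashlib
import hmac

# Constructed handshake material (not from any real capture): AP and client MACs
# and the two 32-byte nonces exchanged in the 4-way handshake.
AP_MAC = bytes.fromhex("0a1b2c3d4e5f")
STA_MAC = bytes.fromhex("a0b1c2d3e4f5")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))

# Constructed EAPOL-Key message 2 with its 16-byte MIC field zeroed, which is the
# form the MIC is computed over. Field layout follows IEEE 802.11i.
EAPOL_M2 = (
    bytes.fromhex("0103005f")          # 802.1X version 1, type EAPOL-Key, body length 95
    + bytes.fromhex("02")              # descriptor type 2 (RSN / WPA2)
    + bytes.fromhex("010a")            # key info: version 2 (HMAC-SHA1-128), pairwise, MIC present
    + bytes.fromhex("0000")            # key length
    + (1).to_bytes(8, "big")           # replay counter
    + SNONCE                           # key nonce
    + bytes(16) + bytes(8) + bytes(8)  # key IV, key RSC, key ID
    + bytes(16)                        # MIC field, zeroed
    + bytes.fromhex("0000")            # key data length
)


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes).
    The SSID is the salt, so the same passphrase on two SSIDs yields two unrelated PMKs."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def prf_512(key: bytes, label: bytes, data: bytes) -> bytes:
    """IEEE 802.11 PRF-512: HMAC-SHA1(key, label || 0x00 || data || i) for i = 0..3, cut to 64 bytes."""
    blocks = (hmac.new(key, label + b"\x00" + data + bytes([i]), hashlib.sha1).digest() for i in range(4))
    return b"".join(blocks)[:64]


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PTK = PRF-512(PMK, "Pairwise key expansion", min(MACs) || max(MACs) || min(nonces) || max(nonces)).
    PTK[0:16] is the KCK that signs handshake frames; PTK[32:48] is the TK that encrypts this
    client's data frames. Anyone with the PSK and a captured handshake can compute both."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    return prf_512(pmk, b"Pairwise key expansion", data)


def eapol_mic(kck: bytes, eapol_frame_mic_zeroed: bytes) -> bytes:
    """Key descriptor version 2: MIC = HMAC-SHA1(KCK, frame with MIC field zeroed)[:16]."""
    return hmac.new(kck, eapol_frame_mic_zeroed, hashlib.sha1).digest()[:16]


def handshake_mic(passphrase: str, ssid: str) -> bytes:
    """The MIC a client holding this passphrase would put on message 2 of the constructed handshake."""
    pmk = pmk_from_passphrase(passphrase, ssid)
    ptk = derive_ptk(pmk, AP_MAC, STA_MAC, ANONCE, SNONCE)
    return eapol_mic(ptk[:16], EAPOL_M2)


def crack_psk(ssid: str, captured_mic: bytes, wordlist):
    """Offline dictionary attack on a captured 4-way handshake: recompute PMK -> PTK -> MIC per candidate
    and compare with the MIC seen on the air. Each guess costs one 4096-round PBKDF2, so the attack
    only succeeds when the passphrase is in the list. Returns the passphrase or None."""
    for candidate in wordlist:
        if hmac.compare_digest(handshake_mic(candidate, ssid), captured_mic):
            return candidate
    return None


if __name__ == "__main__":
    wordlist = ["letmein", "password123", "qwerty"]  # constructed toy wordlist
    weak = handshake_mic("password123", "Home-Net")
    print("weak PSK recovered:", crack_psk("Home-Net", weak, wordlist))
    print("same handshake tried against another SSID:", crack_psk("Work-Net", weak, wordlist))
    strong = handshake_mic("y7#Qm2!vLz9@Rp4&Wk", "Home-Net")
    print("strong PSK recovered:", crack_psk("Home-Net", strong, wordlist))
```

The two cases worth reading off the code are the ones the thread argues about: because the SSID salts the PMK and each SSID has its own passphrase, a device given only the work SSID's PSK cannot derive the PTK for any frame on the other three SSIDs, however promiscuously it listens; but a device that is on the same SSID (so it holds that PSK) and sees a client's 4-way handshake can derive that client's TK and decrypt its traffic, which is exactly why the dedicated SSID matters. The WPS weakness Marcel links to bypasses this PBKDF2 cost entirely by leaking the PSK, so disabling WPS is a separate check from passphrase strength.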