0

I just told my friend my Wi-Fi password, will he know what I am doing even though he does not connect to my home internet?

Scott Helme
  • 3,178
  • 3
  • 21
  • 32
Anon
  • 11
  • 1
  • 1

2 Answers2

3

The answer is yes, he can see what you're doing on the internet when he is connected to your WiFi network.

The encryption protocol used is pretty much irrelevant. Whilst WPA2 will generate a unique session key for each client association, if the attacker captures this he can still decrypt your traffic. Even if the attacker doesn't capture it, he can forge a disassociation and capture the session key when you reconnect, revealing all of your subsequent traffic.

Once someone has your WiFi password, consider it to be the same as them having a LAN cable plugged directly into the router. The WiFi password offers no additional security beyond limiting access to the network itself.

Scott Helme
  • 3,178
  • 3
  • 21
  • 32
-2

Short answer: WEP? Yes. WPA? Maybe. WPA2? No.

WEP is broken and you shouldn't be using it for a multitude of reasons so we'll skip that. Some WPA networks can be exploited by attackers who do not know the password. http://www.aircrack-ng.org/doku.php?id=tkiptun-ng

WPA2 is what you should be using. In this scheme each client connected to the access point encrypts his traffic with a different key so other clients (both on or off the network) cannot decrypt or read the traffic.

There is such an attack called ARP spoofing, in which the attacker will trick the victim computer into thinking the attacker is the router. The attacker can then decrypt the traffic and send it on the the real router. This requires that the attacker is connected to the network at the time of the attack, which is not difficult to do if he knows the password.

user2675345
  • 1,651
  • 9
  • 10
  • You should say "Short answer: yes" as you explain in your text why WPA and WPA2 are not secure like this (ARP spoofing). – paj28 Apr 01 '14 at 09:57
  • I disagree. If the attacker captures the session key he can still decrypt all of your traffic. If he doesn't capture it he can force a disassociation and capture it when you reconnect. – Scott Helme Apr 01 '14 at 10:28
  • @paj28 ARP spoofing requires the attacker to be connected to the network but the question states that "even though he does not connect to my home internet". – user2675345 Apr 01 '14 at 10:42
  • @ScottHelme This is not an attack I have heard of. Can you provide a source explaining how it works? – user2675345 Apr 01 '14 at 10:43
  • I'm pretty sure that for WPA2 Personal an attacker can simply decrypt everything as long as the sniffed the handshake even without impersonating the router. I found no mention of an ephemeral key exchange in the protocol, it seems to derive the key from the shared secret (which we assume the attacker knows) and public nonces. – CodesInChaos Apr 01 '14 at 10:49
  • 2
    How about keeping comments civil guys! Cleaning up... – Rory Alsop Apr 01 '14 at 22:48