19

I log on to my works wifi throughout the the day whilst at work, I use apps like WhatsApp and iMessages to communicate when I need to, can my employer see the content of those messages (actually read what I'm sending and receiving) or can they just see that I have been logged into WhatsApp and iMessages over the wifi signal?

techraf
  • 9,149
  • 11
  • 44
  • 62
Caroline
  • 199
  • 1
  • 1
  • 4
  • 6
    They can see all traffic. Most just log the site you're on but technically speaking they could easily use packet sniffers to see what the traffic actually is. As to whether they're allowed to do that, that's a different issue but technically speaking it's not so hard. Perhaps don't use they're network???... – Sebastian Zeki May 27 '15 at 05:28
  • Thank you Sebastian, we work in an area that the 3G service is shocking so can't really do anything without being logged on to wifi, but now I know they can trace everything I will stop using the wifi, whether legal or not I'm sure my employer would do anything to see what we are doing. – Caroline May 27 '15 at 05:40
  • 1
    @SebastianZeki Why your employer will do anything to see what you are doing? – Ubaidah May 27 '15 at 05:59
  • 9
    Wait a second. Both iMessage and whatsapp encrypt data between your phone and their servers so the content of your messages is secure. They can tell that you're using the apps but no more – Neil Smithline May 27 '15 at 06:09
  • 1
    Guess it depends on whether you trust the encryption. Mind you would have to be a pretty intense employer to need to decrypt your messages.... Unless you're a spy or something...? – Sebastian Zeki May 27 '15 at 06:36
  • 1
    @SebastianZeki they use TLS. That's pretty strong if you use it right (don't install their CA certificate, etc). –  May 27 '15 at 13:41

8 Answers8

28

According to Whatsapp, all message traffic between the server and your phone are encrypted. The same applies for iMessage. The initial contact for iMessage is initiated via normal SMS, and does not travel through the wifi network.

Therefore, it will not be possible (barring homebrew crypto security flaws) for your employer to read messages that pass through its wifi network, he will only be able to see that you are using those applications.

Jens Erat
  • 23,816
  • 12
  • 75
  • 96
March Ho
  • 1,685
  • 1
  • 13
  • 15
  • 8
    Useful summary of Whatsapp encryption over time: http://www.makeuseof.com/tag/whatsapp-encryption-now-secure-instant-messenger/ - net result: not decryptable by the casual observer, but some metadata / activity may be visible – abligh May 27 '15 at 12:34
  • 10
    I bet he might be able to log how much time you spend on whatsapp. – borjab May 27 '15 at 15:06
  • @abligh Visible with a rooted device; in this sense, I'm not sure that there's anything that can be done, considering that if the device is rooted, one could write software (as the Dutch student did) to record data being sent out by other applications. I suppose the only real solution is to ensure that the metadata that's being sent unencrypted is only being used to decrypt the message. One would think that, in the worst case, the metadata would not reveal information that was detrimental to a user's privacy. Personally, I don't care if anyone knows how many minutes I've spent in the app. – Chris Cirefice May 27 '15 at 15:08
  • See this: http://security.stackexchange.com/questions/81118/how-is-https-ssl-able-to-hide-destination-website-that-one-is-connecting-to – borjab May 27 '15 at 15:10
  • @borjab Good link; that's the kind of metadata (and a few other things, surely) that WhatsApp is sending out. While a typical person won't be able to see this because it's protected by the kernel, a rooted device would be able to collect that information. Nothing to be afraid of, unless WhatsApp is sending your messages or your phone number in the meta-data (it's not). – Chris Cirefice May 27 '15 at 15:16
  • Unless the employeer knows the IP of the webservices associated with Candy Crush, Tinder or Grinder. – borjab May 27 '15 at 15:42
  • @abligh [Apparently](https://theintercept.com/2016/05/02/whatsapp-used-by-100-million-brazilians-was-shut-down-nationwide-today-by-a-single-judge/), Brazilian authorities were not able to decipher any messages either. Not quite sure how strong a case this makes for WhatsApp's security but the amount of resistance it's offering against our government is way more than I've ever seen from _any_ VPN provider. – Matheus Moreira Jul 27 '16 at 01:50
6

You could try using a proxy or vpn somewhere to tunnel your traffic through a secure pipe before 'going out to the web'. Many newer routers have vpn built in so you could set something up at home... that way the traffic between your device -> work wifi -> home would be encrypted, then from home -> web would be the only 'open' traffic.

brian
  • 169
  • 3
6

If a site is not using SSL, then assume anyone, from you to the destination, can read your messages. If the site uses SSL, then you may or may not be safe.

If your employer is using a content filtering proxy, such as BlueCoat or Websense, then they may use an SSL certificate to decrypt and read your messages. This is often done to ensure that confidential company data remains confidential.

Content filtering proxies are internal company devices and as such, do not require certificates from official certificate authorities (CA). As such, these types of certificates are issued by a local certificate authority created by the company. If your phone was issued by the company, they may have installed the certificate on the phone. If it is your personal phone, you would be have been prompted to accept the certificate before being allowed to continue browsing.

You can verify in your settings on an iphone or android for any user installed certificates.

IPhone: Settings->General->Profiles

Android: Settings->Security->Trusted Credentials

A good rule of thumb is to perform incriminating activities outside a company network.

pr-
  • 782
  • 1
  • 4
  • 21
  • 1
    A good rule of thumb is to **NEVER** do incrimination activities. and only do pen testing with **PERMISSION** of the owners of question (network and machines) – LvB May 27 '15 at 19:08
2

As a network admin I can tell you that it is VERY easy to see what you're doing. Programs like Wireshark now make it incredibly easy to sort through all the traffic based on source or destination. I could plug my laptop into a mirroring port on one of the routers and collect every packet you send. I've had to do this before to help diagnose what was flooding our network with bad traffic.

As other posters have noted, a lot of the content may be encrypted. I might not be able to see the actual text of your messages. I CAN, however, see how often you use that app, etc. Most employers really won't care enough to try to decrypt your packets, but remember they have everything they need to do so. At the very least, the employer can see what you're spending time on.

Don't ever do ANYthing at work that you wouldn't want your boss to stand there and watch you do. It's just too easy for the network admin to capture everything, not to mention putting key logging or other monitoring programs on your computer.

Rick Chatham
  • 234
  • 1
  • 13
1

Can an employer see what I'm doing on my iPhone whilst logged onto wifi

Yes, but much of this depends on the apps themselves.

I use apps like whatsapp and iMessages to communicate when I need to, can my employer see the content of those messages (actually read what I'm sending and receiving) or can they just see that I have been logged into whatsapp and iMessages over the wifi signal?

Speaking of those two apps specifically, they can perform a man-in-the-middle security certificate attack and read your messages. You'd be able to detect this, though, and if the apps have been designed well they could detect this type of attack.

As long as your employer hasn't gone to extreme lengths to read your messages, though, they may be able to tell that you're using the apps, but not the content or destination.

Other apps may be more or less well protected. Simple facebook game apps, for instance, might not bother with encryption. If you're just browsing, your employer can tell where you're going, and if it's not HTTPS what content you're downloading and submitting to websites.

Adam Davis
  • 1,071
  • 7
  • 11
1

Any network owner can see where your packets are headed, and scrape their metadata for nefarious purposes. And on a company network you can't count on a proxy to keep your communications secure.

Your only option if you want privacy from the system admins at work is a VPN, preferably one natively supported by iOS and not done through an app using an API (more prone to leak). Good news is VPNs are really cheap these days, under $5 per month.

ED: I say not to use a proxy because that covers ONLY http/https data (mostly your browser), and not whatever custom socket programming apps might use. A VPN with a VPN-side network gateway is far more comprehensive, and provides 100% encryption coverage for the device. Of course, your employer might start to wonder why your phone is only dealing in encrypted data ...

I know the H/W firewalls here have an option (disabled) to log devices suspected of using VPNs to hide traffic (probably because these firewalls also have a content filtering module).

Arthur Kay
  • 131
  • 1
  • 6
1

The answer depends on the environment and how your employer manages both BYOD (Bring Your Own Device) and the wireless network. From a theoretical perspective, the answer is yes, potentially they can, especially if they have some form of mobile device management infrastructure in place. The extent to which they can read what you are doing really depends on the amount of effort they want to put in. For example, they could setup a type of man-in-the-middle system by requiring you as part of the agreement to use the wifi, accept a certificate. Even if they cannot read the actual data in your packets, they can track what you are doing i.e. where you connect to, send packets of data to etc and this can tell them a lot about what you are doing.

However, the reality is that this is rarer than many think. It is one things to collect data and completely another to have the resources to actually analyse it and do something with it. Multiply that effort by the number of employees and you soon end up with a lot of data needing a lot of resources. In most cases, there will not be active monitoring, but rather a passive monitoring - data will be collected and then only looked at when some other event occurs, such as being investigated for misconduct. However, in general, very few employers are going to be at all interested in your text messages, tweets or whatsapp posts.

It probably is the meta data which will more often be the biggest issue rather than the actual content of what you send. Getting the content and being able to process it into something meaningful is too resource intensive for most employers. Having a summary which shows that while at work, during an average day, you visit facebook 1000 times, read your gmail mail 50 times, sent 400 text messages etc is a much easier metric to collect and usually sufficient for most employers to ask for you to exlain why you have so much time to do all of this, especially if there are questions about your work performance.

Tim X
  • 3,252
  • 14
  • 13
0

You can't easily know.

iMessage and WhatsApp may encrypt the communications using SSL (TSL) but your employer can be using an internal proxy with crafted certificates to intercept and decrypt the traffic.

You can know if this is happening, if you open a browser in your phone on an https site and it sends you an alert about insecure site even if it is a reputable site (google, facebook, etc)

The best thing you can do to prevent this, is to use a trusted VPN

  • not exactly true about whatsapp: https://whispersystems.org/blog/whatsapp/ and not true for iMessage: http://techcrunch.com/2014/02/27/apple-explains-exactly-how-secure-imessage-really-is/ – schroeder May 27 '15 at 17:05