1

Open wifi is a security risk since all the data can potentially be sniffed by anyone. What I want to ask is even on a secured wifi (which requires some kind of password for authentication), the data still travels from a device to the router; can't that data be sniffed using tools?

Even if the above were not possible, let's say I were an authenticated user of such a secured connection and then run a tool like Wireshark, will any data of other connected users be displayed?

schroeder
Mayank Singh

4 Answers

0

I know the post is a few years old but I came across it today and wanted to clarify some points anyway. Whether you authenticate on a WPA2 network or join an open network, sniffing traffic is not as simple as launching Wireshark and watching all the passwords roll in. To answer your question simply: regardless of WPA2 or open WIFI, not everyone will be able to intercept network traffic of other users. Network architecture aside, there is also the problem of additional encryption to consider (and I assume we are talking mainly about web traffic here).

SSL, for example, is just one additional layer of encryption provided to all individuals when they visit most sites these days, so his/her (HTTPS) traffic will be encrypted whether he's on open WIFI or a WPA2 network. VPNs are another great way to further encrypt the traffic to and from your individual device, especially if you are travelling overseas and may not have any option other than to use the free local WIFI.

The real danger of using open WIFI (in my opinion) is the lack of oversight and the fact that you don't know who created the network or for what purpose, i.e. it could have been created with the purpose of carrying out Man In The Middle attacks against your encryption, or stealing your credentials through DNS spoofing, and if they were really good they could even inject malware into the network traffic itself. These attacks are a lot easier to carry out if you control the AP/router through which all the traffic will pass.

For example, an attacker could jam the WIFI signal of a legitimate open WIFI network like Starbucks and simply create his own one with the same ESSID under a different channel. Then once people join his network, he doesn't even need to worry about ARP spoofing to intercept the traffic because it will all be passing through his router anyway, making downgrading SSL encryption to harvest login credentials, or serving up fake websites, a much easier process.

Bottom line is, there are more problems to sniffing network traffic than just network authentication. I'm not an expert on the matter by any means but just as a starting point, I would recommend having a look at tools and principles used by Ettercap, sslstrip, etc.

0

You would need to get access to the WiFi first and associate with the access point. You could collect beacons and other associated management traffic, but the most you will get is some initialisation vectors, possibly the SSID and some other settings that allow clients to negotiate a connection when they are genuinely connecting.

In the days of WEP this was used to collect enough information from the IVs to crack the password and then authenticate and associate with an access point; those days are a thing of the past though.

If you do get access, all you have to do is run an interface in promiscuous mode and capture all the traffic; if the traffic is encrypted, however, you will not be able to make sense of it in programs like tcpdump or Wireshark.

TheJulyPlot
0

You'll probably find an answer to your question here:

Why isn't open WiFi encrypted?

In short, if you're using WPA2 or similar authentication on a wireless network, each connection is encrypted uniquely, even if they're using the same password.

So yes, theoretically you can sniff the traffic that other WiFi users are generating; however, it will all be encrypted.

Nic Barker
0

> What I want to ask is even on a secured wifi (which requires some kind of password for authentication), the data still travels from a device to the router; can't that data be sniffed using tools?

Yes, if you sniff in monitor mode, but the data will, as noted, be encrypted.

> let's say I were an authenticated user of such a secured connection and then run a tool like Wireshark, will any data of other connected users be displayed?

Yes, if you're sniffing in monitor mode, but, unless you've told Wireshark what the network password is, and, if the network uses WPA/WPA2 rather than WEP (people shouldn't be using WEP, as it's easily crackable, as per what TheJulyPlot said), you've captured other users' machines' initial EAPOL handshake, that data will, as noted, be encrypted.

See the "How to decrypt 802.11" page in the Wireshark Wiki for more information.
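Added example, not part of any answer above: the standard WPA2-PSK key derivation (PBKDF2 for the master key, the 802.11i PRF for the per-session key), showing why each client's traffic is keyed differently and why the shared password plus a captured EAPOL handshake is enough to recompute another client's key. The SSID, passphrase, MAC addresses and nonces are constructed sample values.

```python
import hashlib
import hmac

def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """Pairwise master key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 rounds, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)

def ptk_from_handshake(pmk, ap_mac, sta_mac, anonce, snonce) -> bytes:
    """Pairwise transient key: 802.11i PRF over values sent in the 4-way handshake."""
    label = b"Pairwise key expansion"
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    stream = b""
    for i in range(4):  # four 20-byte HMAC-SHA1 blocks, truncated to 64 bytes
        stream += hmac.new(pmk, label + b"\x00" + data + bytes([i]),
                           hashlib.sha1).digest()
    return stream[:64]

def temporal_key(ptk: bytes) -> bytes:
    """Bytes 32..47 of the PTK encrypt this client's unicast data frames."""
    return ptk[32:48]

# Constructed sample network: one shared passphrase, two clients.
SSID, PASSPHRASE = "CoffeeShop", "shared-with-every-guest"
AP = bytes.fromhex("020000000001")
ALICE = bytes.fromhex("0200000000a1")
BOB = bytes.fromhex("0200000000b2")

def nonce(tag: bytes) -> bytes:
    """Deterministic stand-in for the random 32-byte ANonce/SNonce."""
    return hashlib.sha256(tag).digest()

def demo():
    pmk = pmk_from_passphrase(PASSPHRASE, SSID)  # identical for every client
    alice = temporal_key(ptk_from_handshake(pmk, AP, ALICE, nonce(b"a1"), nonce(b"s1")))
    bob = temporal_key(ptk_from_handshake(pmk, AP, BOB, nonce(b"a2"), nonce(b"s2")))
    # Another authenticated user knows the passphrase; the MACs and nonces are
    # sent in the clear during Alice's handshake, so her key can be recomputed.
    observer_pmk = pmk_from_passphrase(PASSPHRASE, SSID)
    observer = temporal_key(
        ptk_from_handshake(observer_pmk, AP, ALICE, nonce(b"a1"), nonce(b"s1")))
    # Without Alice's handshake the nonces are unknown and the key differs.
    blind = temporal_key(
        ptk_from_handshake(observer_pmk, AP, ALICE, nonce(b"x"), nonce(b"y")))
    return alice, bob, observer, blind

if __name__ == "__main__":
    for name, key in zip(("alice", "bob", "observer", "blind"), demo()):
        print(f"{name:9s}{key.hex()}")
```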