How does hacking through WiFi really work? We know that data can be stolen, but what are the hackers who have access to our information actually seeing on their screen?

10 Answers

Anonymous 0 Comments

When you’re on a public WiFi and sending data unencrypted, they can read all your data. They’re looking for usernames/passwords, usually with programs. So they’re usually watching a visual stream of data packets (Google Wireshark and check the images for an example) and waiting for their search to find a hit.

Anonymous 0 Comments

When I was in college, we learned about hacking WiFi but were told that with current encrypted WiFi networks and https, purely getting packet traffic would not be helpful.

Our campus shared space with a university, so my study group went over there and realized that their WiFi was unencrypted. What was worse was their site to manage your courses and enrollment was also not using http.

We literally watched as a student logged in and could see his password and username (which happened to be his email).

From that, we could unenroll him for his course in a matter of seconds. The worst thing is with more digging we found he was using the same password for his Facebook.

It was scary as hell to realize it could literally be that easy to hack someone.

This was 2008 so hopefully it has changed.

Anonymous 0 Comments

First, all data on an unencrypted Wi-Fi network can be received by all parties, like people talking in a public room.

Secondly, they don’t see your screen but what you are sending and receiving over the network. For example, if you use an unencrypted protocol (like HTTP) then they can capture the packets and see what your browser is asking for and what the server is sending back. If this includes logging into a site then they can get your hashed password and run decryption attacks against it. The real danger there is that people tend to reuse passwords, so they can try your credentials against multiple popular sites. If they crack it, they can log in as you. This is why HTTPS is important to use (and why all banks, etc. use it).

Anonymous 0 Comments

Many of the answers here answer the “what they are seeing” portion really well. However more or less all of these answers talk about public/unencrypted WiFi networks.

There are two ways to “hack WiFi”:

– Eavesdropping the communication between your device and the WiFi network.
– Pretending to be the WiFi network and making your device communicate directly with the hacker.

Eavesdropping works with unencrypted communication. Encrypted WiFi or encrypted communication (HTTPS) both defeat this to a large extent (there are still things a hacker might learn on unencrypted WiFi, but if you are using HTTPS to read your e-mail, the hacker should not be able to read those).

However if the hacker manages to trick your device into connecting to their WiFi network, they can now start messing with the communication in other ways as well. Not only can they achieve everything they could do previously by eavesdropping the communication, they can now also change it. They might try to change an encrypted connection in ways that make it easier for them to break the encryption, they might completely alter the pages that you are seeing over an unencrypted connection or they might even try to instruct your installed applications to do something the applications normally wouldn’t do such as “send all local files to us” or “install this totally-not-a-virus on the device”.

The scary thing is how easy it is to have your device connect to a hacker’s WiFi network. If you have your phone set to connect automatically to your HomeWiFi, CoffeeShopWLAN and UniversityWireless, it will keep calling for those when you are walking down the street. Essentially it will keep yelling “Is MyHomeWifi, CoffeeShopWLAN or UniversityWireless around?” the whole time WiFi is on and it’s not connected to a network. At this point the hacker can just listen for those calls and then start advertising their own WiFi network as “MyHomeWifi” for example. Your phone can’t tell the difference and will happily connect to the hacker’s network.

(At least a few years back the devices didn’t even check if the original network had been encrypted and the new network is now unencrypted. Not sure if this has changed in the last few years.)
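A defender's check for the auto-connect behaviour described above, as an added example that is not part of the original answer: it audits a saved-network list for entries that a look-alike access point could impersonate. It assumes a Linux client whose saved networks are in wpa_supplicant.conf syntax; the sample file is constructed and reuses the network names from the post.

```python
import re

# Constructed sample in wpa_supplicant.conf syntax (names reused from the post above).
SAMPLE_CONF = '''
network={
    ssid="MyHomeWifi"
    key_mgmt=WPA-PSK
    psk="constructed-passphrase"
}
network={
    ssid="CoffeeShopWLAN"
    key_mgmt=NONE
}
network={
    ssid="UniversityWireless"
    key_mgmt=NONE
    scan_ssid=1
}
network={
    ssid="OldHotel"
    key_mgmt=NONE
    disabled=1
}
'''

def parse_networks(conf: str) -> list[dict]:
    """Return one dict of key/value settings per network={...} block."""
    nets = []
    for block in re.findall(r"network=\{(.*?)\}", conf, flags=re.S):
        settings = {}
        for line in block.splitlines():
            key, sep, value = line.strip().partition("=")
            if sep and not key.startswith("#"):
                settings[key.strip()] = value.strip().strip('"')
        nets.append(settings)
    return nets

def audit(conf: str) -> dict[str, list[str]]:
    """Flag enabled saved networks that a look-alike access point could impersonate."""
    findings = {}
    for net in parse_networks(conf):
        issues = []
        if net.get("key_mgmt") == "NONE" and "wep_key0" not in net:
            issues.append("open network: any AP using this name is accepted")
        if net.get("scan_ssid") == "1":
            issues.append("directed probes announce this name while roaming")
        if issues and net.get("disabled") != "1":  # disabled=1 is never auto-joined
            findings[net.get("ssid", "?")] = issues
    return findings
```

The WPA-PSK entry is not flagged because an access point that does not know the passphrase cannot complete the handshake; the open entries have no such check, so removing them or disabling auto-join is the fix.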

Anonymous 0 Comments

What they visually see is a list of network requests. Most of them are not interesting, because it’s just establishing a connection and finding the correct device to go to etc. Like others said, it gets dangerous when they can see what you sent over an unencrypted connection like HTTP. There they can see the payload in unencrypted form, aka plain text (even files get converted to plain text representation so by decoding it hackers can also see what images you downloaded, for example). Also, even if everything is encrypted, packet sniffing leads to valuable information nonetheless: patterns. If some requests and responses always look the same or come from the same location, this information can help the attacker “spoof” a legitimate responder by spamming the network with responses that look similar to those they observed. If they get lucky, a client browser / device mistakes them for a legitimate response, possibly leading to the user sending sensitive information to the hacker instead. This is pretty unlikely though and most hackers won’t go through that amount of work just to potentially get to sensitive data of one person. But given enough time and effort, it can happen.

Anonymous 0 Comments

When you go to a website, you send a request to a server for information. For example, when you go to [Google.com](https://Google.com), you send Google’s server a request asking for their homepage. Their server sends that information back to you, and your web browser formats it correctly.

> 192.168.0.3 wants to access google.com; please send the homepage code.

When you log in to a website, like your bank, you have to send some extra information to the server so that it knows who you are. That’s usually your username and password. When it’s not encrypted, that information is sent in plain text, right alongside of the website that you’re trying to get to.

> 192.168.0.3 wants to access bank.example.com, their username is [email protected] and their password is hunter2; please send the transaction list.

Once you’ve told the server who you are, they sometimes send back a session key; this is similar to a coat check. When you go to the website later, you don’t have to give your username and password again – you just give your coat check, and they can identify you from that. That keeps you from having to send the password repeatedly, and saves the server from having to re-authenticate you every time. However, just like in real life, if that coat check gets stolen, anyone can pick up your coat (your data) with it.

On a public wireless network, anyone else can scan the network for these requests, and they’ll see [every “packet” of information being sent over the network](https://jvns.ca/images/wireshark_screenshot.png). From there, they can search the stream of data for patterns, such as looking for e-mail addresses. They can then see your password in the same request, and voila – they have your information.

If you’re interested in how encryption works, I’d highly suggest [this video](https://www.youtube.com/watch?v=3QnD2c4Xovk) which explains the protocol really well and in an easy to understand way.

**Edit:** It looks like I removed the part about encryption while I was editing my comment last night. Encrypting these requests is incredibly easy nowadays, so most websites will encrypt the data that you send it and the data that it sends you. It’s explained better in that video I linked above, but you and the server basically agree on a shared secret phrase that people scanning the network can’t figure out. That way, only you can see the data that you’re being sent and only they can see the data that they’re being sent.
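The two plain-text requests described above (the login and the later "coat check" request), written out as bytes and audited for what any listener on an open network could read. This is an added example, not part of the original answer; the requests, the username `alice@example.com` and the cookie value are constructed, and `cleartext_exposure` is a hypothetical helper name.

```python
from http.cookies import SimpleCookie
from urllib.parse import parse_qs

# Constructed sample traffic (not captured from any real site): a login POST
# and a later request that carries only the session cookie ("coat check").
LOGIN = (b"POST /login HTTP/1.1\r\n"
         b"Host: bank.example.com\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n"
         b"Content-Length: 45\r\n\r\n"
         b"username=alice%40example.com&password=hunter2")
LATER = (b"GET /transactions HTTP/1.1\r\n"
         b"Host: bank.example.com\r\n"
         b"Cookie: session=3f9a1c-constructed; theme=dark\r\n\r\n")
SENSITIVE = ("pass", "pwd", "token", "session", "auth")

def cleartext_exposure(raw: bytes) -> dict:
    """Report what is readable from one unencrypted HTTP request."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    form = {}
    if headers.get("content-type", "").startswith("application/x-www-form-urlencoded"):
        form = {k: v[0] for k, v in parse_qs(body.decode("iso-8859-1")).items()}
    cookies = {k: m.value for k, m in SimpleCookie(headers.get("cookie", "")).items()}
    # Field names that suggest a credential or a session identifier.
    sensitive = sorted(k for k in {**form, **cookies}
                       if any(s in k.lower() for s in SENSITIVE))
    return {"host": headers.get("host"), "request": f"{method} {path}",
            "form": form, "cookies": cookies, "sensitive": sensitive}

if __name__ == "__main__":
    for raw in (LOGIN, LATER):
        print(cleartext_exposure(raw))
```

Sent over HTTPS, the same bytes travel inside encrypted TLS records, so there is nothing here for the parser to read.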

Anonymous 0 Comments

It’s still scary how much is unencrypted today, such as DNS requests. When you perform Air-Pcaps (sniffing packets in the air) near hotspots, you can usually see all the domains people are resolving and can build a profile of their internet usage.

Anonymous 0 Comments

I worked in an Information Security company that demonstrates exactly this. Good question. It has been answered in some ways, so I’ll go with a different take:

The “Wi” in WiFi stands for Wireless, that is, Over-the-Air (OTA) communication via electromagnetic signals in the radio band, more specifically around 2.4GHz. To answer what a hacker might see, let’s take a look at the several layers information goes through in the process of accessing the Internet:

The OSI Model describes an abstract method of communication between two (or sometimes more) parties. Broadly speaking, a 5 layer model will look like: (merging layers of 7-layer model)

1. Physical layer – the actual signal
2. Link layer – “neighbors communication”, i.e. between adjacent devices
3. Network layer – communication within a network of devices (e.g. The Internet)
4. Transport/Session layer – responsible for handling “full conversations” (opposed to single packets of data)
5. Application layer – basically anything software adds on top of communication. (e.g. custom server applications, protocols, etc.)

Back to what a hacker would “see”: it all depends on which layer he is able to tap into!

Starting with layer 1 – Physical:
These signals are not much different than light we see, other than, well, we can’t see them. But light is a great analogy for this. Think of a flashing light bulb – using the intensity of the light, the color or the frequency of flashes, it is possible to encode messages. Just imagine your friend sending you morse code using a flash light!

A person or device (not necessarily malicious) who would tap into that layer would be able to measure the physical difference in the magnetic field, which when plotted over time – produces a signal. This is a whole story within itself, so without going into too much detail, just think of a line graph – sort of like a heart monitor or lie detector. The transceiver (transmitter-receiver, e.g. WiFi chip) would know how to decode these messages and pass them to the next layer.

Now let’s skip ahead to the last layer – application. One thing I have yet to mention is encryption! While this can be done in any layer, let’s focus on the Application layer. Assuming a hacker was able to tap into your wireless communication, a good encryption would still prevent him from eavesdropping or modifying the underlying data. Unfortunately, in practice, much of the data is poorly encrypted, suffers from flaws or is completely absent at times. In such a case, whatever you see in your browser when you browse the web, may be replicated and mirrored to the hacker and even modified.

Hacking is a whole topic within itself, so to summarize:

TL;DR: a hacker might see anything from meaningless signals to those “cat videos” you thought were secure to download in Incognito mode through VPN within a Virtual Machine; all depending on his attack vector.

Anonymous 0 Comments

Another method is to spoof the wifi network and make you connect to their device instead. This is usually done to capture your cookies, then they can spoof your device and log in on the sites that you use.

Anonymous 0 Comments

Top comment right now doesn’t really answer the question and I’m curious as well.

What does the screen of a hacker’s computer actually look like when they are doing this?