Windows 10 Wi-Fi Sense Security Concerns

With the release of Microsoft Windows 10 came a host of new features. Many long-time users now have a more familiar Start menu, virtual desktops have to come to the rescue of single monitor users, and Cortana is poised to be the virtual assistant of the future. One feature that has been getting a lot of press lately, and for the wrong reason, is a technology called Wi-Fi Sense. Wi-Fi Sense is designed to make sharing Wi-Fi passwords easier among friends you have stored in Outlook, Skype, or Facebook. But, with this increased ease of use comes some security concerns.
With over 15 million users upgrading to Windows 10 within the first 24 hours there are a lot of new features to discover. One that has come to light recently is Wi-Fi Sense. This technology was originally introduced with Windows Phone 8 and allows the phone to more easily connect to crowdsourced Wi-Fi networks others know about, accept terms of use on the user’s behalf, and allow a user to exchange password-protected Wi-Fi network access with contacts in an encrypted manner. Most, if not all, of those features have survived into the most recent edition of Wi-Fi Sense in Windows 10, and that has a lot of people concerned.
Other platforms such as Android and iOS do something similar, but only between a user’s personal devices. Wi-Fi Sense has taken this a step further and allows those passwords to be securely shared among friends on selected networks. In theory a friend would never have to actually know the network credentials. While this sounds like a good idea at first it makes a lot of people uneasy. It turns out that when one uses Wi-Fi Sense to share network passwords with friends of selected networks, it does so en masse to the entire social network. At this point in time you cannot granularly select which friends within those networks with which you want to share your network credentials. It is all, or nothing. That even extends as far as, if your friend has your Wi-Fi network password and they enable Wi-Fi Sense on their device, they can share your password with all of their friends on their selected networks vicariously with people you do not even know.

This technology is enabled by default in a new install of Windows 10.

Network credentials are not shared to social networks by default, only to the user’s other devices, but a lapse in security is only a checkbox away.
Microsoft claims that if Wi-Fi Sense is enabled and you allow friends on a selected social network to gain access to your network they will not be able to see other resources on your local network such as devices or file shares. Even with this reassurance many people are concerned that hackers will develop a way to break out of the network sandbox and gain unauthorized access to other resources.
Another security concern is: If a friend shares their network credentials to a user with Wi-Fi Sense, and that user is unaware, their device can automatically gain connectivity to any networks their friends are sharing without the user’s knowledge or consent. This would then introduce the ability to perform a man-in-the-middle attack on the unfamiliar network or allow the user to access the Internet through a gateway that may have a spoofed DNS server, which could allow malware to be installed unbeknownst to the user.
One way to combat this, even when other users might share your password through their Wi-Fi Sense without your knowledge or consent, is to alter your network name (SSID) to include “_optout” somewhere in the name. Some examples given are: “my_optout_network” or “MyNetworkName_optout.”
At this point in time we recommend turning off the Wi-FI Sense feature until Microsoft introduces more granular control over how network credentials are shared. It will help keep you and your network more secure.
If you have any additional question or concerns drop us a line at info@infotech.us. We also reply on Facebook and Twitter.
You can also reach the author on Twitter.

Comments