Windows 10 Wi-Fi Sense Raises Security Concerns

The Wi-Fi Sense feature embedded in Windows 10 may make life easier for users, but could it also compromise corporate network security?

Kelly Sheridan, Staff Editor, Dark Reading

July 30, 2015

3 Min Read
<p align="left">(Image: Outline205/iStockPhoto)</p>

Windows 10 Upgrade: 8 FAQs Explained

Windows 10 Upgrade: 8 FAQs Explained

Windows 10 Upgrade: 8 FAQs Explained (Click image for larger view and slideshow.)

Security has played a big part in the development of Windows 10. Microsoft has taken steps to integrate virtualization technology for protecting against identity theft and malware, Device Guard for blocking zero-day attacks, and Windows Hello for biometric authentication.

These security measures are among the many improvements that put Windows 10 ahead of Windows 7 and Windows 8. But, a subtle feature in Microsoft's new OS is sparking broad concern among new users: Wi-Fi Sense.

[ What about digital assistants? Is Cortana Microsoft's Equalizer with Google? ]

The purpose of Wi-Fi Sense is to facilitate easier network connectivity. Microsoft believes it will save people from asking for network passwords; on the flip side, network owners won't have to share that information.

Wi-Fi Sense scans networks to find those in use by other Windows machines, and prompts you to share the password with your friends (Outlook, Skype, and Facebook contacts) when you log on. You cannot choose to share the network with individual people.

This feature is enabled by default in Windows 10 if you choose the express installation option during setup.

Microsoft touts Wi-Fi Sense as a security feature, and notes that shared user passwords are encrypted. Your contacts won't know what your password is or have access to your device, and the encrypted passwords are securely stored. However, they will be able to jump on your network when within range.

As stated in the Wi-Fi Sense FAQ, "For networks you choose to share access to, the password is sent over an encrypted connection and is stored in an encrypted file on a Microsoft server, and is then sent over an HTTPS connection to your contacts' PC or phone if they use Wi-Fi Sense. Your contacts don't get to see your password, and you don't get to see theirs."

Despite its lengthy explanation on the safety of Wi-Fi Sense, security experts are wary of the high potential for breaches. Brian Krebs, of Krebs On Security, calls it a "disaster waiting to happen."

Given the vast number of contacts each person has, and the advanced state of cyberattacks, it's easy to see why. If you share your password via Wi-Fi Sense with your Facebook or email contact list, any of those people could access your network if they're using a Windows 10 device in the vicinity.

Further, if a friend or relative already knows your password, he or she may share it with their contact lists via Wi-Fi Sense. All of a sudden, an entire audience of strangers could potentially have access to your network.

Microsoft claims Wi-Fi Sense does not allow access to any devices or files on a given network. Guests may only use the Internet. However, there remains concern that hackers will be able to crack the encrypted password and gain access to the entire network.

While the potential for attack via Wi-Fi Sense isn't terribly great, you'll still want to proceed with caution.

If you don't want this feature to connect others to your network, alter your network name to include "_optout." Microsoft cites examples such as "mynetwork_optout" or "my_optout_network." This might be a good option for small businesses or homes where multiple people know the password and may share it.

Wi-Fi Sense was first introduced in Windows Phone, but received little attention, likely due to Microsft's tiny share of the mobile market. It has come under the spotlight as a feature in Windows 10 for PCs, which are used among a much larger population.

About the Author(s)

Kelly Sheridan

Staff Editor, Dark Reading

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like

More Insights