Windows 10 Wi-Fi Sense Raises Security Concerns - InformationWeek
IoT
IoT
Software // Operating Systems
News
7/30/2015
04:06 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Windows 10 Wi-Fi Sense Raises Security Concerns

The Wi-Fi Sense feature embedded in Windows 10 may make life easier for users, but could it also compromise corporate network security?

Windows 10 Upgrade: 8 FAQs Explained
Windows 10 Upgrade: 8 FAQs Explained
(Click image for larger view and slideshow.)

Security has played a big part in the development of Windows 10. Microsoft has taken steps to integrate virtualization technology for protecting against identity theft and malware, Device Guard for blocking zero-day attacks, and Windows Hello for biometric authentication.

These security measures are among the many improvements that put Windows 10 ahead of Windows 7 and Windows 8. But, a subtle feature in Microsoft's new OS is sparking broad concern among new users: Wi-Fi Sense.

[ What about digital assistants? Is Cortana Microsoft's Equalizer with Google? ]

The purpose of Wi-Fi Sense is to facilitate easier network connectivity. Microsoft believes it will save people from asking for network passwords; on the flip side, network owners won't have to share that information.

Wi-Fi Sense scans networks to find those in use by other Windows machines, and prompts you to share the password with your friends (Outlook, Skype, and Facebook contacts) when you log on. You cannot choose to share the network with individual people.

This feature is enabled by default in Windows 10 if you choose the express installation option during setup.

Microsoft touts Wi-Fi Sense as a security feature, and notes that shared user passwords are encrypted. Your contacts won't know what your password is or have access to your device, and the encrypted passwords are securely stored. However, they will be able to jump on your network when within range.

As stated in the Wi-Fi Sense FAQ, "For networks you choose to share access to, the password is sent over an encrypted connection and is stored in an encrypted file on a Microsoft server, and is then sent over an HTTPS connection to your contacts' PC or phone if they use Wi-Fi Sense. Your contacts don't get to see your password, and you don't get to see theirs."

Despite its lengthy explanation on the safety of Wi-Fi Sense, security experts are wary of the high potential for breaches. Brian Krebs, of Krebs On Security, calls it a "disaster waiting to happen."

(Image: Outline205/iStockPhoto)

(Image: Outline205/iStockPhoto)

Given the vast number of contacts each person has, and the advanced state of cyberattacks, it's easy to see why. If you share your password via Wi-Fi Sense with your Facebook or email contact list, any of those people could access your network if they're using a Windows 10 device in the vicinity.

Further, if a friend or relative already knows your password, he or she may share it with their contact lists via Wi-Fi Sense. All of a sudden, an entire audience of strangers could potentially have access to your network.

Microsoft claims Wi-Fi Sense does not allow access to any devices or files on a given network. Guests may only use the Internet. However, there remains concern that hackers will be able to crack the encrypted password and gain access to the entire network.

While the potential for attack via Wi-Fi Sense isn't terribly great, you'll still want to proceed with caution.

If you don't want this feature to connect others to your network, alter your network name to include "_optout." Microsoft cites examples such as "mynetwork_optout" or "my_optout_network." This might be a good option for small businesses or homes where multiple people know the password and may share it.

Wi-Fi Sense was first introduced in Windows Phone, but received little attention, likely due to Microsft's tiny share of the mobile market. It has come under the spotlight as a feature in Windows 10 for PCs, which are used among a much larger population.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Shouldbeu2
50%
50%
Shouldbeu2,
User Rank: Apprentice
8/14/2015 | 11:01:04 AM
Neighborhood wifi?
Given most of your neighbors are fb friends, how would you stop them from hogging your bandwidth? (hmm. Netflix\amazon prime works better on Bob's network since he is paying for fiber..)

I don't let all my FB or other contacts just walk in my house at any time; why would I just let them just use my network at any time?

Since you are responsible for what occurs on\through your network (hacking, illegal sites, etc) doesn't this increase your liability?

What about internal hosted websites (like for security cameras) - would they have access to those?

I don't think I should have to explicitly 'opt out' either; it should be an opt in.
batye
50%
50%
batye,
User Rank: Ninja
8/3/2015 | 1:36:12 PM
good info
@Kellly -thank you, good points and wealth of good security info... - thanks
tzubair
50%
50%
tzubair,
User Rank: Ninja
7/31/2015 | 6:26:02 PM
Re: Mechanics
"From there, it's sent over an HTTPS connection to your contacts' PC or phone (if they're also on WiFi sense)."

@Kellly: Thank you for explaining the underlying architecture. If that's the level of security that has been built in, then it does seem quite secure. It seems like an efficient way to handle the case where the Wifi key changes and everyone has to update it. As long as they are added to your network, they'd not need to update the key on their ends. Further, if you want to prevent someone from using the Wifi, you can simply remove them from your network
tzubair
50%
50%
tzubair,
User Rank: Ninja
7/31/2015 | 6:16:37 PM
Re: Mechanics
"I don't know, but this sounds like dangerously over-social engineering something to me.."

@progman2000: It does't seem dangerous on the surface but it does have the potential to be exploited and be used as social engineering as you mentioned. However, it depends on how secure the system has been made and what is the underlying process like. I do trust Microsoft when it comes to security.
Kelly22
50%
50%
Kelly22,
User Rank: Strategist
7/31/2015 | 12:29:29 PM
Re: Time saver
It's definitely a timesaver and I think for most people, it's a handy tool. My concern would be for people handling sensitive info. One example: employees working from home, especially those with households of people who could share the WiFi password if they know it. In that case it might be smart to block your personal network.

One tweak I'd like to see is the ability to allow individual machines instead of entire social networks. I don't like the idea of sharing my password with my entire Facebook contact list..
Kelly22
50%
50%
Kelly22,
User Rank: Strategist
7/31/2015 | 12:25:26 PM
Re: Mechanics
When you choose to share access to a network, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server. From there, it's sent over an HTTPS connection to your contacts' PC or phone (if they're also on WiFi sense). Your device doesn't become a hotspot; your contact is using your password to log in to the network - they just don't know what it is.

 
GAProgrammer
50%
50%
GAProgrammer,
User Rank: Ninja
7/31/2015 | 11:27:04 AM
A bit paranoid here....
Sure, you can share your WiFi info to Grandma, but how many of her friends are actually going to come within range of your WiFi signal? Can your info be distributed? Sure. However, the physical limitations are going to make this useless to most people with bad intentions. They have to KNOW where you are to get on your network. So what if my WiFi password is sent to 450 people across 6 states? Only about 5 of them will ever actually be close enough to make use of the info.

I am all for being cautious about things, but let's not go overboard with the paranoia here.
progman2000
50%
50%
progman2000,
User Rank: Ninja
7/31/2015 | 8:52:20 AM
Re: Mechanics
I don't know, but this sounds like dangerously over-social engineering something to me...
Whoopty
100%
0%
Whoopty,
User Rank: Ninja
7/31/2015 | 7:45:59 AM
Time saver
As much as I don't like that this is linked with Facebook and Outlook (I email people and have "friends" that I wouldn't invite to my house) I do like the idea of not having to give out my WiFi password every time someone I'm close to comes round. 

It's a nice idea, but needs some tweaks I think as there's too much potential for network infiltration with something like this. 
tzubair
50%
50%
tzubair,
User Rank: Ninja
7/30/2015 | 11:14:33 PM
Mechanics
So from what I understand from this post, if you're part of my network (Outlook, Facebook etc) and if you come to a place with WiFi where I have access to WiFi, I can share the network with you and you can connect to it without knowing the key. I think that does sound a bit useful to me. However, I wonder how the mechnics work. Does it make the router give access to the new device? Or, does your own device become a hotspot and share the network?
Register for InformationWeek Newsletters
White Papers
Current Issue
Cybersecurity Strategies for the Digital Era
At its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.
Video
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Flash Poll