Windows 10 Wi-Fi Sense Raises Security Concerns - InformationWeek

InformationWeek is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

IoT
IoT
Software // Operating Systems
News
7/30/2015
04:06 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

Windows 10 Wi-Fi Sense Raises Security Concerns

The Wi-Fi Sense feature embedded in Windows 10 may make life easier for users, but could it also compromise corporate network security?

Windows 10 Upgrade: 8 FAQs Explained
Windows 10 Upgrade: 8 FAQs Explained
(Click image for larger view and slideshow.)

Security has played a big part in the development of Windows 10. Microsoft has taken steps to integrate virtualization technology for protecting against identity theft and malware, Device Guard for blocking zero-day attacks, and Windows Hello for biometric authentication.

These security measures are among the many improvements that put Windows 10 ahead of Windows 7 and Windows 8. But, a subtle feature in Microsoft's new OS is sparking broad concern among new users: Wi-Fi Sense.

[ What about digital assistants? Is Cortana Microsoft's Equalizer with Google? ]

The purpose of Wi-Fi Sense is to facilitate easier network connectivity. Microsoft believes it will save people from asking for network passwords; on the flip side, network owners won't have to share that information.

Wi-Fi Sense scans networks to find those in use by other Windows machines, and prompts you to share the password with your friends (Outlook, Skype, and Facebook contacts) when you log on. You cannot choose to share the network with individual people.

This feature is enabled by default in Windows 10 if you choose the express installation option during setup.

Microsoft touts Wi-Fi Sense as a security feature, and notes that shared user passwords are encrypted. Your contacts won't know what your password is or have access to your device, and the encrypted passwords are securely stored. However, they will be able to jump on your network when within range.

As stated in the Wi-Fi Sense FAQ, "For networks you choose to share access to, the password is sent over an encrypted connection and is stored in an encrypted file on a Microsoft server, and is then sent over an HTTPS connection to your contacts' PC or phone if they use Wi-Fi Sense. Your contacts don't get to see your password, and you don't get to see theirs."

Despite its lengthy explanation on the safety of Wi-Fi Sense, security experts are wary of the high potential for breaches. Brian Krebs, of Krebs On Security, calls it a "disaster waiting to happen."

(Image: Outline205/iStockPhoto)

(Image: Outline205/iStockPhoto)

Given the vast number of contacts each person has, and the advanced state of cyberattacks, it's easy to see why. If you share your password via Wi-Fi Sense with your Facebook or email contact list, any of those people could access your network if they're using a Windows 10 device in the vicinity.

Further, if a friend or relative already knows your password, he or she may share it with their contact lists via Wi-Fi Sense. All of a sudden, an entire audience of strangers could potentially have access to your network.

Microsoft claims Wi-Fi Sense does not allow access to any devices or files on a given network. Guests may only use the Internet. However, there remains concern that hackers will be able to crack the encrypted password and gain access to the entire network.

While the potential for attack via Wi-Fi Sense isn't terribly great, you'll still want to proceed with caution.

If you don't want this feature to connect others to your network, alter your network name to include "_optout." Microsoft cites examples such as "mynetwork_optout" or "my_optout_network." This might be a good option for small businesses or homes where multiple people know the password and may share it.

Wi-Fi Sense was first introduced in Windows Phone, but received little attention, likely due to Microsft's tiny share of the mobile market. It has come under the spotlight as a feature in Windows 10 for PCs, which are used among a much larger population.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Kelly22
50%
50%
Kelly22,
User Rank: Strategist
7/31/2015 | 12:29:29 PM
Re: Time saver
It's definitely a timesaver and I think for most people, it's a handy tool. My concern would be for people handling sensitive info. One example: employees working from home, especially those with households of people who could share the WiFi password if they know it. In that case it might be smart to block your personal network.

One tweak I'd like to see is the ability to allow individual machines instead of entire social networks. I don't like the idea of sharing my password with my entire Facebook contact list..
Kelly22
50%
50%
Kelly22,
User Rank: Strategist
7/31/2015 | 12:25:26 PM
Re: Mechanics
When you choose to share access to a network, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server. From there, it's sent over an HTTPS connection to your contacts' PC or phone (if they're also on WiFi sense). Your device doesn't become a hotspot; your contact is using your password to log in to the network - they just don't know what it is.

 
InformationWeek Is Getting an Upgrade!

Find out more about our plans to improve the look, functionality, and performance of the InformationWeek site in the coming months.

Commentary
New Storage Trends Promise to Help Enterprises Handle a Data Avalanche
John Edwards, Technology Journalist & Author,  4/1/2021
Slideshows
11 Things IT Professionals Wish They Knew Earlier in Their Careers
Lisa Morgan, Freelance Writer,  4/6/2021
Commentary
How to Submit a Column to InformationWeek
InformationWeek Staff 4/9/2021
White Papers
Register for InformationWeek Newsletters
Video
Current Issue
Successful Strategies for Digital Transformation
Download this report to learn about the latest technologies and best practices or ensuring a successful transition from outdated business transformation tactics.
Slideshows
Flash Poll