‘Wi-Fi Sense’ Vulnerability in Windows 10, the “Most Secure Windows Yet”
With Wi-Fi Sense enabled, Windows 10 will automatically sign you into open Wi-Fi networks, as well as private networks that your Outlook.com, Skype, and Facebook contacts have logged into, so you won’t have to manually sign into the network when you visit your buddy’s house.
First, a bit of anti-scaremongering. Welcome to the very weird and insecure world of Wi-Fi Sense.
As a Windows Phone user, I’ve been using both aspects of Wi-Fi Sense for almost a year on my Nokia Lumia 1520. The password(s) is always encrypted before being shared to one’s contacts.
With that out of the way, let’s talk a little bit about how Wi-Fi Sense works in Windows 10.
With Windows 10, Microsoft is more closely uniting its operating systems that run tablets, phones, and desktops.
Like a few other Windows 10 features, Wi-Fi Sense started its life in Windows Phone. You can use any combination of Outlook, Skype and Facebook, so you can prevent your Facebook friends from ever getting access if you would like. One such feature is Wi-Fi Sense, which has many security enthusiasts and users alike anxious. Another issue is how Wi-Fi Sense goes about sharing to social networks. Unless prompted otherwise, the OS will share your Wi-Fi passwords, albeit encrypted, with your Outlook, Skype, and Facebook friends and contacts.
Fortunately, it appears that Wi-Fi Sense does not share credentials from networks that are secured with additional authentication protocols, such as corporate networks that use 802.1X EAP. Wi-Fi Sense can do this first step for you.
But that’s not the only problem with Wi-Fi Sense. Wi-Fi Sense is enabled by default in Build 10240 of Windows 10; if you choose “Express Settings”, Microsoft enables the option and allows your device to acquire Wi-Fi passwords from friends and to share your password with the same group of people. And it just so happens that this relatively lax attitude towards privacy underwrites the business model of multi-billion-dollar corporations, many of whom seek ever-more lenient rules on what they can and cannot do with your personal information.
Corporate networks notwithstanding (and you shouldn’t share those networks with Wi-Fi Sense anyway), most people give out their Wi-Fi keys freely. Connecting to a Wi-Fi network in Windows 10 is much the same as in Windows 8. Security firms have repeatedly advised users not to connect to an open Wi-Fi network. Depending on Microsoft’s infosec protocols, this is either completely fine and dandy, or a potential goldmine for wardriving hackers. There are definitely occasions when having your computer share your Wi-Fi password could be bad, but it’s not likely to be the great security risk that some are making it out to be.
When Outlook, Skype and Facebook are connected, the password is shared with all of your contacts on those platforms. So, for example, if Adam shares a passkey with Beth via Wi-Fi Sense, Beth cannot then use Wi-Fi Sense to share Adam’s passkey with her friend Cathleen. For most users, the added convenience of Wi-Fi Sense will probably win out.
When you install Windows 10, you might want to turn it off. Here’s why.
How do I turn Wi-Fi Sense off? Considering most Facebook friends lists range from “close family” to “some guy you vaguely remember from second grade”, some more granularity there would be nice. In the settings applet that pops up, click “Manage Wi-Fi settings”.
Krebs recommends opting out of Wi-Fi Sense and tells Windows users to “change your Wi-Fi network name/SSID to something that includes the terms ‘_nomap_optout’ – a move that should also keep Google from mapping your network’s location”. That’s something Microsoft really ought to have addressed when it brought the feature over from Windows Phone; just because I want to share this kind of data with some people doesn’t mean I want to share it with everyone.