Windows Wi-Fi Sense needs a rethink
Microsoft Wi-Fi Sense gives all your contacts access to your router

As users begin turning up to work with Windows 10 enabled on their BYOD devices, one feature known as Wi-Fi Sense will have IT security teams scrambling to understand the implications for their network.

The idea behind Windows 10 Wi-Fi Sense is to reduce the strain on users of managing Wi-Fi connections while they are on the move. Its first goal is to automatically sign users into any open Wi-Fi network that they encounter. There is some benefit to this, although it presupposes that open Wi-Fi is safe by default and that hackers are not spoofing the router name in your local coffee shop.

Its second goal is to sign users in automatically to any private network that their Outlook.com, Skype and Facebook contacts have shared with them, but ONLY after they have shared a network back to that contact. This clarification is in the Wi-Fi Sense FAQ under “What Does WiFi Sense do?”. The key here is that the two users need to have exchanged network access.

Does Wi-Fi Sense give everyone access to my networks?

Microsoft is very sensitive to the suggestion that Wi-Fi Sense will lead to an uncontrolled explosion of Wi-Fi access. By making it an initial requirement that users share a network with each other, it believes it will reduce concerns that details are widely spread. Microsoft also makes it clear that the two users will not get access to every network that the other person can see, only to networks that have been shared between the two users.

For example:

  • Mary shares her home network access with David and Jane who each share their home network access with Mary.
  • David then shares his work network with Mary as he knows she will be visiting him at work and will want access to the Wi-Fi while she waits.
  • Jane does not get access to David’s work network as he has only shared it with Mary.

The reason that Jane does not get access to David’s work network, despite them both being connected to Mary’s network, is that David has not shared access with Jane. Mary could share access, but she would need to know the password to the network in order to share it with Jane and, in this example, David didn’t give her that password.

This dispels one of the myths that once you are connected to someone you have access to every network they have access to. However, it does make it easier for people to share networks with third parties. At the moment there doesn’t seem to be a tool to track who has given what access to a third party. The fact that the user has explicitly shared access means there is a record of the action and this is something that IT security teams will want easy access to. At present, that isn’t something Microsoft has offered.

Wi-Fi Sense is not just on Windows 10. Windows Phone 8 is also capable of using Wi-Fi Sense and, while Windows Phone accounts for a very small number of devices, it still adds to the security risk.

Microsoft expects to have completed over 80 million Windows 10 upgrades by the middle of August and over 100 million by the end of August if not earlier. This means that there are a lot of devices that will potentially have access to your Wi-Fi router password.

Access only to the Internet

According to Microsoft, this will only give people access to the Internet. It will not enable them to access any open shares or data off the network. The problem with this is that Microsoft cannot give an absolute guarantee because someone will inevitably hack this capability. Once that happens, everything accessible via Wi-Fi will be open to the world.

Location data revealed even if turned off

One of the features that will cause concern with Wi-Fi Sense is that Microsoft freely admits it will do location discovery for the device even when that is turned off in the user settings. It claims it has to do this in order for Wi-Fi Sense to identify open Wi-Fi hotspots nearby to connect you to.

For privacy advocates this will raise a red flag that Microsoft needs to address.

How to turn it off

This is not simple. You need to:

  1. Disable everything under the Manage Wi-Fi setting tab in Windows 10.
  2. Tell Windows 10 to forget every Wi-Fi network you’ve come into contact with that you don’t want to share.

For most users step 2 will not be as easy as you think. Hotels, conferences, conference centres and businesses tend to use recognisable names. Friends, relatives and acquaintances who have given you access to their routers tend to leave them as Sky123456 or BT-Fon 454545. Identifying which you want to keep and which ones you don’t will inevitably leave most people deleting nothing.

If you want to stop anyone sharing access to your home router, or even a work router, the name of the router will need to be changed. The solution is appending “_optout” to the end of the router name. For example, FatPipe becomes FatPipe_optout.
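The renaming step above, planned across an inventory of network names, as an added example that is not part of the original article or Microsoft's tooling. It assumes the suffix is matched exactly as written, and it accounts for the 32-octet SSID limit in IEEE 802.11, which long names exceed once “_optout” is appended; the inventory is constructed sample data.

```python
from collections import Counter

SUFFIX = "_optout"      # opt-out marker described in the article
MAX_SSID_BYTES = 32     # IEEE 802.11 caps an SSID at 32 octets

# Constructed sample inventory of distinct network names (not real data).
SAMPLE_INVENTORY = [
    "FatPipe",
    "HomeNet_optout",
    "BT-Fon 454545",
    "Example-Corp-Guest-Floor-3-West",
    "Example-Corp-Guest-Floor-3-East",
]

def plan_rename(ssid):
    """Return (status, new_ssid) for one network name."""
    if ssid.endswith(SUFFIX):          # assumption: exact, case-sensitive match
        return ("ok", ssid)
    candidate = ssid + SUFFIX
    if len(candidate.encode("utf-8")) <= MAX_SSID_BYTES:
        return ("rename", candidate)
    # Too long once the suffix is added: trim whole characters from the
    # base name so a multi-byte character is never split.
    budget = MAX_SSID_BYTES - len(SUFFIX.encode("utf-8"))
    base = ssid
    while len(base.encode("utf-8")) > budget:
        base = base[:-1]
    return ("rename-truncated", base + SUFFIX)

def audit(ssids):
    """Plan every rename and flag names that would end up identical."""
    rows = [(s,) + plan_rename(s) for s in ssids]
    targets = Counter(new for _, _, new in rows)
    return [
        {"ssid": s, "status": status, "new_ssid": new,
         "collision": targets[new] > 1}
        for s, status, new in rows
    ]

if __name__ == "__main__":
    for row in audit(SAMPLE_INVENTORY):
        flag = "  <-- collides after truncation" if row["collision"] else ""
        print(f'{row["ssid"]!r:36} {row["status"]:17} {row["new_ssid"]!r}{flag}')
```

Renaming a network means every client has to rejoin under the new name, so truncated and colliding entries are worth resolving by hand before the change is rolled out.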

Conclusion

Over the next few weeks every company that has Windows 10 users will need to make a major security assessment. They will need to add “_optout” to the end of every router name. This is not an inconsequential task for any company and it will cost them a considerable amount of time and effort. They also need to add Windows 10 Wi-Fi Sense to their security risk register.

Microsoft will not like the suggestion that they are now part of the security risk to the business but there is no other way to deal with Wi-Fi Sense.

It will also be interesting to see how long the European Commission waits before it calls in Microsoft and tells them to make Wi-Fi Sense an opt-out feature by default. If they do take this step then they will also need to compel Microsoft to remove all cached encrypted passwords.
