July 7, 2015 By Douglas Bonderud

With the release of Windows Phone 8.1, Microsoft included a tool called Wi-Fi Sense that allowed users to share wireless connections among friends without the need for passwords. Since Windows Phone adoption isn’t exactly stellar, there wasn’t much press, but now Sense is making the jump to PCs and tablets with Windows 10. The problem? Microsoft’s sharing service wants to hand out encrypted Wi-Fi passwords to contacts from multiple sources, including Facebook, Skype and Outlook. This broad-spectrum access has a number of security experts wondering: Is Sense a feature or a flaw?

Share and Share Alike

According to CSO Online, the idea behind Wi-Fi Sense is simple: Give users better access to Wi-Fi by allowing automatic logins. So long as the network owner is running Windows 10, Sense is enabled by default; any contacts also using the operating system get automatically logged into the Wi-Fi network when they’re in range. The official FAQ said that the Wi-Fi password is first encrypted and then sent to secure Microsoft servers before it’s passed on to contacts requiring access. At no point do they see the password, but they are still granted full Internet access.

It’s worth noting that the service doesn’t work over 802.1X networks, which form the bulk of enterprise connections, and users can opt out by adding “_optout” at the end of their network name. But because Sense is automatically active with new Windows 10 installations, it’s clear that Microsoft wants to encourage sharing wherever possible. The problem? Not all users have the best intentions.

Windows 10 Asks: Who Are You?

When users configure Wi-Fi Sense, they’ll be asked for access to their Facebook contacts but not Outlook or Skype. As noted by How-To Geek, that’s because Microsoft doesn’t own Facebook, so Sense is treated like a third-party app, whereas the other programs are company property and therefore automatically linked to Sense. Once enabled, the tool allows contacts logged into any of these three services to access shared wireless networks when they’re in range.

But here’s where things get worrisome: Users can’t pick and choose who among their contacts has access. The result? All Facebook, Skype and Outlook contacts, from best friends to mere acquaintances, get the same level of access. Users in the habit of accepting any Facebook friend request that comes their way or who use Skype for business could find themselves with a local network full of unknown hangers-on.

Of course, Microsoft stated that wireless passwords will be strongly encrypted on owner devices and login data will be securely stored on corporate servers, making it impossible for malicious actors to access the PCs of other users or change administrator settings. But just like Google’s LinkNYC project — which turns old New York phone booths into wireless hotspots — effective security depends on technology giants making good on their promises of encryption, and they’re keeping those encryption details close to the chest. If cybercriminals manage to compromise New York City wireless hubs or hack the admin password of a Sense network, these assurances are null and void, and users are left cleaning up the mess.

Windows 10 wants to make Wi-Fi sharing the de facto standard by removing the need to manually share passwords. But with the feature automatically enabled and offering limited user oversight, it may be too much, too fast. Sometimes it’s OK not to share.
