July 7, 2015 By Douglas Bonderud

With the release of Windows Phone 8.1, Microsoft included a tool called Wi-Fi Sense that allowed users to share wireless connections among friends without the need for passwords. Since Windows Phone adoption isn’t exactly stellar, there wasn’t much press, but now Sense is making the jump to PCs and tablets with Windows 10. The problem? Microsoft’s sharing service wants to hand out encrypted Wi-Fi passwords to contacts from multiple sources, including Facebook, Skype and Outlook. This broad-spectrum access has a number of security experts wondering: Is Sense a feature or a flaw?

Share and Share Alike

According to CSO Online, the idea behind Wi-Fi Sense is simple: Give users better access to Wi-Fi by allowing automatic logins. So long as the network owner is running Windows 10, Sense is enabled by default; any contacts also using the operating system get automatically logged into the Wi-Fi network when they’re in range. The official FAQ said that the Wi-Fi password is first encrypted and then sent to secure Microsoft servers before it’s passed on to contacts requiring access. At no point do those contacts see the password, but they are still granted full Internet access.

It’s worth noting that the service doesn’t work over 802.1X networks, which form the bulk of enterprise connections, and users can opt out by adding “_optout” at the end of their network name. But because Sense is automatically active with new Windows 10 installations, it’s clear that Microsoft wants to encourage sharing wherever possible. The problem? Not all users have the best intentions.

Windows 10 Asks: Who Are You?

When users configure Wi-Fi Sense, they’ll be asked for access to their Facebook contacts but not Outlook or Skype. As noted by How-To Geek, that’s because Microsoft doesn’t own Facebook, so Sense is treated like a third-party app, whereas the other programs are company property and therefore automatically linked to Sense. Once enabled, the tool allows contacts logged into any of these three services to access shared wireless networks when they’re in range.

But here’s where things get worrisome: Users can’t pick and choose who among their contacts has access. The result? All Facebook, Skype and Outlook contacts, from best friends to mere acquaintances, get the same level of access. Users in the habit of accepting any Facebook friend request that comes their way or who use Skype for business could find themselves with a local network full of unknown hangers-on.

Of course, Microsoft stated that wireless passwords will be strongly encrypted on owner devices and login data will be securely stored on corporate servers, making it impossible for malicious actors to access the PCs of other users or change administrator settings. But just like Google’s LinkNYC project — which turns old New York phone booths into wireless hotspots — effective security depends on technology giants making good on their promises of encryption, and they’re keeping those encryption details close to the chest. If cybercriminals manage to compromise New York City wireless hubs or hack the admin password of a Sense network, these assurances are null and void, and users are left cleaning up the mess.

Windows 10 wants to make Wi-Fi sharing the de facto standard by removing the need to manually share passwords. But with the feature automatically enabled and offering limited user oversight, it may be too much, too fast. Sometimes it’s OK not to share.
