July 7, 2015 By Douglas Bonderud 2 min read

With the release of Windows Phone 8.1, Microsoft included a tool called Wi-Fi Sense that allowed users to share wireless connections among friends without the need for passwords. Since Windows Phone adoption isn’t exactly stellar, there wasn’t much press, but now Sense is making the jump to PCs and tablets with Windows 10. The problem? Microsoft’s sharing service wants to hand out encrypted Wi-Fi passwords to contacts from multiple sources, including Facebook, Skype and Outlook. This broad-spectrum access has a number of security experts wondering: Is Sense a feature or a flaw?

Share and Share Alike

According to CSO Online, the idea behind Wi-Fi Sense is simple: Give users better access to Wi-Fi by allowing automatic logins. So long as the network owner is running Windows 10, Sense is enabled by default; any contacts also using the operating system get automatically logged into the Wi-Fi network when they’re in range. The official FAQ said that the Wi-Fi password is first encrypted and then sent to secure Microsoft servers before it’s passed on to contacts requiring access. At no point do they see the password, but they are still granted full Internet access.

It’s worth noting that the service doesn’t work over 802.1X networks, which form the bulk of enterprise connections, and users can opt out by adding “_optout” at the end of their network name. But because Sense is automatically active with new Windows 10 installations, it’s clear that Microsoft wants to encourage sharing wherever possible. The problem? Not all users have the best intentions.

Windows 10 Asks: Who Are You?

When users configure Wi-Fi Sense, they’ll be asked for access to their Facebook contacts but not Outlook or Skype. As noted by How-To Geek, that’s because Microsoft doesn’t own Facebook, so Sense is treated like a third-party app, whereas the other programs are company property and therefore automatically linked to Sense. Once enabled, the tool allows contacts logged into any of these three services to access shared wireless networks when they’re in range.

But here’s where things get worrisome: Users can’t pick and chose who among their contacts has access. The result? All Facebook, Skype and Outlook contacts, from best friends to mere acquaintances, get the same level of access. Users in the habit of accepting any Facebook friend request that comes their way or who use Skype for business could find themselves with a local network full of unknown hangers-on.

Of course, Microsoft stated that wireless passwords will be strongly encrypted on owner devices and login data will be securely stored on corporate servers, making it impossible for malicious actors to access the PCs of other users or change administrator settings. But just like Google’s LinkNYC project — which turns old New York phone booths into wireless hotspots — effective security depends on technology giants making good on their promises of encryption, and they’re keeping those encryption details close to the chest. If cybercriminals manage to compromise New York City wireless hubs or hack the admin password of a Sense network, these assurances are null and void, and users are left cleaning up the mess.

Windows 10 wants to make Wi-Fi sharing the de facto standard by removing the need to manually share passwords. But with the feature automatically enabled and offering limited user oversight, it may be too much, too fast. Sometimes it’s OK not to share.

More from

Cyberattack on American Water: A warning to critical infrastructure

3 min read - American Water, the largest publicly traded United States water and wastewater utility, recently experienced a cybersecurity incident that forced the company to disconnect key systems, including its customer billing platform. As the company’s investigation continues, there are growing concerns about the vulnerabilities that persist in the water sector, which has increasingly become a target for cyberattacks. The breach is a stark reminder of the critical infrastructure risks that have long plagued the industry. While the water utility has confirmed that…

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Quishing: A growing threat hiding in plain sight

4 min read - Our mobile devices go everywhere we go, and we can use them for almost anything. For businesses, the accessibility of mobile devices has also made it easier to create more interactive ways to introduce new products and services while improving user experiences across different industries. Quick-response (QR) codes are a good example of this in action and help mobile devices quickly navigate to web pages or install new software by simply scanning an image.However, legitimate organizations aren’t the only ones…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today