With the release of Windows Phone 8.1, Microsoft included a tool called Wi-Fi Sense that allowed users to share wireless connections among friends without the need for passwords. Since Windows Phone adoption isn’t exactly stellar, there wasn’t much press, but now Sense is making the jump to PCs and tablets with Windows 10. The problem? Microsoft’s sharing service wants to hand out encrypted Wi-Fi passwords to contacts from multiple sources, including Facebook, Skype and Outlook. This broad-spectrum access has a number of security experts wondering: Is Sense a feature or a flaw?
Share and Share Alike
According to CSO Online, the idea behind Wi-Fi Sense is simple: Give users better access to Wi-Fi by allowing automatic logins. So long as the network owner is running Windows 10, Sense is enabled by default; any contacts also using the operating system get automatically logged into the Wi-Fi network when they’re in range. The official FAQ said that the Wi-Fi password is first encrypted and then sent to secure Microsoft servers before it’s passed on to contacts requiring access. At no point do they see the password, but they are still granted full Internet access.
It’s worth noting that the service doesn’t work over 802.1X networks, which form the bulk of enterprise connections, and users can opt out by adding “_optout” at the end of their network name. But because Sense is automatically active with new Windows 10 installations, it’s clear that Microsoft wants to encourage sharing wherever possible. The problem? Not all users have the best intentions.
Windows 10 Asks: Who Are You?
When users configure Wi-Fi Sense, they’ll be asked for access to their Facebook contacts but not Outlook or Skype. As noted by How-To Geek, that’s because Microsoft doesn’t own Facebook, so Sense is treated like a third-party app, whereas the other programs are company property and therefore automatically linked to Sense. Once enabled, the tool allows contacts logged into any of these three services to access shared wireless networks when they’re in range.
But here’s where things get worrisome: Users can’t pick and chose who among their contacts has access. The result? All Facebook, Skype and Outlook contacts, from best friends to mere acquaintances, get the same level of access. Users in the habit of accepting any Facebook friend request that comes their way or who use Skype for business could find themselves with a local network full of unknown hangers-on.
Of course, Microsoft stated that wireless passwords will be strongly encrypted on owner devices and login data will be securely stored on corporate servers, making it impossible for malicious actors to access the PCs of other users or change administrator settings. But just like Google’s LinkNYC project — which turns old New York phone booths into wireless hotspots — effective security depends on technology giants making good on their promises of encryption, and they’re keeping those encryption details close to the chest. If cybercriminals manage to compromise New York City wireless hubs or hack the admin password of a Sense network, these assurances are null and void, and users are left cleaning up the mess.
Windows 10 wants to make Wi-Fi sharing the de facto standard by removing the need to manually share passwords. But with the feature automatically enabled and offering limited user oversight, it may be too much, too fast. Sometimes it’s OK not to share.