Security experts question wisdom of automatically sharing Wi-Fi credentials to contacts over-the-air with Windows 10
Security experts have raised concerns about a new feature in Windows 10 that allows users to automatically share access to their Wi-Fi network log-in credentials with friends and family wirelessly.
Wi-Fi Sense was introduced in Windows Phone 8.1 and is designed to make it as easy as possible for users to connect to open hotspots by automatically connecting them to public Wi-Fi and providing information to networks when necessary.
But it also allows people to share their own Wi-Fi networks with Facebook, Skype or Outlook.com contacts without the need to share their passwords. This, it is claimed, makes it simpler to access a friend’s Wi-Fi and means you don’t have to give up your credentials.
“Your contacts and friends are then automatically connected to the Wi-Fi network you share if they’re using Wi-Fi Sense on their Windows Phone,” said Microsoft. “Likewise, your phone will automatically connect to Wi-Fi networks they share with you to give you Internet access.”
The company stresses that all information is encrypted and that guest users cannot change passwords or access any other device on the network; they get web browsing only.
“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” it said.
“Remember, you don’t get to see Wi-Fi network passwords, and you both get Internet access only. They won’t have access to other computers, devices, or files stored on your home network, and you won’t have access to these things on their network.”
All of these features are optional and can be switched off in the settings menu, but experts are questioning whether the convenience is worth the obvious security risks of transmitting such information wirelessly and allowing “contacts” to let devices connect to possibly unsafe networks.
“According to Microsoft the Wi-Fi password is sent over an encrypted connection and only provides internet access and no network access,” said Mark James, security specialist at ESET. “However, how secure this is remains to be seen. In theory if the password is being sent then it’s capable of being compromised, the idea behind this is great for family and friends but not so great for most business environments.
“With any contact having potential access to your network we need to take extra care before allowing this default option to be active. That said though, it’s no less secure than having the Wi-Fi password printed and stuck to the office wall, as with most “ease-of-use” options you need to apply it to your situation and see if it’s a viable option.”
“Without getting into how secure the implementation is and whether an attacker can get hold of cleartext Wi-Fi password or not, this is a perfect example of how convenience makes us vulnerable,” added Amichai Shulman, CTO of Imperva. “It is clear that this type of feature allows our contacts (which we don’t always actually know) to connect to the same network we’re connected to and at the same time it can probably allow someone in our contacts list to force our device into connecting to an unsecure Wi-Fi network.
“Whether this capability picks up or not depends entirely on how useful it is or how disruptive it is (e.g. if your device constantly jumps between networks it may not be very convenient) and not on how secure it is perceived. This particular capability is yet another indicator to how fragile our definition of perimeter is, and as a consequence the need for enterprises to invest in security solutions around the data resources rather than around ‘perimeter’.”
One way to avoid Wi-Fi Sense altogether is to add “_optout” into the SSID of your Wi-Fi network, and of course, change your Wi-Fi password altogether.