Wi-Fi sensibility: Not really risky, but not really needed

Windows 10--bear with me--has shipped, but this column isn't about the new operating system, which has received generally positive reviews from our friends at PCWorld and elsewhere. Rather, it's about a feature that started receiving attention a few weeks before release and more on the ship date: Wi-Fi Sense.

Wi-Fi Sense allows Windows 10 users to connect automatically to open Wi-Fi networks, as well as to share access to Wi-Fi networks for which they have passwords. The former isn't controversial at all: iOS has for several releases allowed carriers to set up automatic connections to networks they run or partner with, and many apps for mobile devices and computers do the same.

The latter could be a problem. The case has been both overstated and understated, and it's tangential to you if you don't use Windows 10 (including Windows 10 Mobile), but your networks are still affected by what Windows 10 users who hold your passwords choose to share.

Senseless Wi-Fi lends

A Windows 10 user logged into a Microsoft account with Wi-Fi Sense active (which is on by default, but can be turned off) who is given or has a password to a Wi-Fi network that uses "personal" style protection (a single pre-shared key) can opt to share access to that network with anyone in her or his Outlook.com contacts, Facebook friends, and Skype contacts. The system doesn't share "enterprise" flavors (such as the dominant WPA2 Enterprise), which use 802.1X and require individual user certificates or user-and-password logins.

Any Windows 10 user can access networks shared by other Windows 10 users who include him or her in their contacts, unless either party disables the feature. The proviso is that one can only use shared Wi-Fi network information if one has already shared a network oneself. If someone never participates by using Wi-Fi Sense to share, that person never gains access to contacts' shared networks.

Microsoft's implementation sounds reasonably clever. The Wi-Fi password is encrypted and sent over a secure connection from the Windows 10 system that joins the network. However, this relies on Microsoft managing the encryption keys. Microsoft notes, "Your contacts don't get to see your password, and you don't get to see theirs," and while that's true, the password must still be decrypted on the recipient's Windows 10 machine in order to join the network, and Microsoft holds the keys that make that possible.

Microsoft only allows first-degree sharing--the person connecting to a network can share only with their own contacts, and those contacts cannot share in turn with others. It also requires that, for each network joined with a typed-in password, the user must explicitly agree to share it, and can choose over which social networks the Wi-Fi network is shared.

(Earlier reports either said or implied that the default Wi-Fi Sense setting not just opted users into being able to use it, but automatically shared joined networks. Colleague Ed Bott put the kibosh on that.)

This prevents an actual network effect, in which sharing a network would quickly cascade across six degrees (whether Kevin Bacon is involved or not), so that within a few weeks every Windows 10 user would have access to every network shared by any Windows 10 user.
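To make the difference concrete, here is a small model of the sharing rules the column describes (a sharer's contacts get access; you get nothing until you have shared something yourself; recipients cannot re-share), run against a hypothetical transitive variant in which recipients could pass access on. This is example code added here, not Microsoft's implementation, and the contact graph and network names are constructed.

```python
"""Model of Wi-Fi Sense first-degree sharing versus a transitive cascade.

Added example, not Microsoft code. Rules modelled from the column:
  1. A sharer's contacts can reach the networks that sharer has shared.
  2. A user who has never shared a network of their own gets nothing.
  3. (first-degree) A recipient cannot pass shared access on to others.
With transitive=True, rule 3 is dropped to show the cascade Microsoft avoided.
"""
from collections import deque

# Constructed sample data: who lists whom as a contact (directed), and which
# networks each person holds a password for and has chosen to share.
CONTACTS = {
    "alice": {"bob", "carol"},
    "bob":   {"alice", "dave"},
    "carol": {"alice"},
    "dave":  {"bob", "erin"},
    "erin":  {"dave"},
}
SHARED = {
    "alice": {"AliceHome"},
    "bob":   {"BobCafe"},
    "carol": set(),
    "dave":  set(),
    "erin":  {"ErinOffice"},
}


def sharers_to(user):
    """People who list `user` as a contact, i.e. who would share with `user`."""
    return {s for s, contacts in CONTACTS.items() if user in contacts}


def visible_networks(user, transitive=False):
    """Return the set of shared networks `user` can join.

    First-degree: only networks shared directly by people who list `user`.
    Transitive: breadth-first over the reversed contact graph, so access
    received by an intermediary is passed along to their contacts too.
    """
    if not SHARED[user]:          # rule 2: non-participants get nothing
        return set()
    networks = set()
    seen = {user}
    queue = deque(sharers_to(user))
    while queue:
        sharer = queue.popleft()
        if sharer in seen:
            continue
        seen.add(sharer)
        networks |= SHARED[sharer]      # rule 1
        if transitive:                  # rule 3 dropped: keep walking
            queue.extend(sharers_to(sharer))
    return networks


if __name__ == "__main__":
    for person in CONTACTS:
        print(f"{person:6} first-degree={sorted(visible_networks(person))}"
              f" transitive={sorted(visible_networks(person, transitive=True))}")
```

With the first-degree rule, alice sees only BobCafe; under the transitive variant she also reaches ErinOffice three hops away, which is exactly the cascade the column says the design prevents. Carol, who has shared nothing, sees nothing in either mode.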

Windows 10 also imposes a kind of local firewall on users who access a network through Wi-Fi Sense, very similar to the Guest network feature added to Apple base stations a few years ago. Locally available resources--computers, home-sensing devices, printers, and the like--can't be reached, because Windows doesn't provide network routes to them; only Internet access is offered.

Sense and Sense's ability

Microsoft's approach is better thought out than the advance word led me to believe. At each opportunity for access to spread farther or potentially expose network users, they've clamped it down. However, it does introduce risk by letting first-degree acquaintances of a password holder onto the network, if that holder chooses to share it.

As with all such risks, the question is how useful that weakness would be to exploit, and how much effort it would take. Malware targeting Windows 10 could potentially intercept or decipher passwords delivered for network access. (The passwords must be locally cached in some fashion: without Wi-Fi network access, Windows couldn't request the encrypted form on demand to connect to the network in question, so the material needed to join has to be on the device before it connects.)

And while Windows 10 blocks access to local resources, malware could conceivably bypass that restriction, and the block doesn't exist at all if someone recovers the plaintext password. On balance, though, even assuming such malware could be developed, it seems unlikely that this vector would harvest enough useful passwords or network access to be worthwhile, because the value of a Wi-Fi password lies only in physical proximity to the network. A Wi-Fi password doesn't help with a remote network break-in.

Apple chose a very different approach with syncing Wi-Fi passwords. Starting in iOS 7.0.3 and OS X 10.9, enabling iCloud Keychain copies Wi-Fi passwords among all devices that use the same iCloud login and likewise have the keychain feature enabled. This is nice at coffee shops: I've logged in using a password on my iPhone, and then my laptop automatically connects a moment later. Passwords are protected using encryption keys particular to you. Even though they're synced via iCloud, Apple lacks the pieces necessary to decrypt those items. (This is distinct from photos, contacts, and the like that can also be viewed at iCloud.com, which by necessity Apple has to decrypt to show to you.)

Microsoft provides a couple of different opt-out methods. Windows 10 users can disable the feature (Settings > Network & Internet > Wi-Fi > Manage Wi-Fi settings). As soon as a Windows 10 user turns off Wi-Fi connection sharing, all of that person's entries are no longer available to contacts, and vice versa.

And there's an opt-out at the base-station level, if you want your network to remain unusable by Windows 10 people you know. Microsoft says to add _optout anywhere in the network's name, such as Glenn Home Network_optout or even Hey_optout_this_network. (An SSID is limited to 32 bytes, so a long name may need shortening before the seven-character marker will fit.) That's similar to Google's _nomap option, which prevents a base station's inclusion as a data point in Google Location Services.
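A quick way to check a proposed network name against both opt-out markers, and to append one without silently exceeding the SSID length limit, as an added example (not Microsoft or Google tooling). It assumes the Wi-Fi Sense match is a case-insensitive substring test, as the column's "anywhere in the network's name" suggests, and that _nomap is honoured as a suffix, which is how Google documents it; both are labelled as assumptions in the code.

```python
"""Check and apply the _optout (Wi-Fi Sense) and _nomap (Google Location
Services) SSID markers. Added example; not vendor code. The matching rules
below are assumptions drawn from public descriptions, not from vendor source.
"""

SSID_MAX_BYTES = 32  # IEEE 802.11 SSID element limit (octets, not characters)

WIFI_SENSE_MARKER = "_optout"   # assumed: matched anywhere, case-insensitively
GOOGLE_MARKER = "_nomap"        # assumed: matched as a suffix, case-insensitively


def opt_out_status(ssid: str) -> dict:
    """Report which opt-outs a network name asserts."""
    name = ssid.lower()
    return {
        "wifi_sense": WIFI_SENSE_MARKER in name,
        "google_location": name.endswith(GOOGLE_MARKER),
    }


def fits_ssid(ssid: str) -> bool:
    """True if the name encodes to at most 32 bytes of UTF-8."""
    return len(ssid.encode("utf-8")) <= SSID_MAX_BYTES


def add_marker(ssid: str, marker: str = WIFI_SENSE_MARKER) -> str:
    """Append `marker` unless already present; refuse to overflow the SSID.

    Raises ValueError when the result would exceed 32 bytes, so a caller
    renaming base stations gets an error rather than a truncated name.
    """
    if marker.lower() in ssid.lower():
        return ssid
    candidate = ssid + marker
    if not fits_ssid(candidate):
        raise ValueError(
            f"{candidate!r} is {len(candidate.encode('utf-8'))} bytes; "
            f"shorten the base name so the result fits in {SSID_MAX_BYTES}"
        )
    return candidate


if __name__ == "__main__":
    # Constructed sample names from the column plus one over-length case.
    for name in ["Glenn Home Network", "Glenn Home Network_optout",
                 "Hey_optout_this_network", "Home_optout_nomap", "A" * 26]:
        try:
            renamed = add_marker(name)
        except ValueError as err:
            renamed = f"REJECTED ({err})"
        print(f"{name!r:30} -> {renamed!r:40} {opt_out_status(name)}")
```

Note that both markers can coexist: build "Home_optout" first and then append "_nomap", which keeps _nomap at the end where Google expects it while _optout remains somewhere in the name.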

An AirPort base station user can make this configuration change by launching AirPort Utility, selecting the base station, and clicking Edit (enter its password if prompted). In the Wireless tab in OS X, rename the network in Wireless Network Name. If you have multiple base stations with the same name for roaming, rename all of them identically.

This is a hassle, because the changed name means every device that connects to the base station has to be re-associated with the new name and the password entered again on each one, except for devices synced via iCloud Keychain once you've entered it on the first.

Obviously, changing a network's password will prevent the shared version from working until the sharing user updates the connection, if they're even given the new password. But it has the same problem of requiring re-entering the password on routinely connected devices.

Should Microsoft have deployed this feature? I suppose. It seems like guest networking, widely available on Apple and non-Apple Wi-Fi routers, is an easier solution. For users who are capable of entering a password correctly and choosing to share it, enabling guest networking on a modern router doesn't seem impossibly difficult, and it's easier to control or change.

It has such a feel of a marquee feature that sounds good, but in practice offers very little to the most likely users. But it doesn't seem to open up networks to easy exploitation or on any real scale.

Stories by Glenn Fleishman