Security experts have raised concerns about a new feature in Windows 10 that allows users to automatically share access to their Wi-Fi network log-in credentials to friends and family wirelessly.
Wi-Fi Sense was introduced in Windows Phone 8.1 and is designed to make it as easy as possible for users to connect to open hotspots by automatically connecting them to public Wi-Fi and providing information to networks when necessary.
But it also allows people to share their own Wi-Fi networks with Facebook, Skype or Outlook.com contacts without the need to share their passwords. This, it is claimed, makes it simpler to access friend’s Wi-Fi and means you don’t have to give up your credentials.
The company stresses that all information is encrypted and that guest users cannot change passwords or access any other device on the network, just web browsing.
“For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared,” it said.”
“Remember, you don’t get to see Wi-Fi network passwords, and you both get Internet access only. They won’t have access to other computers, devices, or files stored on your home network, and you won’t have access to these things on their network.”
All of these features are optional and can be switched off in the settings menu, but experts are questioning whether the convenience is worth the obvious security risks of transmitting such information wirelessly and allowing “contacts” to let devices connect to possibly unsafe networks.
“With any contact having potential access to your network we need to take extra care before allowing this default option to be active. That said though, it’s no less secure than having the Wi-Fi password printed and stuck to the office wall, as with most “ease-of-use” options you need to apply it to you situation and see if it’s a viable option.”
“Without getting into how secure the implementation is and whether an attacker can get hold of cleartext Wi-Fi password or not, this is a perfect example of how convenience makes us vulnerable,” added Amichai Shulman, CTO of Imperva. “It is clear that this type of feature allows our contacts (which we don’t always actually know) connect to the same network we’re connected to and at the same time it can probably allow someone in our contacts list to force our device into connecting to an unsecure Wi-Fi network.
“Whether this capability picks up or not depends entirely on how useful it is or how disruptive it is (e.g. if your device constantly jumps between networks it may not be very convenient) and not on how secure it is perceived. This particular capability is yet another indicator to how fragile our definition of perimeter is, and as a consequence the need for enterprises to invest in security solutions around the data resources rather than around ‘perimeter’.”
One way avoid Wi-Fi Sense altogether is to add “_optout” into the SSID of your Wi-Fi network, and of course, change your Wi-Fi password altogether.
Take our Microsoft quiz here!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…