Windows 10: Wi-Fi Sense makes no security sense at all
Davey Winder is concerned about the implications of a new Windows 10 feature...
Would you share your Wi-Fi password with your Facebook friends, or your Skype and Outlook.com contacts for that matter? Microsoft thinks you should, and so makes this a default setting of Windows 10. Welcome to the very weird and insecure world of Wi-Fi Sense.
There is no official press launch for Windows 10, but there is an invite only 'fan celebration' the night that the new operating system goes public. I will be there, despite my fan status being debatable, but I will not be raising a glass to one aspect of Windows 10 that makes no sense whatsoever to me: Wi-Fi Sense. By rights this should be renamed by Microsoft to Wi-Fi No Sense At All because it really is one of the silliest things to emerge from Seattle since Windows Me.
Seriously, this is such a badly thought out 'feature' of Windows 10 that goes way beyond the irony of the naming process. Essentially it's moving something that has been part of the Windows Phone world for a while now into the mainstream courtesy of the launch of Windows 10.
What is it? It's three things that you need to be concerned about: firstly it's a method of sharing your Wi-Fi password in an encrypted form to your contacts including Facebook friends so they can connect to your Wi-Fi networks if they are within range, secondly it's turned on by default and thirdly it's a security car crash.
Let's look at these three points in turn. Number one is the what it does, but we should really be asking why we need it to do this at all. It rather assumes that when a friend of mine comes and visits then it is somehow way too problematical for them to ask what the Wi-Fi password is, or for me to have a guest account set up for them to use.
Instead, Microsoft thinks that this process should be automated so that any friend that visits gets access courtesy of the password being sent to them once in range. There are some provisos here, such as the friend (or business contact) needing to be using Windows 10 (or a Wi-Fi enabled device) themselves and being one of your named contacts to start with. I'm not convinced that this is a great time saver or convenience, certainly not for the average small business owner and it's usefulness is doubtful even in the home.
Number two, the fact that it's on by default, is a real no-no for me. Anything with a potential negative impact upon my security (and more of that in a moment) should be opt in not opt out. OK, so some may say that a check box giving you the option to opt out when you first connect to a wireless network is enough to make it a non-problem. Wrong. Windows 10 will keep your saved Wi-Fi passwords if you've taken the upgrade path that most will given the current 'free offer' so all the previously saved networks will get the automatic password sharing treatment by default.
Which leads me on my most pressing concern, and that's the small matter of security. There is a reason that we security types bang on about not sharing passwords willy nilly, and that rather obviously is that it broadens the attack surface.
The more people who have your password so the more dilute the security of whatever it unlocks access to becomes. There is an argument which says that, for the home user at any rate, Wi-Fi Sense is more practical than giving your password out to John when he visits and then changing it after he's left to remain secure. More practical and secure, because the password is never revealed to John (it's encrypted) just access is granted automatically.
The flaws in this argument are many and varied, but we can boil them down to the simple fact that for Wi-Fi Sense to work at all that encrypted password must be stored centrally by Microsoft ("stored in an encrypted file on a Microsoft server' according to Microsoft itself) and copied to the Windows 10 (or Windows Phone) device that John is using.
The insecurity logic is fairly straightforward here: if the device connects to your protected Wi-Fi network then it needs to know the key, if the device knows the key then a hacker will eventually determine how to find that key and also use it to gain network access. Similarly, while Microsoft insists that Wi-Fi Sense only provides the user with internet access and nothing else on the wireless LAN, so no access to other computers or files, it remains to be seen how well this stands up in the face of a determined attacker. Surely it would be far better to not default to such a potentially insecure regime in the first place? What the hell is wrong with a secured guest account anyway?
So how do you remove this from your newly updated Windows 10 machine? Thankfully that appears to be fairly simple: go to Wi-Fi|Network Settings|Manage Wi-Fi Settings and then just uncheck everything. It's a pain, and most people won't do it because they won't even know that Windows 10 is sharing their passwords in this fashion, but it's the only secure way forwards at the moment beyond not upgrading to Windows 10 in the first place.
Or is it? Well no, it's not; I lied. And here is where things start getting really insecure, and Microsoft is guilty of an almighty cock-up in the 'what the hell are we thinking' department. Even if you disable Wi-Fi Sense on your own computer, anyone who does connect to it with a Wi-Fi Sense enabled device (someone you have given the password to, that you do want to have access) and who hasn't opted out will inadvertently pass your password on to their Facebook friends and other contacts.
Yep, friends of friends will now have access to your wireless network if they are within range. I'm not quite sure that getting everyone who connects to your network to sign a disclaimer that they have disabled Wi-Fi Sense is realistic outside of a Sheldon Cooper view of the world, so the only way to get out of this self-propagating insecurity loop is to use something of a security kludge that Microsoft makes available. You have to change the name of your SSID for every wireless network by appending _optout to disable Wi-Fi Sense completely. Unfortunately, Google Location Services also uses a SSID optout command (_nomap) for those not wanting Google Maps and other services to know where they are. To use both you have to place the _nomap optout last in the pecking order like this: _optout_nomap.
Still think that 'Sense' is an apt name for this feature? I don't, and unless you are insane or work for the Windows 10 development team I doubt you will either...