Microsoft’s Newest Security Nightmare – WiFi Sense

With Windows 10 (and previously, Windows 8.1 phone), Microsoft has created a way for you to share WiFi passwords without revealing them – sort of.  In my opinion, and in the opinion of a lot of other security professionals, this is a complete security disaster.  There are some things that you can do to mitigate the security disaster, but you should not have to.


First, what did they do?  With WiFi Sense turned on, you have the ability to share the WiFi password of WiFi networks that you connect to with your Facebook friends, Skype buddies and contacts.  Microsoft does it behind the scenes, but they take the password, store it on their server and distribute it to your friends if they are in range.

You can control whether you share it with your Facebook, Skype, Outlook.Com and Hotmail contacts but ONLY at the SERVICE level.  If you say yes to Facebook, then you are agreeing to share it with all 7,429 of your Facebook friends.

I have seen reports that it is enabled by default and other reports that it is disabled by default and still other reports that it is enabled if you specify express setup.

It is also unclear what happens if you disable WiFi Sense but someone that you gave your WiFi password to has it turned on: does YOUR WiFi password get shared?  They don’t answer that question.  I suspect the answer is yes.

You can opt out of this, but in order to do that, you have to rename your access point.  If your WiFi name is MitchsWifi, you have to rename it to MitchsWifi_Optout.

Microsoft CLAIMS that people who receive your WiFi password won’t be able to get to your internal computers, only the Internet.  I believe that about as much as I believe the federal budget will be balanced next year.

If you also don’t want Google to map (on Google Maps) your WiFi, you have to add _Nomap to its name.  If you don’t, then Google will map the address of your WiFi in the public Google maps.  From the example above, if you don’t want Google or Microsoft to help you out, you would have to name your WiFi MitchsWifi_Nomap_Optout.  That sure is friendly.

One other thing.  Microsoft will also answer standard questions that an access point might ask, like your name and email, and accept the terms of service for you.

The last one is really cool.  What happens if Microsoft does accept the terms of service for you and you do something really evil.  The owner finds out and says that you violated the agreement and do whatever they can do, like take your first born child.  You say that not only did I not agree to those terms of service, I never even saw them.  I believe (and believing anything when it comes to the law is always dicey), that the court would say that there was no way for someone to be bound to the terms of an agreement that they never saw or even had reason to know that it existed, since many WiFi hotspots do not present a terms of service agreement.  I hope, maybe, that it just fills in the blanks but doesn’t click enter.

Finally, if you have it enabled, you could be connected to any number of seamy WiFi access points without you being aware.  If one of those access points infects your computer, is Microsoft liable?  Interesting question.  After all, you did not actively do anything to connect to that access point; Microsoft did it, kind of, without your knowledge or approval.  Microsoft, I am sure, would say that you turned on WiFi Sense, so you are responsible.  But, if WiFi Sense is turned on by default in any of the cases above, then that logic doesn’t hold.  Think of this as more work for lawyers!

So what can you do?  Unfortunately, nothing easy.

If you are a business and you have WiFi access to your internal network, then that is probably the most serious situation.

Some tips:

1. Rename your WiFi access point.  Not my first option, but it is supposed to work.

2. Restrict access to your WiFi by MAC address.  This is a SERIOUS pain in the tush, but this will work.  This falls into the “don’t try this at home category” – unless you are a geek.

3. Enable two factor authentication on your WiFi.  Certainly for businesses, this is a good idea anyway.

4. For businesses, enable 802.1X authentication (often called RADIUS).  This is what is called enterprise WiFi.  Way more secure than passwords, and WiFi Sense can’t deal with it.

5. Separate WiFi from any connection to your internal network (where your PCs and laptops live).  This is easier for businesses, but with all the Internet of Things non-security, home users are going to need to start doing this also.  This does not handle what you do if you need WiFi on your internal network for other reasons.  Then you have to resort to one of the other options.
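To make tips 1, 2 and 4 concrete, here is an added hostapd configuration fragment (it is not from the original post, Microsoft or Krebs) showing the weak shared-password setting next to the 802.1X/RADIUS setting, with MAC filtering as an optional extra. The interface name wlan0, the RADIUS address 192.0.2.10 and the secrets are placeholders. The SSID order differs from the post’s example on purpose: Google documents that the opt-out marker _nomap must be the final suffix of the network name, while Microsoft documents that _optout may appear anywhere in it, so putting _optout first and _nomap last satisfies both.

```conf
# hostapd.conf fragment (added example, not the post's own configuration).
# Assumptions: wireless interface wlan0, RADIUS server at 192.0.2.10.
interface=wlan0
driver=nl80211
hw_mode=g
channel=6

# Tip 1: the SSID carries both opt-out markers. "_optout" (Microsoft) may sit
# anywhere in the name; "_nomap" (Google) must be the final suffix. SSIDs are
# limited to 32 bytes, so the base name has to leave room for the suffixes.
ssid=MitchsWifi_optout_nomap

# --- Weak setting: one pre-shared key for everyone. Whoever holds it (or was
# handed it by a WiFi Sense user) joins, and it cannot be revoked per person.
# Left commented out here so it is not active.
# wpa=2
# wpa_key_mgmt=WPA-PSK
# wpa_passphrase=CHANGE-ME-shared-network-password
# rsn_pairwise=CCMP

# --- Corrected setting (tip 4): WPA2-Enterprise. Each user authenticates with
# their own credential against RADIUS, so there is no network password to share
# and a single account can be disabled without touching anyone else.
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=192.0.2.10
auth_server_port=1812
auth_server_shared_secret=CHANGE-ME-radius-shared-secret

# --- Tip 2 (optional): only listed MAC addresses may associate.
# macaddr_acl=1 means deny unless the address is in accept_mac_file.
macaddr_acl=1
accept_mac_file=/etc/hostapd/hostapd.accept
```

The accept file holds one MAC address per line. Keep in mind what the MAC list does and does not buy you: it stops a shared password alone from being enough to join, but it does not make the network password any less secret once WiFi Sense has distributed it, which is why the enterprise (802.1X) block is the real fix and the MAC list is only a supplement. Tip 5 (keeping WiFi off the internal network) is a matter of which bridge or VLAN the access point is attached to and is configured outside this fragment.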

Microsoft has an FAQ page here.  It isn’t great, but it does answer some questions.

Information for this post came from Krebs, among other sources.
