The FUD Wagon is rolling strong today after multiple online media outlets picked up the story that Wi-Fi Sense, available on Windows Phone 8.1 and the soon-to-be-released Windows 10, is Microsoft’s latest security blunder. The best advice that I can offer when you see these articles is to close them... close them, and forget that you’ve ever seen them. I don’t want you to just take my word for it though, so let’s dive into Wi-Fi Sense and the current FUD surrounding it.
Wi-Fi Sense Overview
Wi-Fi Sense comprises two major features, but there are a few additional points worth making.
Feature 1: Connect to Wi-Fi Hotspots (Enabled by Default)
This feature allows your Windows device to connect to known open hotspots. This is a security issue as open Wi-Fi is about as insecure as it gets. However, most people use hotspots every day and don’t even think about it. They connect at McDonald’s and Starbucks, at the restaurant where they eat dinner, the bar where they’re having drinks, and the airport and hotel when they travel. The reality here is that Microsoft is taking an insecure action that most people already perform (connecting to an open Wi-Fi hotspot) and making it easier by automating it. Since everyone already does this, I’m having a hard time calling it a security issue, but Microsoft should have disabled this by default and allowed users to opt in if they wanted to automate the process.
Feature 2: Exchange Wi-Fi network Access with My Contacts (Enabled by Default)
This is where most of the ongoing discussion has been centered – the insecurity that supposedly exists when this option is enabled.
FUD Counter #1: Enabling this feature does nothing. The sharing occurs when users enable additional settings that are disabled by default. If you’ve upgraded to Windows 10, none of your existing Wi-Fi connections are shared by default – you must enable sharing on a per-connection basis by going to Settings > Wi-Fi > Manage Wi-Fi Settings, and selecting the individual connection. Similarly, new Wi-Fi configurations aren’t shared by default. When you set up a connection and enter your password, you must opt in to connection sharing.
FUD Counter #2: Since you opt in at the time of password entry, it’s not possible for friends accessing your network via Wi-Fi Sense to share your password with their friends. If you give your friend the password and they enter it, then yes, they could opt in and share your password. They would have to purposely (perhaps “maliciously”) opt in and if that were the case, they could also just share your password via word of mouth or even a Facebook status update. Either way, the act of sharing your password would be a conscious decision regardless of how it’s done.
This feature includes the following share options:
- Outlook.com contacts (enabled by default)
- Skype contacts (enabled by default)
- Facebook friends (enabled by default)
FUD Counter #3: There’s talk of the fact that you’re sharing your Facebook friends with Microsoft. Many people already do that with Skype/Facebook integration or the People app. The reality is that Facebook data is shared with many companies less trustworthy than Microsoft. This isn’t a “security concern”; it’s barely a privacy concern.
Additionally, security-conscious or privacy-minded people can reconfigure their access point and add the string ‘_optout’ to the end of the SSID, which stops Wi-Fi Sense from storing and sharing information related to the AP.
In the end, this isn’t a major security blunder or a cause for the ringing of the alarms. This is a useful feature that many people will enjoy and use. I do foresee technical issues, but those don’t impact security. For instance, this feature makes sense on a Windows phone; it can grab the data via the cellular network and then connect to Wi-Fi. For that reason, it makes sense to include this in Windows 10. The limited adoption of the Windows phone means that it won’t see widespread use, and the lack of a network connection means that laptops and tablets won’t be able to pull down the Wi-Fi Sense information to use the connection when they first visit your home. For this reason, I don’t see a lot of added convenience initially, but there may be aspects of the service that I’m not considering.
To those that are ringing the warning bell about this feature: Please stop the fear mongering. To the media that ran the articles: Please don’t give these fear mongers their 15 minutes of fame. Articles like the ones circulating regarding this feature only widen the gap of trust between the security community and consumers. We need to come together and help consumers recognize legitimate security concerns. Every time FUD is spread, malicious actors get their wish. Disinformation is a popular tactic during war and FUD is the worst type of disinformation... because it has a legitimate source, making it that much more believable.
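The ‘_optout’ SSID suffix mentioned under FUD Counter #3 has one practical catch: an SSID is limited to 32 octets, so a long network name has to be trimmed before the suffix fits. The following Python sketch is an added example, not part of the original post; the function names and the sample SSIDs are constructed for illustration.

```python
SUFFIX = "_optout"      # opt-out string named in the post
MAX_SSID_OCTETS = 32    # IEEE 802.11 limits an SSID to 32 octets


def is_opted_out(ssid: str) -> bool:
    """True when the SSID already ends with the opt-out suffix."""
    return ssid.endswith(SUFFIX)


def optout_ssid(ssid: str) -> str:
    """Append the suffix, trimming the base name so the result fits 32 octets."""
    if is_opted_out(ssid):
        return ssid
    room = MAX_SSID_OCTETS - len(SUFFIX.encode("utf-8"))
    # Cut on the byte budget, then drop any multi-byte character split by the cut.
    base = ssid.encode("utf-8")[:room].decode("utf-8", errors="ignore")
    return base + SUFFIX


def plan_renames(ssids):
    """Return (old, new, was_trimmed) for every SSID that is not yet opted out."""
    plan = []
    for old in ssids:
        if is_opted_out(old):
            continue
        new = optout_ssid(old)
        plan.append((old, new, new != old + SUFFIX))
    return plan


# Constructed sample SSIDs (hypothetical networks, not from the post).
SAMPLE_SSIDS = ["HomeNet", "Guest_optout", "A" * 30, "x" * 24 + "é"]

if __name__ == "__main__":
    for old, new, trimmed in plan_renames(SAMPLE_SSIDS):
        note = " (base name trimmed)" if trimmed else ""
        print(f"{old!r} -> {new!r}{note}")
```

Renaming an SSID means every client has to rejoin the network under the new name, so a trimmed name is worth reviewing before it is applied to the access point.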