‘Windows 10 automation of Wi-Fi password sharing is potential security risk’
The Register argues Win Phone legacy feature could be disastrous for networks
A Windows Phone feature that allows Wi-Fi passwords to be shared with a user's contacts may pose a threat to security when bundled with Windows 10, UK tech site The Register has highlighted.
Wi-Fi Sense already allows Windows Phone 8.1 users to type a password for their phone that is shared with their laptop. But the feature will reportedly be switched on by default in Windows 10, which is projected to have an install base many times larger than Windows Phone. Policing the security implications could prove a headache for enterprise admins.
Although Wi-Fi Sense does not reveal the password in plain text to contacts, it does allow them to join your Wi-Fi network if they are in your Outlook.com or Skype contacts list. Windows 10 will also allow an opt-in for Facebook friends, which means Microsoft will have access to this list of contacts as well.
"For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contact's phone if they use Wi-Fi Sense and they're in range of the Wi-Fi network you shared," reads the Wi-Fi Sense FAQ.
But it also says: "When you share network access, your contacts get internet access only. For example, if you share your home Wi-Fi network, your contacts won't have access to other computers, devices, or files stored on your home network."
However, if a computer logs into a Wi-Fi network it must store the key in some form, argues The Register. With a little ingenuity, an unauthorised third party could get full access to everything within reach of the network. This means that a hacker targeting a company would not need to resort to spear-phishing. All they would need to do is ensure they are on the contacts list of an employee who used Wi-Fi Sense and then make sure they are in range of the company's Wi-Fi network to gain access.
Microsoft, in an apparent admission of the issue, has offered a workaround that involves changing the name (SSID) of a Wi-Fi network to include the text "_optout".