As you probably know, Windows 10 has been released. If you did a fresh install, you might have noticed there was an “Express Settings” button – which means “Trust Microsoft to make the right choices”. You might be surprised that what they think is right, might be (should be?) different than what is actually right and good for you.
For example, one thing that is turned-on by default is Wi-Fi Sense.
What is Wi-Fi Sense?
This is a feature that makes it easier for people to connect to Wi-Fi, including (by default):
- Automatically connect to public Wi-Fi hotspots (and other hotspots which Microsoft recommends – see how they establish this).
- Automatically share an encrypted version of your Wi-Fi SSID passwords with your: Outlook, Skype, and (optionally) Facebook friends.
- Via the method just described, automatically connect to networks that your friends from Outlook, Skype, and (optionally) Facebook connect to.
To be clear, it doesn’t share the actual Wi-Fi password, but it does (via an encrypted method) make available a Wi-Fi network which wouldn’t otherwise be available to you. This sounds great! But is it?
Why could this be bad? How could this be exploited?
For public Wi-Fi – that is generally a very dangerous place. Most public hotspots use a “bridged” type Wi-Fi connection. That means that someone else sitting at the same place can run a network sniffer and capture the network traffic of all of the people on that network (similar to a network bridge). If anything is not encrypted, it will be visible. Even if it is encrypted, it is still subject to cracking later on. So as a rule, if you connect to a public Wi-Fi hotspot, you should:
- Close your e-mail and any apps which keep connecting over the network.
- Use a different browser (or “incognito” mode) so that your regular cookies are not visible.
- Be very conservative about what you do on that network.
- Disconnect the second you are done using that network!
Public Wi-Fi is not something you want your laptop to casually connect to, unsupervised, when it feels like it!
By the way, newer Wi-Fi technology includes connection isolation (a.k.a. client isolation) which means you have a dedicated connection through the Wireless Access Point (WAP). This means that other users can’t view your traffic (similar to a network switch). The company that owns the access point potentially could, but this is generally much safer because not just anyone can observe your network traffic.
The problem is, not many places use this “client isolation” technology yet, despite it being available on pretty much all modern Wi-Fi access points.
For sharing your Wi-Fi settings – this has several implications. For example, but not limited to:
- What if someone pretends to be someone you know, and you add them to Skype or Outlook. Now, they could get access to your home Wi-Fi. Then, they can park outside your house and have unfettered access to your private network.
- For those that blur the line between their personal and work laptop (or BYOD people), what if someone gets the Wi-Fi password for your work and breaches your work network using this… all because your laptop leaked this information? You added them as a friend and they can now sit outside of your work with a laptop in a van and have unfettered access to the private network.
- What if a malicious user pretends to be someone you know, so that you will unwittingly connect to their wireless access point – where they can sniff all of your network traffic?
There are lots of scenarios and variants to this, but this could pretty easily be exploited. In fact, it truly is just a matter of time before these are mainstream exploits.
So, you either need to be hyper-vigilant when adding Skype or Outlook friends, and/or you might consider turning off this feature.
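As an added example (not from the original post, and not something Microsoft ships), here is how an administrator can audit and turn off Wi-Fi Sense from an elevated PowerShell prompt on a Windows 10 machine. It assumes the registry switch Microsoft documented for OEMs, `AutoConnectAllowedOEM` under `HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config`, which is not mentioned on this page and should be verified against your Windows build.

```powershell
# Added example: report, and optionally disable, Wi-Fi Sense on Windows 10.
# Assumption: the AutoConnectAllowedOEM DWORD (0 = off) is the switch for this build.
# Writing under HKLM requires an elevated (administrator) PowerShell session.
param(
    [switch]$Disable   # without -Disable the script only reports the current state
)

$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\WcmSvc\wifinetworkmanager\config'
$ValueName = 'AutoConnectAllowedOEM'

function Get-WiFiSenseState {
    # A missing value is treated as the Windows 10 default (feature on);
    # only an explicit 0 is reported as disabled.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.$ValueName -ne 0) { return 'Enabled' }
    return 'Disabled'
}

function Disable-WiFiSense {
    # Create the key if it does not exist, then set the DWORD to 0.
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name $ValueName -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-WiFiSenseState
Write-Output "Wi-Fi Sense auto-connect/sharing: $before"

if ($Disable -and $before -eq 'Enabled') {
    Disable-WiFiSense
    Write-Output "Wi-Fi Sense auto-connect/sharing: $(Get-WiFiSenseState)"
}

# Wi-Fi Sense can only share networks this machine already knows, so list the
# stored Wi-Fi profiles for review (netsh ships with Windows).
netsh wlan show profiles
```

Run it without arguments first to see the current state, then with `-Disable` to turn the feature off; a reboot or sign-out may be needed before the Settings app reflects the change.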
What about Windows Phone?
I have Windows Phone 8.1 where this was already a thing – note how the screens look very similar to Windows 10. I normally leave both of these off.
This was worth writing down because having Wi-Fi Sense turned ON in Windows 10 is the default. This could have some significant security implications. So, if you aren’t OK with this, go and turn that setting off and don’t ever click “Express Settings” in Windows again!! 🙂
If you want more information, Brian Krebs did a more thorough write-up here: http://krebsonsecurity.com/2015/07/windows-10-shares-your-wi-fi-with-contacts/