For those who haven’t seen it yet, Windows 10 includes a feature, WiFi Sense, that allows a user’s friends to share WiFi access with others. For example, Bob might allow Alice to access his access point. With WiFi access, she never has to log in again to use Bob’s network.
This doesn’t necessarily give Alice access to network resources, just the Internet. However, access to the access point provides opportunities for using it to commit a crime while putting the blame on Bob. And then there’s the chance that the barrier between Bob’s guest network and his internal network isn’t as strong as it should be.
WiFi Sense challenges arise when Alice decides to share the access capability with her friends. According to an article in Extreme Tech,
“WiFi Sense will automatically connect you to detected crowdsourced WiFi networks, acquire network information and provide “additional info” to networks that require it (it’s not clear exactly what constitutes additional info), and can be used to automatically share your WiFi password with your contacts on Facebook, Skype, and Outlook.
That last feature is the potentially controversial one. When you turn on this feature of WiFi Sense (and it’s not clear if the feature comes activated or not), it will request permission to connect to Outlook, Skype, and Facebook on your behalf. Other users on your friends list who also run Windows 10 will have their contact information shared with you as well, assuming they also enable the feature.”
So whether questionable people might have access to Bob’s access point depends on how Alice sets the switches during initial access.
Microsoft apparently has two solutions to this, neither of them acceptable to those of us who attempt to help keep systems secure. First, Bob can change the name of his SSID to include an opt out tag, as shown below,
Or he can set up the connection for Alice and make sure her sharing settings are properly set. Both options rely on Bob or Alice making the right choices. No one in security believes relying on human behavior for security is a good idea.
Microsoft, what were you thinking?