Windows 10 “WiFi Sense” automatically leaks your wifi password to strangers
Even if you personally disable it on your own computer, anyone else connecting to your network (example: non-technical friend) will leak your password to all of _their_ facebook friends.
The only way to opt out of this "feature" is to change the name of your SSID to include _optout at the end -- or force EVERY SINGLE PERSON connecting to your network to disable the feature on their PC before connecting.
There is no other way to opt out.
https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/use-wi-fi-sense-to-get-connected
https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/how-do-i-opt-my-network-out-of-wi-fi-sense
https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/wi-fi-sense-faq
http://www.howtogeek.com/219700/what-is-wi-fi-sense-and-why-does-it-want-your-facebook-account/
115 comments
[ 97.5 ms ] story [ 3125 ms ] threadEdit1: Also, previous connections are by default not shared automatically either, you have to go to manage known networks and select them and press share before it gets shared.
Edit2: If people connect through your shared network, then it shouldn't allow their friends to connect as well. (To my knowledge of this)
Edit1: tho i can see the downsides of this, add you neighbor on Facebook and get free access to their WiFi xD
Edit2: You can select whether, you want to share network with Outlook, Skype and Facebook friends, so what i wrote in Edit1 could be invalid if you simply uncheck Facebook.
I don't use Windows, so I cannot use this system at all.
"add you neighbor on Facebook and get free access to their WiFi"
That's missing the much bigger downside. Give your neighbor your Wi-Fi password and they can share it with hundreds of their friends automatically.
Microsoft claims users will not be able to find the password and that users will only be able to access the Internet, but that assumes there are no security holes. I'm not comfortable putting my network security in the hands of a company I did not choose to associate with.
It could also require buying new hardware. Once again, I would know to look for a Wi-Fi Sense-proof router, but my friends would not.
I also don't think we should be expected to solve problems that Microsoft caused. Why should the industry adapt to Windows rather than the other way around?
You don't even need a "security hole": the machine needs to know the key to connect. From there, it's your machine -- you will be able to read it out of memory. Now, this is probably out of reach for most "average users", but for even a moderately capable attacker it provides little protection (and tools automating this will likely become available).
At best, if the Wifi network is using a passphrase it'll only send you the key (which is calculated by applying the PBKDF2-HMAC-SHA1 function to the passphrase using the SSID as a salt for 4,096 iterations), but this still lets the user get on the network and decrypt traffic.
Give your neighbor your Wi-Fi password, and they can trumpet it on the streets, distribute on pamplets, post it on HN, and update their Facebook status with it.
I am a little shocked at the HN reaction here. I've had a Windows Phone since January and I've thought the feature was not only useful, but a great idea. The only benefit for me has been the automatic TOS acceptance though since nobody else I know has a Windows Phone.
If you're running a "secure" wireless network and don't want anyone else to use it, well, don't give anybody you don't trust the password, and make sure they're not running services like Wi-Fi Sense. Generally speaking, the common man is going to want any of his friends he lets into his house onto his Wi-Fi anyway.
I don't believe Wi-Fi Sense is on at all by default (I am pretty sure I had to turn it on), and it explicitly shares only Wi-Fi networks you select, not all of them. You have to go in to your saved Wi-Fi networks and share each one individually. You also have to individually check each list of contacts (Outlook, Skype, Facebook, etc.)
It is absolutely not sharing all your networks automatically with all your Facebook friends.
Here are screenshots (note I'm 99% sure I turned on Wi-Fi Sense):
http://i.imgur.com/bzaK2aT.png http://i.imgur.com/vnbDkdj.png
I suppose it's ironic the FUD is directed against Microsoft now.
That said, I think Microsoft made a serious blunder here; it's inherently flawed and I can't immediately think of a way for them to fix it without getting rid of its entire raison d'être.
If your friends connect to the network using Wi-Fi Sense, it might spread to their friends. I'm not sure.
>... WiFi Sense can do a lot of things for you to get you connected to the Internet using WiFi, so you don't have to do them on your own. These include:...
> - Accepting a WiFi network's terms of use on your behalf...
That doesn't seem appropriate.
It isn't as though anyone actually reads the terms of use anyway.
Probably the best feature of Wi-Fi Sense.
Apple deals with this somewhat by opening a Webkit view of apple.com (unsecured) and displaying it the user if it's not in fact apple.com. But an even further level of automation would be great.
Let's be honest, no one reads these things anyway. If you're one of the handful of people in the world who would decide not to use a WiFi network because you didn't like its TOS, then you're 1) probably not running Windows anyway and 2) could turn this feature off.
Time and again courts have upheld click-through TOS and EULAs. Ignorance is rarely an excuse. So if something clicks through a captive portal for you, the defense of "I didn't know..." isn't going to hold much water.
The only defense might be that Microsoft accepted the terms and they should accept responsibility for any violations on their behalf. But good luck getting them to voluntarily indemnify you.
If there was no reasonable way for you to even know the terms were there at all, I don't think any court is going to consider them to be binding. That's why these places show them to you when you try to use their network, instead of just hiding them in the freezer.
It's quite possible that using the Microsoft software to bypass a captive portal without agreeing to the terms will land you in jail for a felony.
Is Microsoft going to indemnify you against being the trial case of that legal theory?
How do you define "quite possible"? I'd estimate that this is exceedingly unlikely to happen.
In the US perhaps. Most other places have consumer protection laws that require a much higher standard for contracts to be legally binding.
I'd love this feature - connecting to all the open wifi connections around downtown and then letting my phone/laptop log me in through their terms of use acceptance pages (looking at you Tim Horton's) seamlessly.
http://technode.com/2014/11/17/wifi-hotspot-sharing-skeleton...
> Your contacts don't see your WiFi network password.
> When you share network access, your contacts get Internet access only.
How can they ensure these two?
Most likely they mean "we disable the show password option".
It is supposed to be impossible to RE the code for anything useful - the keys are encrypted using the public key of the secure enclave. You'd need to break the chip itself to win, and since Intel knows this, we can assume they'll make it incredibly hard.
Of course, since MS wants this to work on current hardware, not "shipping sometime in the future" we can assume they aren't using Intel SGX. But in theory it's fairly strong DRM.
https://software.intel.com/en-us/blogs/2013/09/26/protecting...
The password is not stored on the devices of the people you share with. It's stored on Microsoft servers. When the device someone you have shared with notices that a network you've shared is available, it gets the key to connect, then presumably forgets it.
I wonder if it is possible to do better? The idea would be that when setting up the connection (so, setting up session keys and authenticating) the device could pass these packet through to Microsoft's server. Microsoft's server could then calculate the response packets and give them to the device to relay to the access point. When the connection set up is all done, Microsoft's server could pass the session key to the device, and subsequent packets would be handled entirely on the device.
There are two (at least) things that could torpedo this kind of approach. (1) the protocols might work in such a way that you cannot hand off the setup/authentication, or they might require frequent enough re-keying that spotty cell access could prevent keeping wifi working, and (2) the connection setup and authentication might be handled in firmware that does not provide a low enough level interface to do the fiddling needed.
Also this entire thing seems dumb. If you need to connect to Microsofts server before you have wifi then you already have data.
So you still need minimal internet connectivity in the first place In order to ask MS' servers? Suddenly sounds less useful for things that aren't phones.
Does all the collected WiFi data go to Microsoft HQ?
Bear in mind though that Google probably knows your wifi password if you or a friend syncs their phone's authentication data.
(Google's legal troubles were a separate issue btw)
Have every Win10 installation generate a public/private key pair. Share the public key with MS.
When you share a password with all your contacts, MS can send all of their public keys to you, where you then encrypt the password with them and send the results back to MS. MS can then send the encrypted passwords to the contacts, who can then retrieve the password with their private key.
Something tells me they probably didn't do it this way, but it doesn't sound like a particularly hard goal to achieve if one thought it was important.
I agree that it must be do-able, it's just tricky to make it work transparently and simply so every user benefits.
Google requires you to have "_nomap" at the end of SSIDs to "opt out" of certain services...
COMCAST56B4_nomap_output_security_reinforce_superhappy_wifienable_security_ALLOW-P^[A-Za-z0-9\.]+$-_DISALLOW-P^[pet][0-9]$
And of course, all this data is open to .gov subpoena, yes?
EDIT:
Oh boy!
Some WiFi hotspots ask you to accept the terms of use in a web browser, provide additional information or do both before you can connect. WiFi Sense can do these things on your behalf to get you connected quickly.
Yeah, this isn't a fucking trap at all.
* just friend my business on Facebook
Someone has to realize how dangerous this is. How would ANY corporation EVER allow a single Windows 10 machine to connect to their wifi, let alone contractors, or...
Do they not realize how paranoid network admins are to begin with? Windows XP forever, I guess.
https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/w... - Section: "I'm concerned about sharing WiFi networks. Can you tell me a little more?"
By using WPA-Enterprise, this wifi sense feature will likely do nothing.
RouterOS ships with one. But RouterOS/Mikrotik offers some pretty incredible functionality at a sub-$35 price point. It is very atypical of anything (even in the SMB space).
However RouterOS isn't a "consumer" system by design. In fact you better have solid network knowledge or you'll struggle even as a power user.
I'd be less uncomfortable if you had to deliberately choose which friends to share a certain network with. "Share with this person", or something.
Only if he opts _in_ to sharing it.
If this features truly works as stated, it is an incredibly arrogant thing for MS to do.
1) Wi-fi access point owner is absent from that decision about sharing the password or not, other than the SSID name (thus, I suggested that Microsoft should have made this ins option basis. This way, at least that it would show that the owner of the AP is WILLING to participate in that.)
2) People do very stupid things. They may not even see a single implication before they "check" it. I've seen a lot of people enabled certain feature "because it sounds useful" without seeing further implication. Especially when they are not that tech-inclined, they may flip that switch "because everyone else's doing it," "that's the way I do in my home," or "I didn't know that's what it meant." I'd know if he/she is sharing my wi-fi password on Facebook by that person writing on their timeline (which I'll pick up my phone and start screaming at that person) but this seems to be much more discreet than that.
Again, it doesn't really matter if that checkbox is checked or not. It's a bit of a different story if they had to drill down to several layers of menu (which I wouldn't change my opinion that it is still a bad idea) -- but it sounds like this option is presented right in their face everytime they are connecting to new networks.
I suspect that the API is such that all of the friends of the fake accounts will relay to the fake accounts all of their respective friends passwords (given they had connected to said friend's network at least once), and that two steps should given sufficient coverage in dense urban areas to get worms that give near total wifi coverage of the area.
Such a worm platform could of course be used to launch a wide range of attacks, as it has a relatively high concentration and a solid coverage of the area (for data relaying).
This screams badness at every level: it's relying on the notion of a Facebook friendship to root security, despite that Facebook friendships have no such semantic meaning in the context of Facebook.
You were doing so well Microsoft... but this... this is really, really bad, to the point it might pose an infrastructure risk for cities.
My idea was simply a way to accelerate the spread of a worm through consumer wifi gear by using the set of fake profiles to always be friends-of-friends with the owner of the network (and thus friends with someone who has connected, thus allowing you to connect).
The process would be something like this:
1. Find a vulnerability in consumer wifi gear, such that insecure default allow the default config to accept new code from only inside the LAN. (These types of vulnerabilities with default passowords are common; however, remote access is often disabled.)
2. Upload code to one router.
3. Infected routers look for neighbors who they can connect to the network of, then upload the attack code once they're masquerading as a device on the LAN.
4. Repeat 3.
Normally, the reason that this attack doesn't really work is that there are simply too few open or insecure LANs of the same hardware type for the attack to have an effective spread rate, thus it's only a thin weak network and breaks quickly in the face of customers fixing, upgrading, or simply turning off their gear.
However, in allowing friends-of-friends to get access to a LAN, Microsoft has removed this barrier to worms spreading across consumer networking gear for anyone that can amass a stock set of profiles with decent geographical coverage, making it a viable way to accelerate the spread of a worm through networking gear.
Ed: Of course, once the routers themselves are infected, and you have good geographical coverage, the infected routers can be used as a platform to launch attacks. Again, the reason that we don't see this in practice is that it's too hard to get access to all of those LANs because of even the weak security that exists. Microsoft removed that, making the attack viable if people can infiltrate the Facebook social graph.
Automation like this is dangerous, I'm not sure saving 10 seconds is worth this kind of massive trust and security breach. When I give someone my wifi password, I know they can just post it on Facebook but at least that's a conscious decision. Same with accepting EULA, at least that was a choice, even if I didn't read it. Doing either thing automatically though is just ridiculous in terms of privacy, security and potential legality so how does a giant company with lots of smart developers and lawyers decide this is a good idea?