Monday, August 3, 2015

Wi-Fi Sense? Why oh why?

I'm still very confused as to why Microsoft would even consider putting Wi-Fi Sense into Windows 10. Honestly, it makes no sense, and nothing good from a security perspective could come from handing out access to your Wi-Fi network. Microsoft says it's safer than having to write down your Wi-Fi credentials and it's less awkward. Um, well, no. Here are a few things that concern me:

  • This wasn't a security hole in the last OS, since it didn't exist, and now it is. They've just opened up the threat landscape towards more attacks rather than tightening down their security. Over the years Microsoft has made large strides in securing their OS, but this is just plain silly.
  • Having the ability to share your Wi-Fi passwords with your contacts (Facebook, Skype, etc.) could become a disaster. What if a celebrity accidentally shared out Wi-Fi access to their multitude of followers? We're not talking about giving your Wi-Fi password to your Grandma. There could be serious stalkers, or malicious intent going on with people who were just handed the ability to access these Wi-Fi networks. Many times network discovery is disabled, but does that mean it will be? Either way, this is just another hole.
  • Also, if you're going to give out the credentials to your Wi-Fi, who cares if you're going to write it down at this point? I know people might be reusing this password, but at that point just say "No". 
  • This is also the reason that most Wi-Fi home routers have a "Guest" network. It's so you can set up a Wi-Fi network for, wait for it..............Guests. That's right folks, you actually don't need to give out the password you might have been reusing on your personal Wi-Fi and can create an entirely separate network for your guests. Just make sure your password and SSID don't offend Grandma.
  • What if I want to share my employer's Wi-Fi? Is that against policy? Can I just send this information up to the cloud and hope that no one will abuse it? Seriously, this is a problem. There are so many questions about this service from a security perspective, and such little win, that it should just be removed from the OS completely.
  • There's a reference that the passphrases will be stored on Microsoft's servers (aka cloud). I don't care if it's encrypted at rest, this is something I don't want stored in a cloud that I can't control, from a company that's been known to hand over customer information on a whim.

If you're running Windows 10, and don't want to hand out access to your Wi-Fi network, you can disable the feature or name your SSID with _optout in the title. This of course lets everyone know you're running Windows 10, but it's better than the alternative.
