Windows 10 will be here in less than a month. The WiFi Sense feature, copied from Windows Phones, may be a security issue that gives unauthorized people access to some WiFi networks. The Register has a good article on why it seems like a good idea, and on the implications. Betanews goes into more detail, including how to protect networks, but to me it misses the point that if a client is in your office they may get access to your internal WiFi as well as the public one. In theory that shouldn’t matter, as there will be other security layers to stop them seeing anything confidential, but why let people get this far?
Good: it saves having to shout across the office or house “what’s the Wi-Fi password?”
Bad: Microsoft store the password centrally so it can be shared with your friends: to be precise, your Outlook.com contacts, Skype contacts and Facebook friends. Consider your Outlook.com contacts. They will include work colleagues, clients, potential clients, consultants etc. Do you want to give all of them access to your internal WiFi?
Hackers wouldn’t have had attacks on WiFi Sense high on their hit list while it was just being used by the limited number of people with Windows phones. Once Windows 10 is available it must move up the list of interesting targets, and any flaws in the security measures are going to be found.
There are ways to protect networks:
- if 802.1X is being used the password cannot be shared
- add ‘_optout’ to the SSID
- under the Wi-Fi settings menu untick the “Share WiFi networks I Select” options
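
The first two protections in the list above can be checked from a scan of nearby networks. The following is an added example, not code from the original post: it parses a constructed sample laid out like `netsh wlan show networks` output (trimmed to the two fields used) and flags password-protected networks that are neither 802.1X nor opted out. Treating `_optout` as a case-sensitive match anywhere in the SSID, and the function names, are assumptions of this example.

```python
import re

# Constructed sample, laid out like `netsh wlan show networks` (trimmed).
SAMPLE = """\
SSID 1 : OfficeInternal
    Authentication          : WPA2-Personal

SSID 2 : OfficeGuest_optout
    Authentication          : WPA2-Personal

SSID 3 : OfficeSecure
    Authentication          : WPA2-Enterprise

SSID 4 : LobbyOpen
    Authentication          : Open
"""

SSID_LINE = re.compile(r"^SSID \d+ :\s*(.*)$")
AUTH_LINE = re.compile(r"^\s+Authentication\s+: (.*)$")

def parse_networks(text):
    """Return a list of (ssid, authentication) pairs from the scan text."""
    networks, ssid = [], None
    for line in text.splitlines():
        if (m := SSID_LINE.match(line)):
            ssid = m.group(1).strip()
        elif (m := AUTH_LINE.match(line)) and ssid is not None:
            networks.append((ssid, m.group(1).strip()))
            ssid = None
    return networks

def sharing_status(ssid, auth):
    # Assumption: "_optout" counts anywhere in the name, matched case-sensitively.
    if "_optout" in ssid:
        return "protected: SSID opted out"
    if "enterprise" in auth.lower():      # Enterprise modes use 802.1X
        return "protected: 802.1X"
    if auth.lower() == "open":
        return "no password to share"
    return "EXPOSED: password can be shared"

def audit(text):
    """Map each SSID in the scan text to its sharing status."""
    return {ssid: sharing_status(ssid, auth) for ssid, auth in parse_networks(text)}

if __name__ == "__main__":
    for ssid, status in audit(SAMPLE).items():
        print(f"{ssid:22} {status}")
```
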
The best option is to disable the feature. IT administrators should be able to do this at the Windows 10 enrollment phase. This step needs to be added to setup checklists before Windows 10 is deployed.