Windows 10 comes with a feature called “Wi-Fi Sense” designed to make it easier for your friends to get online at your home or office without your having to give out the password every time.
It’s a cool idea. But Wi-Fi Sense has triggered a firestorm among some security experts, who are concerned that it gives hackers one extra weapon in their arsenal.
A lot of the panic seems a little overblown. But if you’re extra security conscious, you might want to turn it off. It gives a committed hacker one more easy way to get onto your network, where they might find it easier to get into the devices connected to that network.
How it works
The feature actually made its debut on Windows Phone 8.1, but Wi-Fi Sense went largely ignored (along with Windows Phone itself).
The way it works is pretty simple: When you log in to any wireless network, Windows 10 asks if you want to share that password with your friends (including Facebook friends, Skype contacts, and anyone in your Outlook rolodex).
Then, when those friends are within range of that network, Windows 10 jumps to life with that saved password you just shared and logs them in automatically. It means not having to read “Bus1n3zz1Ns1d3rRu13z” out loud, character by character, when your friends just want to hop on your home Wi-Fi.
Microsoft says it’s a security feature, since your friends never actually know what your password is. All the Wi-Fi Sense feature does is give visitors direct access to the Internet, not to the host’s computer or other devices — the same as giving any other visitor your Wi-Fi password.
It’s enabled by default in Windows 10, unless you explicitly uncheck it during installation.
Microsoft seems to have thought through the big risks: You control which contacts from which social networks get access to which networks (and if you don’t choose any, nothing happens), passwords are encrypted, and those passwords get sent up to a Microsoft server for safe storage, off the actual device. (A full FAQ about the feature is available.)
But there are still opportunities for misuse.
It’s true that those encrypted passwords get shunted up to a Microsoft server for safekeeping, but at some point, they have to come back down to the device (your laptop, tablet, whatever) so Windows 10 can log you in to the network.
Some security experts are concerned that there’s a window where an attacker could somehow grab the encrypted Wi-Fi Sense password and decrypt it. And, as security researcher Brian Krebs noted recently, people tend to re-use the same passwords for everything, meaning that it could be a way for hackers to harvest more personal data.
There’s another possibility, where a malicious attacker could send you an innocuous Facebook friend request and get access to all of your Wi-Fi Sense passwords, giving them access to not only your home network, but all the others that you have the passwords for. That could be a nice “gimme” to attackers, especially in any workplace with an improperly secured network.
But overall, it seems like concerns over Wi-Fi Sense are overblown. And while it’s generally considered a bad thing in security to let unknown parties onto your wireless network, since it gives bad people one more way into the network, both of these instances seem like unlikely scenarios. Plus, the actual risks to most normal users are close to nil — this isn’t like giving out your Social Security number or ATM PIN.
Still, if you’re concerned about your home wireless network, Microsoft says you can add “_optout” to the end of the name and make it invisible to Wi-Fi Sense. So a network called “BusinessInsider” would be eligible for Wi-Fi Sense, but a network called “BusinessInsider_optout” would not.
On Windows 10 itself, you want to go to Settings, then Network & Internet, then Wi-Fi, then Manage Wi-Fi Settings. Turn off everything under the Wi-Fi Sense heading and have it forget the networks you share.