Thursday, July 30, 2015

Microsoft Windows 10 "WiFi [Non]Sense

With the release of Windows 10 on Wednesday, a new feature (used previously by Windows Phones) has been included that has me shaking my head. Microsoft calls it "WiFi Sense", but it lacks common sense. When a Windows 10 computer connects to a wireless network, there is an option turned on by default to "share" it with your contacts (including on Hotmail, Skype,, and even Facebook friends). The wireless password is then stored (at least in encrypted format) on a Microsoft server, for the occasion that any one of those contacts that come close enough to your wireless signal, is given that password for their Windows 10 system (or Windows Phone) without having to ask you!

Say you have an associate over that wants to show you how great his new Windows 10 tablet is. Are you comfortable with your wireless password being shared with anyone that happens to be one of his contacts? I provide an open wireless connection for guests, but that is from the "DMZ" (Demilitarized Zone, just like in military terminology) interface of my firewall, unable to touch the main network for my family. My network equipment is even on a separate "administrative" network without a WAP (Wireless Access Point), locked down to a few computers only I run.

Despite that easily accessible "guest" network, there have been instances where family members have provided the wireless password to their friends (I'm not saying any names). I reserve IP addresses for every single known device on the network (yes, down to my thermostat and security camera DVR system), and as commented earlier, have any interfaces for equipment I access out-of-reach of others. My security level, however, is tempered by knowledge gained during presentations by Sean-Philip Oriyano and others at IT Pro TV, Steve Gibson on TWiT's (This Week in Technology) "Security Now!", and experience over the years.

There are ways to minimize the threat from WiFi [Non]Sense, but you are forced to rename your wireless network(s) to have "_optout" on the end of the name. WiFi Sense is enabled by default, and if the person connecting the Windows 10 system simply chooses to share it with their contacts, it can't be undone. I advise having your network as secure as possible, and to check the resources I have linked for help.