The feature, dubbed Wi-Fi Sense, shares an encrypted version of a user’s WiFi network password with their Skype, Outlook, and possibly Facebook contacts.
The sharing with Skype and Outlook contacts is on by default, while the user must opt in to share with Facebook contacts. The contacts never actually see the password, which is stored remotely on a Microsoft server, but if they ever come within reach of your WiFi network, they’ll be able to log on.
If that doesn’t sound like a good idea to you, you’re not alone in thinking so.
“The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices,” he writes. “But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next.”
After all, hackers with a goal are not easily deterred by roadblocks put in their way. Just look at the Home Depot payment terminal breach. The hackers in that case used phishing e-mails to access the credentials of a third-party air-conditioning contractor for the retailer. What’s to stop someone from deceiving a user into adding them to their contacts?
Microsoft’s argument is that Wi-Fi Sense is actually safer than simply giving your friends your WiFi password whenever they come to visit. The idea is that it’s more secure to grant contacts access to the network without ever having to give them the password than it is to explicitly share your password with them.
Once someone has the actual password, it can be shared with others or possibly used to figure out other passwords for websites and services. Microsoft claims that your Wi-Fi Sense contacts have no way to pass your passwords on to others.
Microsoft also says that Wi-Fi Sense will not share passwords for networks secured with authentication protocols like 802.1x EAP, meaning most corporate networks would not be included. But if your business uses a simpler wireless network similar to what you’d find in a typical home environment, Wi-Fi Sense is probably not a good idea.
Over at Forbes.com, Amit Chowdry acknowledged the concerns about Wi-Fi Sense but said he believes the benefits outweigh the risks.
“This feature lets your friends access your Wi-Fi network without having to actually tell them your password. Sometimes people use the same password for their e-mail and Wi-Fi network, which could be a major privacy risk if their friends are nosy,” he writes. “Wi-Fi Sense also makes connecting to your Wi-Fi network less of a hassle if your password is extra long with a variety of letters, numbers and symbols. And Wi-Fi Sense does not actually show your Wi-Fi password at all.”
But that raises the concern that all these network passwords are going to be stored by Microsoft. That store has to be a tempting target for hackers hoping to access all that information.
“Depending on Microsoft’s infosec protocols, this is either completely fine and dandy, or a potential goldmine for wardriving hackers,” writes Ars Technica’s Sebastian Anthony. “Again, as long as you don’t share the passkey from your workplace’s Wi-Fi network, the potential security risk is low.”
So how do you opt out?
People wanting to avoid having anything to do with Wi-Fi Sense can do two things: Opt out of the feature on Windows 10, and change the name of their wireless router.
The first is the easiest. Simply go to “Change Wi-Fi settings” on your computer, then click “Manage Wi-Fi settings,” where you can turn the feature off.
To keep anyone from using Wi-Fi Sense to access your home network, change the SSID of your network by adding “_optout” to the end. So if your network name is “ChrisIsAwesome,” you’d change it to “ChrisIsAwesome_optout.”