ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Windows 10 Wi-Fi Sense is a bad idea

    Scheduled Pinned Locked Moved IT Discussion
    microsoftwindows 10security
    118 Posts 6 Posters 36.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller
      last edited by

      It's all about risk and reward. This is a new attack vector with a lot of potential. Personally I think it is more powerful to use to trick people into accessing things that they didn't know they would access rather than to try to gain access to things, but both are possible.

      It opens a lot of doors for data leakage. Tons and tons of people use social media networks for a lot of things without any planning done around network security. Most people. Nearly all people. In fact, only crazy people would have their lists culled to some level of safety around network access. Who would guess that a random social media list of randomness would be the same list that lets people onto your wifi? Or onto your business' wifi. Or onto your parents' wifi or any other wifi you happen to have access to and be near?

      Suddenly you need to verify all those associations. I have hundreds of people on FB, many I have never met. Some I have no idea who they are. My FB is completely public, it doesn't matter at all who is "friends" with me. My Skype account is not my own and it has to have lots of people I don't know on it because I work with them. People who may or may not be cleared to have access to all of the same wifi that I have access to.

      This is a lot like how Social Security Numbers are used by the government for one purpose and should be able to be public because they are not identifiers. But then a few companies decided to treat them as secret, identifying information and created a disaster of stolen identities and false credit information because social security numbers are not secure, unique or IDs. They've been used for a purpose for which they were not designed or intended and while it seemed like "everything would be fine", it obviously is not because you can't just do that.

      Security is not something to treat casually. What Microsoft did here has potential to be useful, but tons of potential to abuse very easily. Being available would make it neat, making it default makes it scary.

      Maybe there is some control there that we don't see, but this is something to really worry about.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @Alex Sage
        last edited by

        @anonymous said:

        @scottalanmiller said:

        Think about this.... have you ever had any friend had their Facebook account hacked? I see people I know have that happen all of the time. It's not a secure system. Nothing in the use of Facebook suggests that the person using FB takes it seriously. Sure some people do and that is great for them. For other people it is just a completely casual account.

        Now you are by association granted access through all of those allowances of lack of security.

        And more importantly, allowing it to other networks, not just your own, just because you are nearby.

        How does the hacker know I have wifi sense on? How do they know where I live?

        They don't care where you live, they care where you are. Where you live isn't important. It's finding you at a place where you are working that is most powerful.

        1 Reply Last reply Reply Quote 0
        • scottalanmillerS
          scottalanmiller
          last edited by

          Okay so a little good news, fro Ars Technica: By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you'll be asked if you want to share it with your friends/social networks.

          Lots of people will just say yes to everything not understanding this. As a business, or as IT, we need to be very, very aware that employees will do this all the time.

          1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            Although also important to note: By default, if you choose Express Settings during the installation process, Wi-Fi Sense is turned on in Windows 10.

            1 Reply Last reply Reply Quote 0
            • JaredBuschJ
              JaredBusch
              last edited by

              Here is a record of my wifi hotspot. 1 block from my house, before I moved a month ago.

              img

              A 1 Reply Last reply Reply Quote 1
              • JaredBuschJ
                JaredBusch @Alex Sage
                last edited by

                @anonymous said:

                http://arstechnica.com/gadgets/2015/07/wi-fi-sense-in-windows-10-yes-it-shares-your-passkeys-no-you-shouldnt-be-scared/

                That article does not negate my arguement that this is a bad thing.

                @your_linked_article said:

                First, a bit of anti-scaremongering. Despite what you may have read elsewhere, you should not be mortally afraid of Wi-Fi Sense. By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you'll be asked if you want to share it with your friends/social networks.

                Yes, I never argued that you had to say yes. ONCE. That is the problem, once you say yes, it is shared. done. no wy to stop it from spreading.

                1 Reply Last reply Reply Quote 0
                • A
                  Alex Sage @JaredBusch
                  last edited by

                  @JaredBusch said:

                  Here is a record of my wifi hotspot. 1 block from my house, before I moved a month ago.

                  img

                  If you so worried about it why not hide your SSID and enabled MAC address filtering. Both provide no real security by the way.

                  1 Reply Last reply Reply Quote 0
                  • scottalanmillerS
                    scottalanmiller
                    last edited by

                    The Ars Technica article pretty much sums up at the end like this:

                    • If you share a network that isn't yours, like a business one, it's your fault.
                    • You probably aren't secure about security at home anyway, so who cares if you are breached.

                    That's the wrap up in my words. They try to justify the idea by saying you can't do this for business wifi and by pointing out that you probably didn't care about security otherwise.

                    And sure, lots of people don't care about their security at home. But a lot of people do. Especially people in apartment buildings or large cities where it would be trivial to steal bandwidth or use a network connection for something nefarious and social engineering your way into a FB or Skype list would generally be trivial.

                    1 Reply Last reply Reply Quote 0
                    • JaredBuschJ
                      JaredBusch @Alex Sage
                      last edited by

                      @anonymous said:

                      @scottalanmiller business networks aren't allowed to be shared.

                      Your linked article actually says exactly the opposite.

                      @your_linked_article said:

                      Fortunately, it appears that Wi-Fi Sense does not share credentials from networks that are secured with additional authentication protocols, such as corporate networks that use 802.1x EAP. However, if your office Wi-Fi is secured with a simple WPA/WPA2 key, you probably shouldn't share that network with Wi-Fi Sense.

                      A scottalanmillerS 2 Replies Last reply Reply Quote 1
                      • A
                        Alex Sage @JaredBusch
                        last edited by

                        @JaredBusch said:

                        @anonymous said:

                        @scottalanmiller business networks aren't allowed to be shared.

                        Your linked article actually says exactly the opposite.

                        @your_linked_article said:

                        Fortunately, it appears that Wi-Fi Sense does not share credentials from networks that are secured with additional authentication protocols, such as corporate networks that use 802.1x EAP. However, if your office Wi-Fi is secured with a simple WPA/WPA2 key, you probably shouldn't share that network with Wi-Fi Sense.

                        Why is your business using a simple WPA2 key?

                        scottalanmillerS 1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller @JaredBusch
                          last edited by

                          @JaredBusch Yes, the Ars Technica article points out that business networks using standard WPA or WPA2 would definitely be shared.

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller @Alex Sage
                            last edited by

                            @anonymous said:

                            Why is your business using a simple WPA2 key?

                            Because most of us work in the SMB and that's plenty for that market. How many small businesses can justify building out a more complex infrastructure for WiFi?

                            1 Reply Last reply Reply Quote 0
                            • JaredBuschJ
                              JaredBusch
                              last edited by

                              @anonymous Well it looks like there is some kind of heck

                              @your_linked_article said:

                              Microsoft says that Wi-Fi Sense only shares your passwords with direct friends/contacts, and not friends-of-friends. So, for example, if Adam shares a passkey with Beth via Wi-Fi Sense, Beth cannot then use Wi-Fi Sense to share Adam's passkey with her friend Cathleen.

                              The problem with that is I do not trust it because both article state it can share a network you already have access to.

                              1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller
                                last edited by

                                If you are working for a large business or some place with complex WiFi needs, sure. But lots and lots of SMBs need nothing more than WPA2.

                                1 Reply Last reply Reply Quote 0
                                • A
                                  Alex Sage
                                  last edited by

                                  The real issue was you selected "Express Setup" without reading what it was doing.

                                  scottalanmillerS JaredBuschJ 2 Replies Last reply Reply Quote 0
                                  • scottalanmillerS
                                    scottalanmiller @Alex Sage
                                    last edited by

                                    @anonymous said:

                                    The real issue was you selected "Express Setup" without reading what it was doing.

                                    And by "you" I assume that you mean every user given access to every network that you have responsibility for. The issue is not MY network, it it the networks that I have to protect and manage. It's a new way to social engineer end users, not me.

                                    1 Reply Last reply Reply Quote 0
                                    • JaredBuschJ
                                      JaredBusch @Alex Sage
                                      last edited by

                                      @anonymous said:

                                      The real issue was you selected "Express Setup" without reading what it was doing.

                                      Do not try to push it on the user. That is a cop out long the lines of "Just blame the user for not reading the EULA."

                                      A 1 Reply Last reply Reply Quote 1
                                      • A
                                        Alex Sage
                                        last edited by

                                        @JaredBusch are you not going your friends access to your network until you have made sure they have wifi sense disabled?

                                        JaredBuschJ 1 Reply Last reply Reply Quote 0
                                        • scottalanmillerS
                                          scottalanmiller
                                          last edited by

                                          I agree, this is a nasty trick for end users. Microsoft has been trying to make a reputation of "secure by default" and this is anything but. If you know what it is doing, not a big deal. If this happens and you don't understand it and let's be honest, end users by and large can't understand it even if they took the time to attempt to do so, then the end result is that Windows is not secure by default.

                                          1 Reply Last reply Reply Quote 0
                                          • JaredBuschJ
                                            JaredBusch @Alex Sage
                                            last edited by

                                            @anonymous said:

                                            @JaredBusch are you not going your friends access to your network until you have made sure they have wifi sense disabled?

                                            I have a guest WiFi SSID (WPA2 protected, weak password) with no access to my private network. This is not an issue for me for random people.

                                            Yes, before anyone gets my main SSID password I will require it.

                                            A 1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 5 / 6
                                            • First post
                                              Last post