    Windows 10 Wi-Fi Sense is a bad idea

      scottalanmiller

      I'm not saying that this is a completely crazy idea, I'm saying that without warning sharing security data with completely unrelated and arbitrary lists of people by default is insane. Completely insane.

      Not only that, it is potentially illegal. Do you know that everyone on your list should have access to every network you have been granted access to?

        Alex Sage

        Are we sure it is enabled by default? I think I was asked to turn it on....

          scottalanmiller @Alex Sage

          @anonymous said:

          BTW I am sharing my personal wifi password using this

          Go for it. That's perfectly fine. YOU are AWARE that you are sharing it with whole social networks. You can take the time and delete anyone that you don't want having access. It is perfectly fine for you to not just trust the people on that list but trust Facebook and Skype to be secure with their accounts and for you to trust those people with the security of those accounts.

          But what about people who don't understand those things?

            JaredBusch

            I use Apple's SSID sharing built into iOS to let all my devices connect after one has. But that does not come close to sharing it with someone else.

              JaredBusch @Alex Sage

              @anonymous said:

              Are we sure it is enabled by default? I think I was asked to turn it on....

              See the screenshots above. That was on a brand new Windows 8.1 to Windows 10 upgrade.
              Enabled by default. The only "choice" is to grant FB access.

                Alex Sage @JaredBusch

                @JaredBusch said:

                I use Apple's SSID sharing built into iOS to let all my devices connect after one has. But that does not come close to sharing it with someone else.

                What if someone hacks one of your devices?

                  scottalanmiller

                  Think about this.... have you ever had any friend have their Facebook account hacked? I see people I know have that happen all of the time. It's not a secure system. Nothing in the use of Facebook suggests that the person using FB takes it seriously. Sure some people do and that is great for them. For other people it is just a completely casual account.

                  Now you are by association granted access through all of those allowances of lack of security.

                  And more importantly, allowing it to other networks, not just your own, just because you are nearby.

                    Alex Sage @scottalanmiller

                    @scottalanmiller said:

                    Think about this.... have you ever had any friend have their Facebook account hacked? I see people I know have that happen all of the time. It's not a secure system. Nothing in the use of Facebook suggests that the person using FB takes it seriously. Sure some people do and that is great for them. For other people it is just a completely casual account.

                    Now you are by association granted access through all of those allowances of lack of security.

                    And more importantly, allowing it to other networks, not just your own, just because you are nearby.

                    How does the hacker know I have wifi sense on? How do they know where I live?

                      JaredBusch @Alex Sage

                      @anonymous said:

                      What if someone hacks one of your devices?

                      Different scenario. Risk yes, and a risk I have chosen to accept. But that is a completely different level of risk than publicly sharing on a social network.

                        scottalanmiller

                        So let's just imagine this scenario of total innocence...

                        • You are granted access to a secure wireless network at a business where you are doing some consulting.
                        • You have a friend on Facebook.
                        • Friend thinks FB is a joke and doesn't secure it because, why should they, it isn't important to them.
                        • Someone easily gets access to their FB account.
                        • That person now has access, when you are nearby, to a network you don't have the right to give out access to.

                          scottalanmiller @Alex Sage

                          @anonymous said:

                          How does the hacker know I have wifi sense on? How do they know where I live?

                          Facebook shares a lot of that information. Some of this will be automatic. In a casual attack, yes, this is pretty minor. In a targeted attack, it's quite powerful.

                            Alex Sage @scottalanmiller

                            @scottalanmiller business networks aren't allowed to be shared.

                              JaredBusch @Alex Sage

                              @anonymous said:

                              How do they know where I live?

                              You mean, like with this publicly available wifi database?

                              https://wigle.net/

                                JaredBusch @Alex Sage

                                @anonymous said:

                                @scottalanmiller business networks aren't allowed to be shared.

                                And how do you know that each person with a Windows 10 device marked the network as a business network? Windows generally marks networks as public until changed by the user.

                                  Alex Sage

                                  http://arstechnica.com/gadgets/2015/07/wi-fi-sense-in-windows-10-yes-it-shares-your-passkeys-no-you-shouldnt-be-scared/

                                    scottalanmiller

                                    It's all about risk and reward. This is a new attack vector with a lot of potential. Personally I think it is more powerful to use to trick people into accessing things that they didn't know they would access rather than to try to gain access to things, but both are possible.

                                    It opens a lot of doors for data leakage. Tons and tons of people use social media networks for a lot of things without any planning done around network security. Most people. Nearly all people. In fact, only crazy people would have their lists culled to some level of safety around network access. Who would guess that a random social media list of randomness would be the same list that lets people onto your wifi? Or onto your business' wifi. Or onto your parents' wifi or any other wifi you happen to have access to and be near?

                                    Suddenly you need to verify all those associations. I have hundreds of people on FB, many I have never met. Some I have no idea who they are. My FB is completely public, it doesn't matter at all who is "friends" with me. My Skype account is not my own and it has to have lots of people I don't know on it because I work with them. People who may or may not be cleared to have access to all of the same wifi that I have access to.

                                    This is a lot like how Social Security Numbers are used by the government for one purpose and should be able to be public because they are not identifiers. But then a few companies decided to treat them as secret, identifying information and created a disaster of stolen identities and false credit information because social security numbers are not secure, unique or IDs. They've been used for a purpose for which they were not designed or intended and while it seemed like "everything would be fine", it obviously is not because you can't just do that.

                                    Security is not something to treat casually. What Microsoft did here has potential to be useful, but tons of potential to abuse very easily. Being available would make it neat, making it default makes it scary.

                                    Maybe there is some control there that we don't see, but this is something to really worry about.

                                      scottalanmiller @Alex Sage

                                      @anonymous said:

                                      @scottalanmiller said:

                                      Think about this.... have you ever had any friend have their Facebook account hacked? I see people I know have that happen all of the time. It's not a secure system. Nothing in the use of Facebook suggests that the person using FB takes it seriously. Sure some people do and that is great for them. For other people it is just a completely casual account.

                                      Now you are by association granted access through all of those allowances of lack of security.

                                      And more importantly, allowing it to other networks, not just your own, just because you are nearby.

                                      How does the hacker know I have wifi sense on? How do they know where I live?

                                      They don't care where you live, they care where you are. Where you live isn't important. It's finding you at a place where you are working that is most powerful.

                                        scottalanmiller

                                        Okay so a little good news, from Ars Technica: By default, it will not share Wi-Fi passwords with anyone else. For every network you join, you'll be asked if you want to share it with your friends/social networks.

                                        Lots of people will just say yes to everything not understanding this. As a business, or as IT, we need to be very, very aware that employees will do this all the time.

                                          scottalanmiller

                                          Although also important to note: By default, if you choose Express Settings during the installation process, Wi-Fi Sense is turned on in Windows 10.

                                            JaredBusch

                                            Here is a record of my wifi hotspot. 1 block from my house, before I moved a month ago.
