Microsoft’s WiFi [non]Sense

You know who has no say-so in how wireless LAN keys are shared in Microsoft’s new WiFi Sense feature? The actual owner of the wireless LAN.  The decision to share credentials is in the power of the connecting user, not the WLAN owner.  Stupid much?

I have several thousand “friends” on Facebook and more than a thousand contacts in my contact list. I use Gmail for my email and each time I respond to someone they are added to my list of contacts, even if they are not a person with whom I will ever again exchange an email.

If I come to your house or business and connect to your WLAN by entering a key that you tell me, I will be the one in control of the decision to make your WLAN accessible to several thousand people. If your WLAN SSID is unique enough and findable by using a service like WiGLE, people from all walks of life will have automatic connectivity to your WLAN when they pass by your place.  I’m struggling to process that; Microsoft has had an aneurysm.

A more absurd feature is difficult to imagine. The lack of contemplation on the security aspects of WLAN connections by Microsoft on this is hard for me to wrap my head around. I know we live in a social media world but the idea that it’s OK for a friend or business associate to automatically share my WLAN connection information with their friends is insane.  Letting a friend or customer connect to your wireless LAN is a courtesy.  Microsoft just turned it into a catastrophe.

Oh, and adding ‘_optout’ to my SSID name in order to not participate? Are you fracking kidding me? You can’t embrace the wonder that is social media without also acknowledging the fact that things as seemingly unimportant as an SSID are an extension of our personalities. That plucky name you gave your WLAN or that well thought-out naming convention you decided upon for corporate reasons just got hijacked by Microsoft. If you don’t want the Windows 10 users who happen upon your wireless network to share your keys with all of their contacts you’ll need to append an ‘optout’ to that awesome wireless network name of yours.

Thanks, Microsoft. I don’t use your operating system but now I have to defend my wonderfully non-MS network from the odd chance that one of your computers will one day connect to my WLAN.  You suck.

Technically speaking, you are not supposed to use WPA2-Personal for business reasons.  Businesses, regardless of size, are better served and secured using enterprise WLAN solutions.  Despite being the ‘correct’ way of doing things the reality is that a staggering number of businesses use WPA2-Personal (and will continue to do so).  The technical leap from Personal to Enterprise is more than the average business owner can handle.  So, right or wrong, it is what it is.  Microsoft seems to have blanked out this bit of reality.  Oh, don’t forget that changing the SSID like this is also going to kick all of your other users off the WLAN.  They will all need to reconnect.  Not big drama but, depending on the number of wireless devices impacted, it could be inconvenient.
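
An added example (not part of the original post and not Microsoft code): a small Python planner for the ‘_optout’ rename discussed above, counting the clients that will have to reconnect. It assumes the 802.11 limit of 32 octets per SSID and treats any name already containing the marker as opted out; the inventory is constructed and the function and field names are hypothetical.

```python
OPTOUT = "_optout"        # marker named in the post
MAX_SSID_OCTETS = 32      # 802.11 SSID limit, counted in octets, not characters


def truncate_utf8(text, max_octets):
    """Cut text to max_octets UTF-8 bytes without leaving half a character."""
    return text.encode("utf-8")[:max_octets].decode("utf-8", errors="ignore")


def plan_rename(ssid):
    """Return (new_ssid, note) for one network name."""
    if OPTOUT in ssid:
        return ssid, "already opted out"   # assumption: marker anywhere counts
    candidate = ssid + OPTOUT
    if len(candidate.encode("utf-8")) <= MAX_SSID_OCTETS:
        return candidate, "renamed"
    # Too long: shorten the original name so the marker still fits.
    room = MAX_SSID_OCTETS - len(OPTOUT)
    return truncate_utf8(ssid, room) + OPTOUT, "renamed, base name truncated"


def plan_inventory(networks):
    """networks: dicts with 'ssid', 'auth' ('psk' or '802.1x') and 'clients'."""
    plan, reconnects = [], 0
    for net in networks:
        if net["auth"] != "psk":
            # No shared passphrase for a guest to pass on; leave the name alone.
            plan.append((net["ssid"], net["ssid"], "skipped, no shared key"))
            continue
        new_ssid, note = plan_rename(net["ssid"])
        if new_ssid != net["ssid"]:
            reconnects += net["clients"]   # every client must rejoin the new name
        plan.append((net["ssid"], new_ssid, note))
    return plan, reconnects


# Constructed sample inventory (not real networks).
SAMPLE = [
    {"ssid": "CafeGuest", "auth": "psk", "clients": 12},
    {"ssid": "Smith-Family-Home-Network-5GHz", "auth": "psk", "clients": 9},
    {"ssid": "Restaurant-Am-Goldenen-Löwen", "auth": "psk", "clients": 4},
    {"ssid": "Lab_optout", "auth": "psk", "clients": 3},
    {"ssid": "CorpNet", "auth": "802.1x", "clients": 40},
]

if __name__ == "__main__":
    plan, reconnects = plan_inventory(SAMPLE)
    for old, new, note in plan:
        print(f"{old!r} -> {new!r} ({note})")
    print("clients that must reconnect:", reconnects)
```

A truncated name can collide with another SSID in the same inventory, so check the output for duplicates before pushing the change.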

Another note:

Ars Technica put out an article on this and, from what I can tell, must be on Microsoft’s payroll.  They ultimately defend an indefensible position.  For instance, they wrote:

 “…just how sacred is your Wi-Fi password anyway? Corporate networks notwithstanding (and you shouldn’t share those networks with Wi-Fi Sense anyway), most people give out their Wi-Fi keys freely. You could even argue that Wi-Fi Sense is more secure: if I ask Adam for his Wi-Fi password, I am free to give it away to anyone. If I receive the password via Wi-Fi Sense, I can still connect to Adam’s network, but I can’t tell anyone else the password.”

Uh, …my WiFi passphrase is quite sacred.  Security-conscious people don’t give out their WiFi passwords freely; they give them to specific individuals who come into their home and they are intended for the person’s personal use.  The existence of a passphrase implies a measure of sacredness to the right to access my network.  If I didn’t care who connected to my WLAN, I’d set it to OPEN authentication with NO ENCRYPTION.  The idea that sharing my WLAN passphrase with a friend readily extends to all the contacts of my friends, too, is a fool’s logic.  The continued suggestion that it makes things more secure is equally silly.  If it hasn’t already been done, there will be a tool available in a week or so that shows the keys in plaintext.  One need only look at Microsoft’s current mechanism of WLAN profile storage to see the writing on this particular wall.

Friendship is not transitive and forcing WLAN owners to extend a trust relationship to friends of friends is wrong, wrong, wrong.

Next the ARS article states:

“as long as you don’t share the passkey from your workplace’s Wi-Fi network, the potential security risk is low.”

What the author fails to mention is that the decision is not up to the employer, it’s up to the connecting user.  BYOD puts a bit of a damper on this, don’t you think?  That is, of course, unless the employer adds the stupid ‘_optout’ text to the end of their SSID.

The ARS article continues with:

“Microsoft says that Wi-Fi Sense only shares your passwords with direct friends/contacts, and not friends-of-friends. So, for example, if Adam shares a passkey with Beth via Wi-Fi Sense, Beth cannot then use Wi-Fi Sense to share Adam’s passkey with her friend Cathleen.”

None of this negates the fact that dozens, hundreds or (in my case) thousands of other people have been granted access to my WLAN because I made the tragic mistake of letting a dinner guest connect to my wireless network.

About the Author

Colin Weaver

Colin Weaver is co-owner and lead instructor at ITdojo, Inc., a network security and information assurance training center and consulting firm located in Virginia Beach, VA. His passion for technology, networks, and security has led him to become enthralled with the idea of IPv6 and its implementation. In this blog he will share with you glimpses of what he has learned and a hint at what you’ll learn in his classes.