The expressions of alarm are all over the place. Suddenly people have discovered something called “WiFi Sense” that Microsoft is including in Windows 10 when it’s released at the end of July.
Once the new version of Windows is released, this feature of Windows will have an impact on your wireless network security. So you will need to plan on how to handle it before it launches.
Microsoft’s WiFi Sense is a means of sharing connection information between users. The original idea was to make connections between wireless hotspots quick and easy so that you don’t have to fumble around with your wireless device every time you find yourself near a new source of WiFi.
To make this happen, Microsoft learns the log-in characteristics of WiFi access points, and it saves them. In addition, WiFi Sense can share those characteristics with your other Windows devices and, if you wish, your friends and contacts. The information it shares includes the WiFi password, which effectively opens up private WiFi to public use.
Before you hit the panic button, a little context and some background might be helpful. WiFi Sense isn’t new. This feature was part of Windows Phone 8.1, but you likely never heard of it because almost nobody used that version of Windows Phone. The carriers that sold Windows phones mostly didn’t upgrade them, so the proportion of phones with that feature was vanishingly small.
WiFi Sense also isn’t unique in its capability to share wireless log-in information. Analyst Craig Mathias of Farpoint Group pointed out to me that Passpoint from the WiFi Alliance performs a similar task of sharing log-in information and automating the process of using access points. Passpoint is also not new.
What is new is that WiFi Sense will now be a standard part of the mainstream version of Windows, which unlike the previous edition is expected to be widely adopted. This means that there will be millions of users who have the ability to share their WiFi log-in information with all of their social media and address book contacts, likely without actually being aware that they’re doing so. It’s the lack of awareness that provides part of the risk.
The reason for the risk is that WiFi Sense also automatically accepts any terms and conditions presented by the WiFi access point. Normally this isn’t a problem, since what you’re agreeing to is that you won’t do anything illegal. But suppose a WiFi site includes terms that say the site has the right to download your personal data? Sometimes it’s a good idea to actually read all that legal boilerplate.
Microsoft’s WiFi Sense Poses Manageable Security Risks
There are also risks associated with owning the access point that’s being used. Microsoft assures everyone that the only thing people connecting through WiFi Sense will be able to do is reach the Internet.
But, even if that’s true, it’s your company’s bandwidth that’s being use and it’s your company’s IP address that shows up on the other end of the connection. Do you really want the DEA or the local vice squad showing up at your door because of the illegal activities carried out by an interloper who got your log-in data from Facebook?
Fortunately, there are some steps beyond just making sure your wireless access points use WPA2 security. Enterprise-grade WiFi access points and controllers will support 802.1X wireless authentication protocol. Using 802.1X for authentication means that only those who are authorized to access your WiFi network can actually get in. In addition, WiFi Sense will not share log-in information for networks with 802.1X authentication.
Unfortunately, the infrastructure for using 802.1X is beyond the capabilities of many smaller enterprises. However, other means of secure authentication exist that are less expensive and easier to manage than 802.1X, such as the pre-shared encryption used by Ruckus Wireless and available through their WiFi controllers. Here’s a video explaining that.
You can also rename your access points with the suffix “_optout” at the end of your network name or SSID, and that will tell WiFi Sense that you don’t want to be included. In addition, many enterprise-class WiFi products may allow you to assign each user a unique password, which will also defeat the abilities of WiFi Sense.
When the time comes to start upgrading your current computers to Windows 10, and when you buy new machines with Windows 10 already installed, you can set up your standard version so that WiFi Sense isn’t enabled. This may not help with BYOD devices, unfortunately, but you can make it a condition of use that employees allow you to turn that feature off before they can use personally owned devices on the company network.
Fortunately, very few mobile devices will be using Windows 10, except for perhaps Surface tablets. You can place the same conditions of use on those that you place on laptops and phones.
It’s not a perfect solution, but by making use of 802.1X authentication or some other similar means of access control mandatory, you’ll be making your network far more secure anyway. The days of the single share key in WiFi should already be over, but they’re not. For your enterprise, real security is necessary, and now Microsoft has provided the impetus.