September 17, 2021 - Blog
How to manage Windows 10 WiFi Sense security risks
Last week a Windows 10 feature, WiFi Sense, caused an uproar online after it was revealed that the application would potentially share the user’s WiFi password with their Facebook, Skype, or Outlook contacts by default. WiFi Sense is intended to work as follows: a user who has the feature turned on automatically sends their WiFi password through a secure connection to a Microsoft server, where it is encrypted. When one of the user’s contacts is close to the WiFi hot spot in question, the password is decrypted and securely delivered to the second person’s device without revealing the text of the password.
The feature is intended to automatically connect users to open networks, accept a WiFi network’s terms of service automatically, and enable exchanges of password-protected WiFi network access with contacts, providing internet access without revealing one another’s passwords. Network access provided through the WiFi Sense app is limited to the internet and should not facilitate connections to any other devices on the network. Many of the security concerns centered on whether users could access other devices on the network and on how Microsoft planned to store and encrypt the passwords as well as their decryption keys. There were also concerns that the owners of a wireless access point would expose themselves to risk by providing access to unauthorized users through automated password dissemination.
There are a number of scenarios in which WiFi Sense will not share login information for your network. If the network’s WiFi access points and controllers use 802.1X authentication, only those who are authorized to access the network can use the connection. In the Wi-Fi Sense FAQ for Windows Phone 8, Microsoft states that: “Enterprise networks that use 802.1X can't be shared. If you connect to one of these enterprise networks at work or somewhere else, those network credentials won't be shared with any of your contacts.”
Another way that a network administrator can opt out of WiFi Sense is to include the phrase “_optout” in the network name/SSID. To opt out of WiFi Sense, connect directly to your router through an Ethernet cable, enter the address for the router’s configuration page, enter your credentials, and on the router configuration page, add the phrase “_optout” to the network name. For example, a network called “Lavasoft_optout” would not be utilized by the WiFi Sense application.
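The two exclusions above (802.1X networks and the “_optout” phrase) can be checked across a list of networks before renaming anything. The following is an added example, not code from the original post or from Microsoft: it audits a constructed listing in the layout of `netsh wlan show networks` and proposes an opt-out SSID where one fits. The function names are hypothetical, and matching “_optout” with exact case is an assumption.

```python
import re

OPTOUT = "_optout"      # opt-out phrase from the article; exact-case match is an assumption
MAX_SSID_BYTES = 32     # IEEE 802.11 limit on SSID length
# Constructed sample in the layout of `netsh wlan show networks`; not real capture data.
SAMPLE = """\
SSID 1 : Lavasoft
    Network type            : Infrastructure
    Authentication          : WPA2-Personal

SSID 2 : Lavasoft_optout
    Authentication          : WPA2-Personal

SSID 3 : CorpNet
    Authentication          : WPA2-Enterprise

SSID 4 : A-Very-Long-Home-Network-Name
    Authentication          : WPA2-Personal
"""

def parse_networks(text):
    """Return (ssid, authentication) pairs from netsh-style output."""
    networks, ssid = [], None
    for line in text.splitlines():
        if m := re.match(r"\s*SSID \d+\s*:\s?(.*)$", line):
            ssid = m.group(1).strip()
        elif (m := re.match(r"\s*Authentication\s*:\s*(.+)$", line)) and ssid is not None:
            networks.append((ssid, m.group(1).strip()))
            ssid = None
    return networks

def classify(ssid, auth):
    """Apply the article's rules: opt-out phrase, 802.1X, otherwise shareable."""
    if OPTOUT in ssid:
        return "opted-out"
    if "Enterprise" in auth:    # netsh labels 802.1X networks WPA/WPA2-Enterprise
        return "802.1X"
    if auth == "Open":
        return "open"           # no password exists to share
    return "shareable"

def optout_name(ssid):
    """Proposed SSID with the phrase appended, or None if it exceeds 32 bytes."""
    new = ssid + OPTOUT
    return new if len(new.encode("utf-8")) <= MAX_SSID_BYTES else None

def audit(text):
    return [(s, st, optout_name(s) if st == "shareable" else None)
            for s, a in parse_networks(text) for st in [classify(s, a)]]
```

A shareable network whose suggested name comes back as `None` needs a shorter base name first, because appending the 7-character phrase would push the SSID past the 32-byte limit.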