ML
    • Recent
    • Categories
    • Tags
    • Popular
    • Users
    • Groups
    • Register
    • Login

    Windows 10 Wi-Fi Sense is a bad idea

    Scheduled Pinned Locked Moved IT Discussion
    microsoftwindows 10security
    118 Posts 6 Posters 36.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • scottalanmillerS
      scottalanmiller @Alex Sage
      last edited by

      @anonymous said:

      All the examples given here are a long shot at best.

      No, I gave one that happened. Only thing that kept it from being a problem was that it wasn't Windows 10. Literally, only thing.

      Not long shots, actual scenario in the last two months. Just the first one that I thought of.

      1 Reply Last reply Reply Quote 0
      • scottalanmillerS
        scottalanmiller @JaredBusch
        last edited by

        @JaredBusch said:

        @anonymous said:

        @JaredBusch said:

        @anonymous said:

        Me too, but isn't the risk the same? How do you know they can't use the Guest wifi to access your main network? What if they torrent? Seems like you would be safer to just not let anyone on your network.

        I monitor my AP like any trained person would do. Yes, user will not, but I do. I don't care if they torrent. I have logs and proof that just because it was my IP, it was not my device on my private network.

        That will never hold up in court. You are responsible for everything downloaded and uploaded.

        Actually, it will. That is the point of logs. I can PROVE the MAC address and such of the device and what local IP it had at the time, etc.

        That's how hotels and other open services handle it. Otherwise we could also say that we can never be responsible because the ISP is responsible. It is through this exact same process that they pass the buck on to you. And then you on to others.

        1 Reply Last reply Reply Quote 0
        • A
          Alex Sage
          last edited by Alex Sage

          @JaredBusch Aren't you concerned that Microsoft is still storing your password somewhere?

          Just because you stop sharing it, doesn't mean it wasn't already exposed.

          It seem to me the only way to make sure your secure, is to change your wifi password.

          scottalanmillerS 1 Reply Last reply Reply Quote 0
          • scottalanmillerS
            scottalanmiller
            last edited by

            As a technical hack, it looks like this is a hard one to break, but certainly possible, like anything. The fears here, I think are this:

            • it makes social engineering much easier. A focused social engineering attack is made easier by this being just another tool for social engineers to use.
            • It makes it trivially easy to accidentally give away access to things you shouldn't be giving away (like access to the wifi at a lakehouse you rented, to your neaighbours house, your parents, etc.) Things that you would never give away broadly, but you wanted to share with family members or your other devices or you just click "share" out of habit.
            1 Reply Last reply Reply Quote 0
            • scottalanmillerS
              scottalanmiller @Alex Sage
              last edited by

              @anonymous said:

              @JaredBusch Are you concerned that Microsoft is still storing your password somewhere?

              Just because you stop sharing it, doesn't mean it wasn't already exposed.

              It seem to me the only way to make sure your secure, is to change your wifi password.

              And that was my other point, is that reliable now that there is an automatic cascade of your new password to all kinds of devices and people? I'm not sure how this works and end users certainly won't. Automatic sharing from multiple devices might cause exposures that they aren't expecting or can't find.

              1 Reply Last reply Reply Quote 0
              • A
                Alex Sage
                last edited by Alex Sage

                Let's remember that You have to manually opt into every Wi-Fi network that you want to share.

                For every network you join, you'll be asked if you want to share it with your friends/social networks.

                By default, if you choose Express Settings during the installation process, Wi-Fi Sense is turned on in Windows 10.

                However, it doesn't actually do anything until two things occur:

                • First, you need to sign in with a Microsoft account. Wi-Fi Sense won't work with a local account.

                • Whenever you connect to a new W-Fi network, it asks if you want to share it with other people.

                1 Reply Last reply Reply Quote 0
                • scottalanmillerS
                  scottalanmiller @JaredBusch
                  last edited by

                  @JaredBusch said:

                  @anonymous said:

                  @JaredBusch said:

                  @anonymous said:

                  Me too, but isn't the risk the same? How do you know they can't use the Guest wifi to access your main network? What if they torrent? Seems like you would be safer to just not let anyone on your network.

                  I monitor my AP like any trained person would do. Yes, user will not, but I do. I don't care if they torrent. I have logs and proof that just because it was my IP, it was not my device on my private network.

                  That will never hold up in court. You are responsible for everything downloaded and uploaded.

                  Actually, it will. That is the point of logs. I can PROVE the MAC address and such of the device and what local IP it had at the time, etc.
                  Also, as I said I monitor my AP. SO I can show that I blocked said device also.

                  The difference with getting breached through this WiFi Sharing is that you actually gave out the password voluntarily.

                  1 Reply Last reply Reply Quote 0
                  • A
                    Alex Sage
                    last edited by

                    Most people give out their Wi-Fi keys freely. You could even argue that Wi-Fi Sense is more secure: if I ask Adam for his Wi-Fi password, I am free to give it away to anyone. If I receive the password via Wi-Fi Sense, I can still connect to Adam's network, but I can't tell anyone else the password.

                    scottalanmillerS 1 Reply Last reply Reply Quote 0
                    • scottalanmillerS
                      scottalanmiller @Alex Sage
                      last edited by

                      @anonymous said:

                      Most people give out their Wi-Fi keys freely. You could even argue that Wi-Fi Sense is more secure: if I ask Adam for his Wi-Fi password, I am free to give it away to anyone. If I receive the password via Wi-Fi Sense, I can still connect to Adam's network, but I can't tell anyone else the password.

                      Yes, that's what I said.... this is so insecure that the justification for it in the article was to point out that most people already are insecure, so the vulnerabilities exposed here just don't matter. To me, this is the same as admitting that it is a horrible idea or else they would have no need for this argument. This isn't stating that it is secure, nor even suggesting it, it is just saying that most people screw up security so badly that this doesn't really hurt anymore.

                      But that's only talking about their home networks. As the same article points out one line above this quote, if that same treatment happens with a business network it would be really bad.

                      You just quoted the same line that I used a page back to show how the article didn't wind up being positive in their take on the technology. They try to spin it well, but ultimately they have no faith in it either by way of having no faith in the people who will use it.

                      1 Reply Last reply Reply Quote 0
                      • A
                        Alex Sage
                        last edited by

                        http://money.cnn.com/2015/07/30/technology/windows10-wifi-sense/

                        1 Reply Last reply Reply Quote 0
                        • scottalanmillerS
                          scottalanmiller
                          last edited by

                          It's basically like saying "most people are such bad drives and won't use seatbelt anyway so the fact that we didn't include working brakes really doesn't matter.... for those users."

                          1 Reply Last reply Reply Quote 0
                          • scottalanmillerS
                            scottalanmiller
                            last edited by

                            The thing is, they could have easily made this technology work with a "share my password" technology that lets you do it, one time, with a tiny bit of effort and be really secure and leverage the good parts of this and avoid the bad ones. But they didn't do it that way.

                            1 Reply Last reply Reply Quote 0
                            • A
                              Alex Sage
                              last edited by Alex Sage

                              CNN Money

                              Should you stop using it?
                              You're probably safe using Wi-Fi Sense.
                              All these nightmare scenarios are possible ... but farfetched. Even the worst-case scenario -- a stalker using Wi-Fi Sense to steal your naked photos -- would require that person to sit outside your house with a Windows 10 PC while he hacks into your network.
                              But if you do want to protect those naked photos and you shared your network via Wi-Fi Sense you can stop that. Windows 10 lets you do that in settings (it takes a few days to register). You can also opt your network out of Wi-Fi Sense entirely by adding the phrase "_optout" to the end of your Wi-Fi network's name.

                              http://money.cnn.com/2015/07/30/technology/windows10-wifi-sense/

                              1 Reply Last reply Reply Quote 0
                              • scottalanmillerS
                                scottalanmiller
                                last edited by

                                So actually this technology is a lot more invasive than might be realized at first. Here is a few things that need to be considered...

                                It does not share a wifi password "when you are in range." That's not what any of these things say. It shares ALL of your passwords with ALL of your contacts, always. It's a big many to many sharing of information.

                                Those contacts all have access to everything that you share. You can change the passwords of your devices to cut them off (in theory) but you can't cut them off individually, only be changing the password AND stopping all sharing to keep them from getting the update.

                                This is actually a bit riskier, in fact a ton riskier, than I had understood from the initial description. All of your data goes up to Microsoft and MS pushed it down to all of your contacts. They can then take themselves offline and stop you from telling MS or their devices that you don't want them to have access.

                                1 Reply Last reply Reply Quote 1
                                • scottalanmillerS
                                  scottalanmiller
                                  last edited by

                                  One has to ask, once you get to this point of sharing passwords and once you take the Ars Technica tact of saying "well, it isn't like you were secure anyway", why are we securing access points at all? Why not solve all of this and just not put a password on the devices?

                                  I mean, people still need to be pretty close to use it. You only let people into your house that are friends. You would give out your password to anyone in your house anyway.

                                  All of the logic that we would use to make this sound reasonable would also, by only a tiny step towards ease of use, make giving up on wifi passwords altogether, right?

                                  1 Reply Last reply Reply Quote 1
                                  • scottalanmillerS
                                    scottalanmiller
                                    last edited by

                                    And I'm not trying to be silly there, I really mean for people who think this is a great idea because they really were going to give out that password anyway and really do feel that they trust anyone that is in their house anyway... why not have the AP be open?

                                    If you live in a dense city where tons of people can see your wifi, I doubt having WiFi Sharing is going to fly. If you don't live in a place where twenty people can see your wifi at once, why lock it down at all? Are we really fearing someone hiding in our bushes to check the weather forecast?

                                    1 Reply Last reply Reply Quote 1
                                    • scottalanmillerS
                                      scottalanmiller
                                      last edited by

                                      Or to put it another way....

                                      If we need to be truly secure, this doesn't cut it, at all, not without some serious effort and trusting of third party systems that are not designed or intended to be used this way and with trusting every person on those systems to understand the security you have entrusted to them.

                                      If we aren't concerned about security, and I'm totally of this camp that nearly everyone gets oddly anal about security for no reason, then why bother with the passwords and all of this?

                                      1 Reply Last reply Reply Quote 1
                                      • scottalanmillerS
                                        scottalanmiller
                                        last edited by

                                        Take my dad as an example. He has a password on his wifi. But why? There is nothing on his network to secure and he owns a farm. You'd have to be in his garage or under the eaves to even maybe get a signal. Pretty much at that point you could literally cut into his ethernet cables and get access that way. There is a level of wifi protection that we often just assume needs to be there but we don't have with Ethernet. At some point it just doesn't make sense at all.

                                        1 Reply Last reply Reply Quote 0
                                        • A
                                          Alex Sage
                                          last edited by Alex Sage

                                          My guest network is completely open. I don't want to have to give out the password to guests.

                                          I login from time to time, and take a look at who is using the guest network, and if I saw a bunch of people using it, I might have to lock it down.

                                          I know I am lucky to live in a small town.

                                          scottalanmillerS 1 Reply Last reply Reply Quote 0
                                          • scottalanmillerS
                                            scottalanmiller
                                            last edited by

                                            My wife's parents are similar. They live in the middle of a village but their wifi doesn't even extend to their yard. Yes someone leaning on the side of the house would get a signal, but they would also get the free village wifi much better. The only people that might have regular access are the next door neighbours on the one side and if they needed access my in-laws would have directly given them the password. They might have it for all that I know. The only other building nearby is a police station - they are probably to be trusted (and they are too far away to see the SSID.)

                                            Just two cases but the first two. Almost anyone that I know first hand at home (that I use their wifi) has some crazy hard to use wifi password yet doesn't have good enough wifi for it to extend past their front porch for use.

                                            1 Reply Last reply Reply Quote 0
                                            • 1
                                            • 2
                                            • 3
                                            • 4
                                            • 5
                                            • 6
                                            • 5 / 6
                                            • First post
                                              Last post