Following the news that Microsoft has unveiled a feature in Windows 10 called WiFi Sense, which enables users to share access to password-protected WiFi networks with all their contacts in Skype, Outlook and Facebook, security experts from Imperva and ESET discuss the potential security concerns with the feature:
Amichai Shulman, CTO of Imperva:
“Without getting into how secure the implementation is and whether an attacker can get hold of a cleartext WiFi password or not, this is a perfect example of how convenience makes us vulnerable. It is clear that this type of feature allows our contacts (which we don’t always actually know) to connect to the same network we’re connected to and at the same time it can probably allow someone in our contacts list to force our device into connecting to an unsecure WiFi network.
Whether this capability picks up or not depends entirely on how useful it is or how disruptive it is (e.g. if your device constantly jumps between networks it may not be very convenient) and not on how secure it is perceived. This particular capability is yet another indicator of how fragile our definition of perimeter is, and as a consequence the need for enterprises to invest in security solutions around the data resources rather than around ‘perimeter’.”
Mark James, Security Specialist at ESET:
“According to Microsoft the WiFi password is sent over an encrypted connection and only provides internet access and no network access. However, how secure this is remains to be seen. In theory if the password is being sent then it’s capable of being compromised. The idea behind this is great for family and friends but not so great for most business environments. With any contact having potential access to your network we need to take extra care before allowing this default option to be active. That said though, it’s no less secure than having the Wi-Fi password printed and stuck to the office wall. As with most “ease-of-use” options you need to apply it to your situation and see if it’s a viable option. If it’s a company guest Wi-Fi network then having to waste the first 15 minutes while someone finds the password could make the meeting go a lot smoother; on the other hand, if you supply an internal Wi-Fi network for your staff then I would not recommend Wi-Fi sense is used. Access to your network should be authorised and monitored at all times.”