Commenting on reports that the Wi-Fi password sharing feature in Windows 10 is raising security concerns as the new feature allows anyone who gets your Wi-Fi password for their PC could potentially allow others onto your network, Tripwire cyber security expert, Tyler Reguly provided the following comments:
Tyler Reguly, Manager of Security Research for Tripwire (www.tripwire.com):
“This is a great example of one of the times when the security industry makes life harder for the end user. How can we expect consumers to recognize real security risks when they’re constantly surrounded by FUD like this? This is definitely making a mountain out of a molehill. Let’s consider the implementation. You opt-in to sharing your Wi-Fi password with your contacts. They don’t access the password, they can simply access the network using the password. They cannot share that password out, since the option to share the password is set during password entry (a step that a consumer of Wi-Fi Sense information doesn’t perform). So the idea of sharing with friends of friends is invalid. Now, if they enter the password themselves, they can share it, but again, they’d have to purposely enable sharing; which if they wanted to do, they could also just tell other people. The other side of Wi-Fi Sense is crowdsourcing open access points and connecting you to them. Sure, this isn’t the most secure of ideas, but people do it all the time. They connect at McDonald’s and Starbucks, at the restaurant where they’re having dinner, the bar where they’re having drinks, and the hotel and airport when they travel. This doesn’t decrease security, it simply makes an insecure action easier. But since people are already doing it, who cares? That said, the only real complaint here is that the ‘Connect to Wi-Fi hotspots’ option should be disabled by default, allowing those that use hotspots to opt-in.
“The real question that you have to wonder about is how it will work. With a phone, this makes sense, it can download the required password to connect to the Wi-Fi via the cellular network, but how will a laptop or tablet running Windows 10 do this? It seems like a flawed concept when applied to the PC world, not due to a lack of security, but the implementation itself. Since they use location and SSID to provide the password via Wi-Fi Sense, it seems like an existing Internet connection would be required. I suppose this allows Windows 10 PC users to share passwords with Windows phone users, but that seems like a small use case.”
Wi-Fi Sense Overview:
1) Wi-Fi Sense – Connect to Wi-Fi hotspots: Enabled by Default
2) Wi-Fi Sense – Exchange Wi-Fi Network access with my contacts: Enabled by Default
- Outlook.com contacts: Enabled by Default
- Skype contacts: Enabled by Default
- Facebook friends: Enabled by Default (*with a note that it needs permission to use your Facebook account*)
3) Existing Connections are NOT shared by default.
4) New Connections are NOT shared by default.
5) Enabling / Disabling sharing for a connection is a simply process — Settings –> Wi-Fi –> Manage Wi-Fi settings –> Select Connection
6) You can opt out your Access Point simply by renaming it (adding ‘_optout’ to the SSID name).[su_box title=”Tyler Reguly, Manager of Security Research for Tripwire” style=”noise” box_color=”#336588″]
Tyler Reguly is a Manager of Software Development with Tripwire, and a key member of VERT (Vulnerability and Exposure Research Team), where he focuses on web application security and vulnerability detection. Tyler is involved in industry initiatives such as CVSS-SIG and WASSEC, and has spoken at many security events, including SecTOR and OWASP Toronto. Additionally, he has contributed to the Computer Systems Technology curriculum at Fanshawe College in London, Ontario by developing and teaching a number of security related courses. Tyler is frequently quoted by security industry press and is a prolific blogger.[/su_box]
Manager of security R&D
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.