Beware of sharing WIFI password with Windows 10 users

Discussion in 'Windows 10' started by zwanderer, Jul 29, 2015.

  1. zwanderer

    zwanderer MDL Novice

    Not sure if discussed already, I just bumped into it today, but the geniuses at Redmond never fail to impress...

    https://nakedsecurity.sophos.com/2015/07/01/windows-10-wi-fi-sense-feature-shares-your-wi-fi-network-with-your-friends/



    Apparently, if you tell your WIFI password to a person using Windows 10, the password will be shared by all his Skype and Facebook friends, unless you include "_optout" in your WIFI SSID...


    I'm just imagining the fun when someone is summoned to a court for downloading pirated music just because the entire Facebook has his WIFI password, or because the MS servers storing WIFI passwords are as secure as APPLE servers storing Jennifer Lawrence's nudes... Way to shoot itself in the foot?
     
  2. Garbellano

    Garbellano MDL Addicted

    :clap: That's funny. So, to opt out you not only have to change your WiFi password but change the name of your OWN network to yourWIFInetwork_optout. Yea, that's funny.
     
  3. jordanmills

    jordanmills MDL Novice

    #3 jordanmills, Jul 29, 2015
    Last edited: Jul 29, 2015
    I bet they'll have a way to register it by bssid MAC and exclude it at their site. They do that for wifi-based location services: windows phone dot com /en-us/support/location-block-list

    Sorry for the link mangling, but it won't let me post a real link.
     
  4. IAmTheDude

    IAmTheDude MDL Member

    I'm sure there's an option to opt out of it during initial setup? Might be wrong though, and also doesn't mean they won't still take the password anyway...
     
  5. sml156

    sml156 MDL Member

    There's a lot of FUD & frankly inaccurate information floating around here.
    When connecting to a password protected router you are given an UNCHECKED BY DEFAULT option to share the password with your friends. What this means is, the user can deliberately share the password they know.
    This is just as secure as any other system because once you give a user a password they could share it if they chose. Nothing here is "automatic"; no data is being proliferated without user consent. If your employees leak your password this way, then it's the same as leaking passwords otherwise.
    Again, this is not an opt-in-by-default scenario. It requires a user knowing a password to actively choose to share for each router independently.
     
  6. sauronxxx

    sauronxxx MDL Member

    #6 sauronxxx, Jul 29, 2015
    Last edited: Jul 29, 2015

    that's nonsense.. and "wifi sense" is not new.

    the only issue is if you tell your friend your password as PLAINTEXT... he puts your password into HIS system and shares it via wifi sense with his friends.

    but that's your fault.. you should make sure nobody knows your passwords.

    wifi sense itself shares only ENCRYPTED passwords and only with YOUR friends.
    not with friends of your friends.

    and of course you don't have to use this feature....
     
  7. zwanderer

    zwanderer MDL Novice

    Let me see...

    First, if I share my WiFi password with a friend, it's probably because I want ONLY my friend into my network, I have no clue who he has as Facebook/Skype friends... Without WiFi sense, my WiFi password only leaks if he deliberately does it, and that's a completely different story, but with WiFi sense, he may not even know he's sharing my WiFi password, or to whom he's sharing it...

    Second, if your install is showing the share tickbox disabled by default, most probably you were paying attention during install when it asked about wi-fi sense... during my installation process I noticed it was just a text wall saying how wonderful and convenient wifi sense is, and that it will be on by default, unless I click the small letters link (not even button) at the bottom... do you think the millions of tech illiterates will notice it like us? I guess 99% will leave it at default during install, and most won't even notice that tickbox when they type in the password...

    Third, as the WiFi owner, the only control you have over it is by changing the SSID name to add _optout, which is pretty stupid. I can't be certain that whoever I shared my WiFi with had WiFi sense disabled, which means the argument "you don't have to use this feature" is invalid... Hence the title of the thread, "Beware of sharing WiFi password with Windows 10 users"... So whenever a friend visits me and wishes to use my WiFi, I'll have to triple check if he's using Windows 10 with default settings... Again, the millions of tech illiterates that own a WiFi won't even know about WiFi sense, or notice that WiFi is being jacked by their friend's friends...

    Fourth, even if MS stores my WiFi password encrypted, I will trust MS servers as much as I trust Apple iCloud with my nudes... the key used to store those passwords WILL leak with 100% certainty, especially because WiFi sense users will have to decrypt the password to be able to join the network...

    Fifth, I know WiFi sense is not new, but AFAIK, it wasn't enabled by default on Windows Phone 8, which is the biggest issue...

    Sixth, this adds a HUGE security flaw, imagine this scenario:
    1) there's a person I want to attack
    2) I'll befriend that person on Facebook or Skype
    3) I'll set up a few WiFi networks that do some malicious thing, like intercept all HTTP traffic
    4) I'll spread those networks on places I know the victim will be without WiFi coverage, for example, on the path of his work-home commute
    5) I'll join my own WiFi networks and share it on WiFi sense
    6) Windows 10 on default behavior, with all its magnificent wisdom says "thou shalt not waste data plan quota", and will force him to join my network of traps
    7) ???
    8) Profit
     
  8. sauronxxx

    sauronxxx MDL Member

    #8 sauronxxx, Jul 29, 2015
    Last edited: Jul 29, 2015

    read about the feature, you got it wrong.

    in the past you had to tell him the plaintext password (unsecure).
    today you have to worry that Microsoft is hacked.

    in the first case it's more likely a person close to your wifi gets the passwords.
    i doubt a hacker in China can log into my wifi.


    with wifi sense he does not know your password because it is ENCRYPTED.
    so he can not share it.

    only YOU can share it with YOUR friends in an encrypted way.
    he does not share your password with HIS friends.

    what you write is only possible when he KNOWS your unencrypted password (like the old days when you had to tell him).
    but now you don't have to tell him your passwords.

    as to traps... common sense is always needed.
    don't join open networks you don't trust.
     
  9. zwanderer

    zwanderer MDL Novice

    #9 zwanderer, Jul 29, 2015
    Last edited: Jul 29, 2015
    (OP)
    Derp... I guess you're the one that should read. You don't choose who you share your WiFi credentials to, if you type your own WiFi password, it will be shared TO EVERYONE in your Facebook and Skype... It's all or nothing... The objective of the feature is to have everyone on WiFi as much as possible...

    Hence I'll opt out of WiFi sense because I don't want all my friends to have access to my WiFi, but the problem is that even if I opt out, I'll have to make sure whoever I want to share my WiFi with has to opt out too, which is out of my control... Actually it is in my control, by changing my SSID, but guess what, 99% won't even know about it...

    Edit: You clearly didn't understand the feature... By default behavior, Windows will automatically join those WiFi sense to avoid using data plan as much as possible, it's not the user choosing which network to join...