A Windows 10 WiFi feature that shares network passwords and access with email and social media contacts is facing a backlash after security experts raised a number of concerns with the service.
When Windows 10 is installed in 'Express Mode', WiFi Sense by default shares WiFi passwords with contacts listed in Outlook, Skype and, with opt-in consent, Facebook.
Microsoft then stores the passwords in an encrypted form but gives contacts access to the password so they can use your WiFi network. It claims this will help increase the number of available WiFi connections for most people.
While the password feature is turned on by default, users retain control over whether or not they share their network.
However, users have already taken to social sites to complain about the potential risks the feature poses.
Setting up Windows 10. Can confirm that both parts of WiFi Sense are turned on by default. — Brandon Hicks (@Brandon_h) July 29, 2015
Wifi Sense in Windows 10 sounds like a huge security issue most people won’t know about. — Richard Allum (@TheParaplanner) July 30, 2015
One reason I am delaying the upgrade to @Microsoft Windows 10 is the WiFi Sense that comes with it. Have to secure my WiFi first. — Kiran J. Holla (@kiranjholla) July 30, 2015
Security experts have said these concerns are not without merit. Mark James, security specialist at ESET, warned that the feature raises specific concerns for business users.
"In theory if the password is being sent it's capable of being compromised. The idea behind this is great for family and friends, but not so great for most business environments," he said.
"If you supply an internal WiFi network for your staff I would not recommend WiFi Sense is used. Access to your network should be authorised and monitored at all times."
Shane Buckley, chief executive at WiFi networking firm Xirrus, also warned that the feature is a serious security problem and a potential "deal-breaker" for IT departments.
"Enabling WiFi access to a user's contact book is a major security flaw. It's a deal-breaker for most IT leaders and will stall the rollout of Windows 10 in many environments. Microsoft needs this feature to be enabled only by departments for corporate customers and by individuals for home users," he said.
Gavin Millard, technical director at Tenable Network Security, was less critical of WiFi Sense but acknowledged some of the concerns.
"Although this is a very useful feature, saving you from diving behind a dusty bookcase or sofa and trying to input the complex WPA password, it could leave networks more open to abuse or users connecting to rogue hotspots set up to grab personal information or deliver malware," he said.
But security expert Brian Krebs is less optimistic about the usefulness of the feature, calling it "a disaster waiting to happen".
"[Microsoft] says your contacts will only be able to share your network access, and that WiFi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices," he said.
"But these words of assurance probably ring hollow for anyone who's been paying attention to security trends over the past few years.
"Given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it's doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next."
When contacted by V3, Microsoft said that WiFi Sense is a feature aimed at giving users "choices and benefits".
"What it doesn't do is reveal passwords, allow your friends to share your Wi-Fi with their friends, nor does it put your personal information at risk," it said.
Microsoft does shed some light on the WiFi Sense FAQ page, where it explains that the only way to make sure your WiFi network cannot be used by contacts is to rename the network itself.
"If you share password-protected WiFi networks with your Skype contacts, all your Skype contacts will have internet access over the networks you share. You can't pick and choose individual contacts.
"If you don't want WiFi Sense to be able to use your WiFi network, you can opt your network out of it by including _optout in the WiFi network name."