Skip to content ↓ | Skip to navigation ↓

The FUD Wagon is rolling strong today after multiple online media outlets have picked up the story that Wi-Fi Sense, available on Windows Phone 8.1 and the soon to be released Windows 10, is Microsoft’s latest security blunder.

The best advice that I can offer when you see these articles is to close them… close them, and forget that you’ve ever seen them. I don’t want you to just take my word for it though, so let’s dive into Wi-Fi Sense and the current FUD surrounding it.

Wi-Fi Sense Overview

Wi-Fi Sense is comprised of two major features but there are a few additional points worth making.

Feature 1: Connect to Wi-Fi Hotspots (Enabled by Default)

This feature allows your Windows device to connect to known open hotspots. This is a security issue as open Wi-Fi is about as insecure as it gets. However, most people use hotspots every day and don’t even think about it. They connect at McDonald’s and Starbucks, at the restaurant where they eat dinner, the bar where they’re having drinks, and the airport and hotel when they travel.

The reality here is that Microsoft is taking an insecure action that most people already perform (connecting to an open Wi-Fi Hotspot) and making it easier by automating it. Since everyone already does this, I’m having a hard time calling it a security issue but Microsoft should have disabled this by default and allowed users to opt-in if they wanted to automate the process.

Feature 2: Exchange Wi-Fi network Access with My Contacts (Enabled by Default)

This is where most of the ongoing discussion has been centered – the insecurity that supposedly exists when this option is enabled.

FUD Counter #1:

Enabling this feature does nothing. The sharing occurs when users enable additional settings that are disabled by default.

If you’ve upgraded to Windows 10, none of your existing Wi-Fi connections are shared by default – you must enable sharing on a per-connection basis by going to Settings > Wi-Fi > Manage Wi-Fi Settings, and selecting the individual connection. Similarly, new Wi-Fi configurations aren’t shared by default. When you setup a connection and enter your password, you must opt-in to connection sharing.

FUD Counter #2:

Since you opt-in at the time of password entry, it’s not possible for friends accessing your network via Wi-Fi Sense to share your password with their friends. If you give your friend the password and they enter it, then yes, they could opt-in and share your password. They would have to purposely (perhaps “maliciously”) opt-in and if that were the case, they could also just share your password via word of mouth or even a Facebook status update. Either way, the act of sharing your password would be a conscious decision regardless of how it’s done.

This feature includes the following share options:

  • Outlook.com contacts (enabled by default)
  • Skype contacts (enabled by default)
  • Facebook friends (enabled by default)

FUD Counter #3:

There’s talk of the fact that you’re sharing your Facebook friends with Microsoft. Many people already do that with Skype/Facebook integration or the People app. The reality is that Facebook data is shared with many companies less trustworthy than Microsoft. This isn’t a “security concern”; it’s barely a privacy concern.

Additionally, security conscious or privacy minded people, can reconfigure their access point SSID and add the string ‘_optout’ to the end of the SSID, disabling Wi-Fi Sense from storing and sharing information related to the AP.

In the end, this isn’t a major security blunder or a cause for the ringing of the alarms. This is a useful feature that many people will enjoy and use. I do foresee technical issues but those don’t impact security.

For instance, this feature makes sense on a Windows phone; it can grab the data via the cellular network and then connect to Wi-Fi. For that reason, it makes sense to include this in Windows 10. The limited adoption of the Windows phone means that it won’t see widespread use and the lack of a network connection means that laptops and tablets won’t be able to pull down the Wi-Fi sense information to use the connection when they first visit your home. For this reason, I don’t see a lot of added convenience initially but there may be aspects of the service that I’m not considering.

To those that are ringing the warning bell about this feature: Please stop the fear mongering.

To the media that ran the articles: Please don’t give these fear mongers their 15-minutes of fame.

Articles, like the ones circulating regarding this feature, only further the gap of trust between the security community and consumers. We need to come together and help consumers recognize legitimate security concerns. Every time FUD is spread, malicious actors get their wish. Disinformation is a popular tactic during war and FUD is the worst type of disinformation… because it has a legitimate source, making it that much more believable.

Hacking Point of Sale
  • tourofrooms

    I can agree there are people making a big loud noise as a cry for attention RE wifi-sense. But to say this feature is good to have in Windows is no better. The personal router is something we configure within our own homes for our own personal use. Many people have paid technicians to configure them properly for the best performance and utmost security. And you think having options like wifi-sense in Windows, even if the default is NOT sharing the router, a good thing?

    Ever heard of the scam where the poor unsuspecting user who may get random phone calls from alleged microsoft employees claiming to be investigating a virus from their IP address? They tell them to go into windows and dowmload a program, and it is actually a remote access program giving that scam artist access to a user's computer. They instruct the user to follow a few steps which inevitably leads to all of their personal info being hacked. If any banking passwords were stored, it's over. If it is as easy as enabling a setting under wifi-sense and being on someone's friend list from 1 of the sites mentioned, I'd be on my guard too

    Many of us are quite capable of granting permissions to others on a case by case basis. In the event we want to make a separate network for guests or other family members who visit us, there are alot of very manageable options within today's routers to do that. But I do not find wifi-sense a necessary idea. It's just aother way to potentially weaken the barriers put in place by the router. The knowledgeable end user or the paid technician do not need Microsoft making automated ways for the multitude of potential threats to find other ways to break the barriers.

    Maybe those settings in wifi-sense must be enabled ot be a risk, and by default, we might be fine. But if you read messages on other sites, the chief complaint is that people who are not very skilled with configuring computers are always tempering with settings and the likelihood that someone will end up opening up the door for trouble is very high. How could anyone not see this? This whole idea is the worst thing Microsoft could have done. We do not need tem interfering with the most important piece of hardware within our home that is the backbone to our security. If anyone disagrees, then they are not concerned with MY security. Or perhaps you think it's ok to play the game of "odd are in our favor" because it will not LIKELY be a security problem. No thanks. I'd rather play the game where my security is being controlled by one central configuration utility, likely the one that came with my router, and NOT having any secondary options for partial control. All I need is to come home and find out my laborious grandson, who is so intutive and curious, experimenting with some settings and found a way to tinker with wifisense. Sorry, but NO THANKS

    WIFIsense is just a wide open doorway for danger to walk through & it is a guarantee that some will not know how to manage their computer in the event they accidentally enabled sharing of their router. WiFi-sense is one more way to promote the weakening of those defenses many have learned how to trust and depend on. It's not like we have a paid technician come analyze our network every day to let us know someone tampered with a setting which opened the door for all these people to use their router. So now we have to have a knowledgeable network adminstrator in every home to ensure nobody tampers with the Windows options. Even if anyone purposely wants to allow their contacts to access their router, let me just say this:

    You cannot trust most of the people you have on your friends lists online anyway. It's a known fact people are in contact with others online whom they have never even met and without even knowing if these people are trustworthy, people accept their friend invites. And now, Micorsoft has just made away for those gullable young girls to let that stalker access her network router and who knows what else is on his agenda……. Think about THAT for a while.

    I almost agree with this write up but only about the 15 minutes of fame agenda. But anyone who supports wifi-sense as some great way to bring all of the trustworthy people from your online world together under some notion that we can somehow trust them with access to our network like this is pretty stupid

  • gt56yhnb

    Wow. You just don't get it. Microsoft have introduced a new feature that requires those who don't want to share their wifi to reconfigure their router and reconnect every device. I haven't asked for this feature, I don't want it, and now I have to take preventative measures to maintain the status quo.

    Do you think it acceptable that I have to make changes to maintain my security just so you don't have the hassle of having to type a few characters into your device? Let's face it, unless you are a total numpty, it's far easier for you to type in a few characters than it is for me to reconfigure my router and reconnect all my devices.

    If wifi sense is such a great feature, I take it you will join me in calling for Microsoft to change the emphasis so those who want wifi sense (and want any visitor to share their connection with their friends) have to actively support it by adding "_optin" to their router's name (and reconfigure their local network).