Tuesday, July 28, 2015

Windows 10 and Wi-Fi Sense: Here be Dragons

I’ve read about.

I “get” it from the “helpfulness” and convenience side of things.

I absolutely don’t get it from a security standpoint.

So basically in Windows 10 it’s a feature that allows you to share your Wi-Fi network settings (and credentials) with other contacts via Facebook, or Outlook.com, or Skype. It seems to be a feature for Windows Phone 8.1/10 and Windows 10 in general.

My bae knows I’m coming over to crash at their pad, knows I love to do the Wi-Fi thing, sends me their Wi-Fi creds via Wi-Fi Sense and I’m golden for the hookup when I drop in. No awkward asking for Wi-Fi creds or trying to type in that 64-character strong password!

Thanks Microsoft.

You can optionally set it to automatically share your network settings/creds with your contacts, not just on a per-contact basis. Helpful isn’t it.

It seems that once they have the contact, they cannot then share the settings/creds with their friends/contacts as well, unless they already know the actual (clean-text) password and share it with others. Nor can you use Wi-Fi sense with enterprise networks using 802.1x. It also does not grant them access to other computers or devices on the shared network.

A workaround is to rename your network SSID to end with “_optout”.  Which kind of begs the question; if you are already OK with sharing this security why would you want to then go and “_optout”.

According to my understanding, while they can access your shared network, they don’t get to see your shared password. Small consolation because any malware or infection they have on their systems comes along for the ride and is granted permission to be on your network and in your “home”.

And that’s the core of the concern. While many non-technical users will be happy with the convenience of easily sharing network access to their family and friends, the deeper threat is what could happen once that “guest” system is connected on the network; exploit scans? pen-testing? downloading of questionable files?

To me it falls under that “it’s just network access to the Internet what’s the harm?” false security mentality that is so ubiquitous nowadays that drives security sysadmins to the point of madness. Just like the “why is it a problem that I borrowed my Ethernet cable at work to plug in my personal XP laptop during my lunch hour?…it’s not like I’m using my locked-down enterprise work system.”

Really? Just can’t see the problem there can you? Hmm.

Yes all those points are still risks under the “old-school” model of Wi-Fi access sharing; here’s my SSID, here’s the password, need some help? But at least there is a pause or opportunity to consider the device/user/access being granted--maybe go over some house rules and review/vet the system if you are a security geek.

Nor do I see a way to later selectively (retroactively) block or disable access granted to a contact…short of renaming your SSID and/or changing the access authentication password. Though I suppose if your Wi-Fi router supports it (and you know the former-bae’s MAC address) you might be able to block them via access point filtering.

Regardless, the current GSD recommendation is to run away from this “helpful” feature as fast as you can.

Now that I’m thinking about it, it’s probably time to consider setting up a “guest” Wi-Fi network with a different SSID that is isolated from the main “trusted” Wi-Fi network.

…or pick up a Wi-FI router that supports an isolated “guest” SSID zone as mine does.

More readings:

hat tip to TinyApps blog


Claus Valca

No comments: