By FDI Creative Services on 05/18/2016
Category: Krebs on Security

Microsoft Disables Wi-Fi Sense on Windows 10

Microsoft has disabled its controversial Wi-Fi Sense feature, a component embedded in Windows 10 devices that shares access to WiFi networks to which you connect with any contacts you may have listed in Outlook and Skype and, with an opt-in, your Facebook friends.

Redmond made the announcement almost as a footnote in its Windows 10 Experience blog, but the feature caused quite a stir when the company’s flagship operating system first debuted last summer.

Microsoft didn’t mention the privacy and security concerns raised by Wi-Fi Sense, saying only that the feature was being removed because it was expensive to maintain and that few Windows 10 users were taking advantage of it.

“We have removed the Wi-Fi Sense feature that allows you to share Wi-Fi networks with your contacts and to be automatically connected to networks shared by your contacts,” wrote Gabe Aul, corporate vice president of Microsoft’s engineering systems team. “The cost of updating the code to keep this feature working combined with low usage and low demand made this not worth further investment. Wi-Fi Sense, if enabled, will continue to get you connected to open Wi-Fi hotspots that it knows about through crowdsourcing.”

Wi-Fi Sense doesn’t share your WiFi network password per se — it shares an encrypted version of that password. But it does allow anyone in your Skype or Outlook or Hotmail contacts lists to waltz onto your Wi-Fi network — should they ever wander within range of it or visit your home (or hop onto it secretly from hundreds of yards away with a good ol’ cantenna!).

When the feature first launched, Microsoft sought to reassure would-be Windows 10 users that their Wi-Fi password would be sent encrypted and stored encrypted — on a Microsoft server. The company also pointed out that Windows 10 users had to initially agree to share their network during the Windows 10 installation process before the feature would be turned on.

But these assurances rang hollow for many Windows users already suspicious about a feature that could share access to a user’s wireless network even after that user changed their Wi-Fi network password.

“Annoyingly, because they didn’t have your actual password, just authorization to ask the Wi-Fi Sense service to supply it on their behalf, changing your password down the line wouldn’t keep them out – Wi-Fi Sense would learn the new password directly from you and supply it for them in future,” John Zorabedian wrote for security firm Sophos.

Microsoft’s solution for those concerned required users to change the name (a.k.a. “SSID”) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”).

I commend Microsoft for taking this step, albeit belatedly. Much security is undone by ill-advised features in software and hardware that are unnecessarily enabled by default.



This entry was posted on Wednesday, May 18th, 2016 at 9:32 am and is filed under A Little Sunshine.
