Microsoft has dropped a major security clanger with a new feature in Windows 10 that has been pinpointed as a glaring security hole – less than one month before the new operating system is due to launch, reports computing.co.uk.
Wi-Fi Sense, which actually debuted in Windows Phone, enables a user to share access to Wi-Fi networks that require a password for access with all their contacts – in Skype, Outlook.com (formerly Hotmail) and even Facebook. That means that when their contacts pass a Wi-Fi network that they have a password for, it will enable them to access the network without having to ask for the password.
While it doesn’t directly reveal the password to everyone the user has ever sent an email to, it does mean that the password is taken and stored, not just on the original user’s device, but also by Microsoft and, by extension, any of the user’s contacts.
That, at least, is what the Wi-Fi Sense FAQ states: “For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts’ phone if they use Wi-Fi Sense and they’re in range of the Wi-Fi network you shared.”
It also provides Microsoft with an unprecedented means to map users, their connections and also where they go – and, potentially, to sell that data to third parties, data protection laws notwithstanding.
The only way a Windows 10 user can prevent their own Wi-Fi network from working with Wi-Fi Sense, and potentially letting Microsoft take the password and share it with everyone in the world, is to add the suffix “_optout” to the Wi-Fi network’s name. Furthermore, they must also add “_nomap” if they don’t want to be mapped by Microsoft as well.
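The renaming described above, as an added example (not code from the article or from Microsoft): a Python helper that audits network names for the two markers and proposes a name that still fits the 32-byte SSID limit. The marker placement (“_optout” accepted anywhere in the name, “_nomap” last), the function names and the sample SSIDs are assumptions constructed for illustration.

```python
MAX_SSID_BYTES = 32                    # an 802.11 SSID is at most 32 octets
OPTOUT, NOMAP = "_optout", "_nomap"    # markers named in the article


def has_markers(ssid):
    """Return (opted_out, unmapped) for one SSID.

    Assumption: '_optout' counts anywhere in the name, '_nomap' only at the end.
    """
    return OPTOUT in ssid, ssid.endswith(NOMAP)


def _truncate_utf8(text, limit):
    """Cut text to at most `limit` bytes without splitting a UTF-8 character."""
    return text.encode("utf-8")[:limit].decode("utf-8", errors="ignore")


def suggest_ssid(ssid, want_nomap=True):
    """Propose an SSID carrying the markers and still fitting in 32 bytes."""
    opted_out, unmapped = has_markers(ssid)
    if opted_out and (unmapped or not want_nomap):
        return ssid                    # already carries what was asked for
    # Rebuild from the bare name so markers are not duplicated or misplaced.
    base = ssid.replace(OPTOUT, "").replace(NOMAP, "")
    tail = OPTOUT + (NOMAP if (want_nomap or unmapped) else "")
    room = MAX_SSID_BYTES - len(tail.encode("utf-8"))
    return _truncate_utf8(base, room) + tail


def audit(ssids, want_nomap=True):
    """Map each SSID that needs renaming to its suggested replacement."""
    return {s: suggest_ssid(s, want_nomap) for s in ssids
            if suggest_ssid(s, want_nomap) != s}


if __name__ == "__main__":
    # Constructed sample SSIDs, not taken from any real site survey.
    sample = ["HomeNet", "Office_optout_nomap", "Guest_nomap", "A" * 30]
    for old, new in audit(sample).items():
        print(f"{old!r} -> {new!r} ({len(new.encode('utf-8'))} bytes)")
```

Long names lose characters from the base so that the markers survive intact, so check the shortened name against other SSIDs on site before rolling it out.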
For many organisations, though, particularly organisations that have valuable intellectual property or sensitive information to keep safe, this automatic sharing of Wi-Fi passwords represents another security risk – especially among less IT-literate staff, who may not even be aware of the full implications of the feature.
Microsoft introduced the feature in Windows Phone 8.1, but barely anyone noticed the security risk because of its low market share. However, with bring your own device (BYOD) and Windows 10, the spotlight has suddenly swung onto Wi-Fi Sense.