
Windows 10 “WiFi Sense” automatically leaks your wifi password to strangers - hayksaakian
Even if you personally disable it on your own computer, anyone else connecting to your network (example: non-technical friend) will leak your password to all of _their_ facebook friends.<p>The only way to opt out of this &quot;feature&quot; is to change the name of your SSID to include _optout at the end -- or force EVERY SINGLE PERSON connecting to your network to disable the feature on their PC before connecting.<p>There is no other way to opt out.<p>https:&#x2F;&#x2F;www.windowsphone.com&#x2F;en-gb&#x2F;how-to&#x2F;wp8&#x2F;connectivity&#x2F;use-wi-fi-sense-to-get-connected<p>https:&#x2F;&#x2F;www.windowsphone.com&#x2F;en-gb&#x2F;how-to&#x2F;wp8&#x2F;connectivity&#x2F;how-do-i-opt-my-network-out-of-wi-fi-sense<p>https:&#x2F;&#x2F;www.windowsphone.com&#x2F;en-gb&#x2F;how-to&#x2F;wp8&#x2F;connectivity&#x2F;wi-fi-sense-faq<p>http:&#x2F;&#x2F;www.howtogeek.com&#x2F;219700&#x2F;what-is-wi-fi-sense-and-why-does-it-want-your-facebook-account&#x2F;
======
finnyspade
There's a lot of FUD & frankly inaccurate information floating around here.

When connecting to a password protected router you are given an UNCHECKED BY
DEFAULT option to share the password with your friends. What this means is,
the user can deliberately share the password they know.

This is just as secure as any other system because once you give a user a
password they could share it if they chose. Nothing here is "automatic" no
data is being proliferated without user consent. If your employees leak your
password this way, then it's the same as leaking passwords otherwise.

Again this not an opt-in-by-default scenario. It requires a user knowing a
password to actively choose to share for each router independently.

~~~
tdicola
Even if people opt into it, why should this happen automatically? If one of my
friends told every single Facebook friend of theirs the password to my wifi I
would have a very strong conversation with them and probably never invite them
into my home or even consider them a friend anymore. Just because they _can_
share the password doesn't mean they _should_ share the password.

I don't see why this kind of automatic sharing should be a 'feature' or
frankly should exist at all. I would wager it helps almost no-one (given WP8's
miniscule adoption numbers) and just serves to stir up controversy like this
that makes MS look bad.

~~~
finnyspade
This solves the problem of asking people the wifi password whenever you go
over to their house. To a lot of people it's just a pain. When you tell your
friends your password, just tell them not to share it. Done!

I would wager it helps the windows phone users and doesn't hurt other people.
Also it's coming to windows 10 I believe.

~~~
tdicola
No, when you save the credentials of the wifi password locally that solves the
problem of having to ask your friend for the password every time you go to
their place. There's no need to broadcast the password to every friend to fix
that scenario. This is your friend sharing out your credentials to everyone
they know automatically--perhaps to people who you don't know or don't want to
have the password.

What happens when a jealous ex or stalker that's still a mutual friend
suddenly gets access to your wifi network? What about the security
implications of MS' servers storing the passwords, and do they disclose
whether those passwords can be subpoenaed by law enforcement? This seems like
a hornet's nest of nasty privacy and policy issues. It boggles my mind why
they think this would be worth doing.

~~~
finnyspade
It's not only your friends sharing when you don't want it. It's end users that
own the router that want to share it. If you put yourself into your
grandmother's shoes it may be less mindboggling. Security is all about
securing content to the extent to which it is valuable. Many people would
argue that their wifi password is not that valuable and therefore not
requiring the greatest amount of security. Some people will find this feature
convenient. It's for them and clearly not for you. You are no less insecure
than you were previously. If you trust the people you give your wifi password
to, then there's no issue.

------
unsignedint
Asking people to change their SSID so the system won't share something they
are not supposed to be sharing to begin with is very ridiculous. I really
don't understand why this is not opt-in to begin with. Microsoft should be
forcing people to put in _optin in their SSID to allow this feature to work if
they are so inclined to use an SSID to regulate access. At least it would be
semi-tolerable if there was a web form of some sort that I can simply put in
BSSID so it gets blacklisted systemwide, but I don't think that's even there.

~~~
RexRollman
Agreed. At my house, we have three laptops, a desktop, three tablets and two
smart phones. I don't want to have to change the wireless settings of nine
devices because of Microsoft.

If this features truly works as stated, it is an incredibly arrogant thing for
MS to do.

~~~
finnyspade
It doesn't work as stated. Users have to opt to share the password when they
connect to wifi router. This checkbox is empty by default meaning you don't
share the password by default.

~~~
unsignedint
It doesn't make it much different whether that checkpoint is off or not, I
basically see two problems with it:

1) Wi-fi access point owner is absent from that decision about sharing the
password or not, other than the SSID name (thus, I suggested that Microsoft
should have made this ins option basis. This way, at least that it would show
that the owner of the AP is WILLING to participate in that.)

2) People do very stupid things. They may not even see a single implication
before they "check" it. I've seen a lot of people enabled certain feature
"because it sounds useful" without seeing further implication. Especially when
they are not that tech-inclined, they may flip that switch "because everyone
else's doing it," "that's the way I do in my home," or "I didn't know that's
what it meant." I'd know if he/she is sharing my wi-fi password on Facebook by
that person writing on their timeline (which I'll pick up my phone and start
screaming at that person) but this seems to be much more discreet than that.

Again, it doesn't really matter if that checkbox is checked or not. It's a bit
of a different story if they had to drill down to several layers of menu
(which I wouldn't change my opinion that it is still a bad idea) -- but it
sounds like this option is presented right in their face everytime they are
connecting to new networks.

------
molecule
[https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/u...](https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/use-wi-fi-sense-to-get-connected)

 _>... WiFi Sense can do a lot of things for you to get you connected to the
Internet using WiFi, so you don't have to do them on your own. These
include:..._

 _> \- Accepting a WiFi network's terms of use on your behalf..._

That doesn't seem appropriate.

~~~
superuser2
On the contrary, dealing with captive portals is quite annoying, especially
since they just generate browser warnings with HTTPS. You have to go out of
your way to open a plain-HTTP website so that it can be intercepted properly,
just so you can click "I accept" again. Additionally, these things have short
memories - if you're at a coffee shop you frequent, you might be clicking
through the captive portal for the 150th time.

Apple deals with this somewhat by opening a Webkit view of apple.com
(unsecured) and displaying it the user if it's not in fact apple.com. But an
even further level of automation would be great.

Let's be honest, no one reads these things anyway. If you're one of the
handful of people in the world who would decide not to use a WiFi network
because you didn't like its TOS, then you're 1) probably not running Windows
anyway and 2) could turn this feature off.

~~~
themartorana
Yeah but, you're basically agreeing to assume risk. You still get a choice -
you choose to ignore the TOS and click through.

Time and again courts have upheld click-through TOS and EULAs. Ignorance is
rarely an excuse. So if something clicks through a captive portal for you, the
defense of "I didn't know..." isn't going to hold much water.

The only defense might be that Microsoft accepted the terms and they should
accept responsibility for any violations on their behalf. But good luck
getting them to voluntarily indemnify you.

~~~
mikeash
There's a pretty big difference between "it was too long and I didn't read it
so I just clicked Agree at the bottom" and "I had no idea the thing was even
there because Microsoft's software hid it from me."

If there was no reasonable way for you to even know the terms were there at
all, I don't think any court is going to consider them to be binding. That's
why these places show them to you when you try to use their network, instead
of just hiding them in the freezer.

~~~
SomeStupidPoint
Accessing a computer network that is secured by requiring authentication by
bypassing authentication via technical means might be a computer crime.

It's quite possible that using the Microsoft software to bypass a captive
portal without agreeing to the terms will land you in jail for a felony.

Is Microsoft going to indemnify you against being the trial case of that legal
theory?

~~~
smeyer
>It's quite possible that using the Microsoft software to bypass a captive
portal without agreeing to the terms will land you in jail for a felony.

How do you define "quite possible"? I'd estimate that this is exceedingly
unlikely to happen.

------
manigandham
How do features like these even get thought up, planned out, implemented then
released without anyone in such a massive company wondering if there might be
some issues? Or building it as opt-in or at the very least giving easy
settings to disable it.

Automation like this is dangerous, I'm not sure saving 10 seconds is worth
this kind of massive trust and security breach. When I give someone my wifi
password, I know they can just post it on Facebook but at least that's a
conscious decision. Same with accepting EULA, at least that was a choice, even
if I didn't read it. Doing either thing automatically though is just
ridiculous in terms of privacy, security and potential legality so how does a
giant company with lots of smart developers and lawyers decide this is a good
idea?

~~~
lawnchair_larry
From my experience at big companies, plenty of people do bring things up, but
the security minded people rarely have authority.

------
dd9990
"The only way to opt out of this "feature" is to change the name of your SSID
to include _optout at the end"

Google requires you to have "_nomap" at the end of SSIDs to "opt out" of
certain services...

~~~
zzleeper
So you are saying I can't opt out of both? Or will they take XYZ_nomap_optout
?

~~~
Nullabillity
The Microsoft page says it has to _contain_ _optout, not that it has to end
with it.

~~~
OJFord
Presumably for this reason; so XYZ_optout_nomap works. But this is just silly.

~~~
sebastianavina
Imagine SSIDs in a couple of years...

COMCAST56B4_nomap_output_security_reinforce_superhappy_wifienable_security_ALLOW-P^[A-Za-z0-9\\.]+$-_DISALLOW-P^[pet][0-9]$

------
Zekio
you have to select whether you want to share your WiFi with your contacts upon
first time connecting there is a Check box which is by default unchecked.

Edit1: Also, previous connections are by default not shared automatically
either, you have to go to manage known networks and select them and press
share before it gets shared.

Edit2: If people connect through your shared network, then it shouldn't allow
their friends to connect as well. (To my knowledge of this)

~~~
fdahgrthkn
That's true but kind of misses the point. I'm not worried about my machine
using this. Hell, I don't even use Windows. I'm worried about the zillions of
people who do use Windows and who will thoughtlessly enable this because it
seems convenient. They will wreck the security of other people who have done
nothing wrong.

~~~
Zekio
They will only wreck security, because you personally gave them the password,
instead of using this system from the start, change your password upon windows
10 release and you are golden? :)

Edit1: tho i can see the downsides of this, add you neighbor on Facebook and
get free access to their WiFi xD

Edit2: You can select whether, you want to share network with Outlook, Skype
and Facebook friends, so what i wrote in Edit1 could be invalid if you simply
uncheck Facebook.

~~~
fdahgrthkn
"using this system from the start"

I don't use Windows, so I cannot use this system at all.

"add you neighbor on Facebook and get free access to their WiFi"

That's missing the much bigger downside. Give your neighbor your Wi-Fi
password and they can share it with hundreds of their friends automatically.

Microsoft claims users will not be able to find the password and that users
will only be able to access the Internet, but that assumes there are no
security holes. I'm not comfortable putting my network security in the hands
of a company I did not choose to associate with.

~~~
Amezarak
> Give your neighbor your Wi-Fi password and they can share it with hundreds
> of their friends automatically.

Give your neighbor your Wi-Fi password, and they can trumpet it on the
streets, distribute on pamplets, post it on HN, and update their Facebook
status with it.

I am a little shocked at the HN reaction here. I've had a Windows Phone since
January and I've thought the feature was not only useful, but a great idea.
The only benefit for me has been the automatic TOS acceptance though since
nobody else I know has a Windows Phone.

If you're running a "secure" wireless network and don't want anyone else to
use it, well, don't give anybody you don't trust the password, and make sure
they're not running services like Wi-Fi Sense. Generally speaking, the common
man is going to want any of his friends he lets into his house onto his Wi-Fi
anyway.

~~~
opcvx
The problem is that it is _automatic_ , it spreads without confirming anything
and without any deliberate action.

~~~
benjin
The problem (with this post in HN) is that it _isn't_ actually automatic. Your
device being receptive to automatically-shared networks is default-on/opt-out.
Your device automatically _sharing_ a network is default-off/opt-in, as well
as (I think) being on a per-network basis.

~~~
Amezarak
This is correct. None of this is automatic. It's all opt-in.

I don't believe Wi-Fi Sense is on at all by default (I am pretty sure I had to
turn it on), and it explicitly shares _only Wi-Fi networks you select_ , not
all of them. You have to go in to your saved Wi-Fi networks and share each one
individually. You also have to individually check each list of contacts
(Outlook, Skype, Facebook, etc.)

It is absolutely not sharing all your networks automatically with all your
Facebook friends.

Here are screenshots (note I'm 99% sure I turned on Wi-Fi Sense):

[http://i.imgur.com/bzaK2aT.png](http://i.imgur.com/bzaK2aT.png)
[http://i.imgur.com/vnbDkdj.png](http://i.imgur.com/vnbDkdj.png)

I suppose it's ironic the FUD is directed against Microsoft now.

------
NBo7I
From [https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/w...](https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/wi-fi-sense-faq)

> Your contacts don't see your WiFi network password.

> When you share network access, your contacts get Internet access only.

How can they ensure these two?

~~~
MichaelGG
They _could_ require "secure enclave" hardware. But that'd need cooperation
with the NIC, too, eh?

Most likely they mean "we disable the show password option".

~~~
tzs
Based on what I read on one of their FAQs, it is not as good as a secure
enclave, but it is quite a bit better than simply not providing a show
password option.

The password is not stored on the devices of the people you share with. It's
stored on Microsoft servers. When the device someone you have shared with
notices that a network you've shared is available, it gets the key to connect,
then presumably forgets it.

I wonder if it is possible to do better? The idea would be that when setting
up the connection (so, setting up session keys and authenticating) the device
could pass these packet through to Microsoft's server. Microsoft's server
could then calculate the response packets and give them to the device to relay
to the access point. When the connection set up is all done, Microsoft's
server could pass the session key to the device, and subsequent packets would
be handled entirely on the device.

There are two (at least) things that could torpedo this kind of approach. (1)
the protocols might work in such a way that you cannot hand off the
setup/authentication, or they might require frequent enough re-keying that
spotty cell access could prevent keeping wifi working, and (2) the connection
setup and authentication might be handled in firmware that does not provide a
low enough level interface to do the fiddling needed.

~~~
nly
You could extract the handshake nonces and do this easily enough. It's fairly
pointless though because WPA2 uses a weak hash function, so your "contacts"
would still be able to intercept enough to attempt to bruteforce your
password.

Also this entire thing seems dumb. If you need to connect to Microsofts server
before you have wifi then you already have data.

~~~
yuhong
I think it is to deal with data caps. And brute force is always possible if
one has the 4-way handshake and the password is only useful if you are near
enough to actually connect to the network. AFAIK the PSK uses PBKDF2.

------
Aloha
If you set up your network using radius, this becomes a non-issue radius is
not horribly hard to set up either - its also not automatic, the user has to
choose to share the wifi password - which they could do anyhow, as you've
given it to them to connect.

[https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/w...](https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/wi-fi-sense-faq) \- Section: "I'm concerned about sharing
WiFi networks. Can you tell me a little more?"

~~~
zyxley
Radius?

~~~
keeperofdakeys
Radius is an authentication protocol that is quite widely used, including in
WPA-Enterpise. Here there is no fixed password, but a system that allows
multiple users with separate passwords.

By using WPA-Enterprise, this wifi sense feature will likely do nothing.

------
skorux
You share with your contacts, but not their contacts. The networks you share
aren't shared with your contacts' contacts. If your contacts want to share one
of your networks with their contacts, they'd need to know your actual password
and type it in to share the network.

[https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/w...](https://www.windowsphone.com/en-gb/how-
to/wp8/connectivity/wi-fi-sense-faq)

------
dagw
Just as I was starting to get excited about Microsoft actually seeming to
generally 'get it', they go and do something monstrously stupid like this.

~~~
benjin
Alternatively, you could actually go look up and understand how this works and
realize that 80% of this thread is misinformation.

------
angersock
So, isn't this basically a massive distributed attack on wireless security by
Microsoft/Facebook? Similar to what Google's done in the past?

And of course, all this data is open to .gov subpoena, yes?

EDIT:

Oh boy!

 _Some WiFi hotspots ask you to accept the terms of use in a web browser,
provide additional information or do both before you can connect. WiFi Sense
can do these things on your behalf to get you connected quickly._

Yeah, this isn't a fucking trap at all.

------
Animats
This is a lot like what got Google in trouble - mapping all WiFi access points
while collecting StreetView images. Microsoft is just doing it in a
distributed way.

Does all the collected WiFi data go to Microsoft HQ?

~~~
underwater
Google captured and stored traffic from unencrypted WiFi connections. It is
not really similar at all.

------
totalrobe
Looks like this Wifi sharing app that's huge in China:

[http://technode.com/2014/11/17/wifi-hotspot-sharing-
skeleton...](http://technode.com/2014/11/17/wifi-hotspot-sharing-skeleton-key-
falling-shanda/)

------
themartorana
Any decent way to always deny Microsoft devices on our network?

------
systemz
This is wrong and should be stopped. Microsoft is another corporation after
Google which gets and stores our WiFi passwords (android wifi networks
backup).

------
ppuIndd
Free Wi-Fi*

* just friend my business on Facebook

~~~
sehugg
A hotel already asked me to do this once (although they had to manually verify
that I friended)

------
themartorana
I've developed an app that lets you log on to your friends' Windows machines
without having to know the password! Don't worry, it's just Facebook friends.

Someone has to realize how dangerous this is. How would ANY corporation EVER
allow a single Windows 10 machine to connect to their wifi, let alone
contractors, or...

Do they not realize how paranoid network admins are to begin with? Windows XP
forever, I guess.

~~~
lexicality
> _Enterprise networks that use 802.1X can 't be shared._ If you connect to
> one of these enterprise networks at work or somewhere else, those network
> credentials won't be shared with any of your contacts.

------
tdicola
Where are these passwords stored and who has access to them? Can they be
subpoenaed by government and law enforcement?

------
jacalata
Note that this has been a public feature since windows phone 8 was released,
two and a half years ago.

~~~
dagw
It came with WP 8.1, so it's only be around for about year. The real
difference is that hardly anybody uses WP 8.1, whereas there is a very real
chance that Windows 10 will become a popular and widespread OS.

~~~
jacalata
oops, you're right on the release.

------
SomeStupidPoint
After thinking about it for a bit, couldn't a worm with fake Facebook accounts
that are friends-of-friends with a high percentage of the population use this
to spread virtually unimpeded?

I suspect that the API is such that all of the friends of the fake accounts
will relay to the fake accounts all of their respective friends passwords
(given they had connected to said friend's network at least once), and that
two steps should given sufficient coverage in dense urban areas to get worms
that give near total wifi coverage of the area.

Such a worm platform could of course be used to launch a wide range of
attacks, as it has a relatively high concentration and a solid coverage of the
area (for data relaying).

This screams badness at every level: it's relying on the notion of a Facebook
friendship to root security, despite that Facebook friendships have no such
semantic meaning in the context of Facebook.

You were doing so well Microsoft... but this... this is really, really bad, to
the point it might pose an infrastructure risk for cities.

~~~
yuhong
If they derive the PTK on the server from the stored PMK and sending that
instead, this attack would not allow decryption of transmitted packets (other
than group key broadcasts) because of the ANonce generated by the AP on each
connection used in the key derivation. And the PSK uses PBKDF2 to generate the
PMK, making mass cracking expensive.

~~~
SomeStupidPoint
For the usage I was thinking of, it doesn't need to decrypt mass packets, but
rather, join a massive number of networks.

My idea was simply a way to accelerate the spread of a worm through consumer
wifi gear by using the set of fake profiles to always be friends-of-friends
with the owner of the network (and thus friends with someone who has
connected, thus allowing you to connect).

The process would be something like this:

1\. Find a vulnerability in consumer wifi gear, such that insecure default
allow the default config to accept new code from only inside the LAN. (These
types of vulnerabilities with default passowords are common; however, remote
access is often disabled.)

2\. Upload code to one router.

3\. Infected routers look for neighbors who they can connect to the network
of, then upload the attack code once they're masquerading as a device on the
LAN.

4\. Repeat 3.

Normally, the reason that this attack doesn't really work is that there are
simply too few open or insecure LANs of the same hardware type for the attack
to have an effective spread rate, thus it's only a thin weak network and
breaks quickly in the face of customers fixing, upgrading, or simply turning
off their gear.

However, in allowing friends-of-friends to get access to a LAN, Microsoft has
removed this barrier to worms spreading across consumer networking gear for
anyone that can amass a stock set of profiles with decent geographical
coverage, making it a viable way to accelerate the spread of a worm through
networking gear.

Ed: Of course, once the routers themselves are infected, and you have good
geographical coverage, the infected routers can be used as a platform to
launch attacks. Again, the reason that we don't see this in practice is that
it's too hard to get access to all of those LANs because of even the weak
security that exists. Microsoft removed that, making the attack viable if
people can infiltrate the Facebook social graph.

~~~
yuhong
Didn't think of exploiting routers themselves before.

------
Sodel
Isn't this the definition of "unauthorized access", as far as the law is
concerned?

I'd be less uncomfortable if you had to deliberately choose which friends to
share a certain network with. "Share with this person", or something.

~~~
OJFord
You'd think - because presumably this could come about without you ever
signing up to 'WiFi Sense' or any such EULA, if you give one Win10 friend the
password, all his friends have it without you even realising WS exists?

~~~
benjin
>if you give one Win10 friend the password, all his friends have it

Only if he opts _in_ to sharing it.

------
giancarlostoro
So a pedophile with a laptop will just drive up to a neighborhood and login to
download all sorts of porn from your router just because you're running
Windows 10? I apologize for sounding so extreme, but I've heard of this
actually happening[1], but with an open wifi network.

Edit:

[1] : [http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-
chil...](http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-child-
pornography-innocent_n_852996.html)

~~~
userbinator
On the other hand...

[https://www.schneier.com/blog/archives/2008/01/my_open_wirel...](https://www.schneier.com/blog/archives/2008/01/my_open_wireles.html)

(This was 3 years before that. In some ways, it's a bit sad that we've closed
ourselves off in order to avoid what might actually bit pretty small risks...)

------
rmrfrmrf
How convenient!

