Hacker News new | comments | show | ask | jobs | submit login
Windows 10 “WiFi Sense” automatically leaks your wifi password to strangers
204 points by hayksaakian on June 20, 2015 | hide | past | web | favorite | 103 comments
Even if you personally disable it on your own computer, anyone else connecting to your network (example: non-technical friend) will leak your password to all of _their_ facebook friends.

The only way to opt out of this "feature" is to change the name of your SSID to include _optout at the end -- or force EVERY SINGLE PERSON connecting to your network to disable the feature on their PC before connecting.

There is no other way to opt out.

https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/use-wi-fi-sense-to-get-connected

https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/how-do-i-opt-my-network-out-of-wi-fi-sense

https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/wi-fi-sense-faq

http://www.howtogeek.com/219700/what-is-wi-fi-sense-and-why-does-it-want-your-facebook-account/




There's a lot of FUD & frankly inaccurate information floating around here.

When connecting to a password protected router you are given an UNCHECKED BY DEFAULT option to share the password with your friends. What this means is, the user can deliberately share the password they know.

This is just as secure as any other system because once you give a user a password they could share it if they chose. Nothing here is "automatic" no data is being proliferated without user consent. If your employees leak your password this way, then it's the same as leaking passwords otherwise.

Again this not an opt-in-by-default scenario. It requires a user knowing a password to actively choose to share for each router independently.


Even if people opt into it, why should this happen automatically? If one of my friends told every single Facebook friend of theirs the password to my wifi I would have a very strong conversation with them and probably never invite them into my home or even consider them a friend anymore. Just because they _can_ share the password doesn't mean they _should_ share the password.

I don't see why this kind of automatic sharing should be a 'feature' or frankly should exist at all. I would wager it helps almost no-one (given WP8's miniscule adoption numbers) and just serves to stir up controversy like this that makes MS look bad.


This solves the problem of asking people the wifi password whenever you go over to their house. To a lot of people it's just a pain. When you tell your friends your password, just tell them not to share it. Done!

I would wager it helps the windows phone users and doesn't hurt other people. Also it's coming to windows 10 I believe.


No, when you save the credentials of the wifi password locally that solves the problem of having to ask your friend for the password every time you go to their place. There's no need to broadcast the password to every friend to fix that scenario. This is your friend sharing out your credentials to everyone they know automatically--perhaps to people who you don't know or don't want to have the password.

What happens when a jealous ex or stalker that's still a mutual friend suddenly gets access to your wifi network? What about the security implications of MS' servers storing the passwords, and do they disclose whether those passwords can be subpoenaed by law enforcement? This seems like a hornet's nest of nasty privacy and policy issues. It boggles my mind why they think this would be worth doing.


It's not only your friends sharing when you don't want it. It's end users that own the router that want to share it. If you put yourself into your grandmother's shoes it may be less mindboggling. Security is all about securing content to the extent to which it is valuable. Many people would argue that their wifi password is not that valuable and therefore not requiring the greatest amount of security. Some people will find this feature convenient. It's for them and clearly not for you. You are no less insecure than you were previously. If you trust the people you give your wifi password to, then there's no issue.


>solves the problem of asking people the wifi password whenever you go over to their house

Why is this such a difficult task that it even needs to be solved?


It is NOT a pain to tell people the password, just good security hygiene which everybody needs to learn and to do conscientiously. It is no different from using toilet paper after number 2, then flushing and then washing your hands. Want to live in a modern society? Then do your duty.

And if someone thinks it is a pain to always be asking, then they are free to use cellular connectivity or maybe even, sit and talk without damned devices in their hands.


> This solves the problem of asking people the wifi password whenever you go over to their house.

A little bit off-topic, but:

What would be nice is if NFC tags with the WiFi datatype/field would actually work out of the box.

I bought a bunch of NFC stickers online they're pretty cool (and real cheap, 25-50 cents a piece depending on how many you get). You can easily write data into them with an app called "NFC Tagwriter" (by a company called NXP)[0].

You can put roughly the same fields into an NFC tag as you can put into QR-codes: plain text, URL, email address, contact info, etc. But the cool thing is that I haven't seen any phone that came with a QR-scanner app pre-installed (which is I think one of a couple of big reasons why QR-codes aren't really taking off). However, it turns out that any phone with NFC capability can read NFC-tags without any additional software, you just need to enable it in the settings (like Bluetooth or WiFi, except that NFC hardly uses any battery at all because it's so close range).

A curious thing about using NFC is that when enabled, in many cases it does its "thing" without any prompt or confirmation. Plain text immediately pops up a message (that you can't copypaste, share or save, only dismiss). An URL immediately opens your default browser and goes there!! Only prompt you may get (on some phones) is to ask which browser to use (but it often seems to just pick Firefox, for some reason).

So far, best uses I came up with are silly pranks (but that may just be me).

Except the WiFi-network datatype. That one seemed really quite useful (as well as hilarious, like sticking the tag into a bible or such, "to get my WiFi password, put your phone on the bible and swear to not abuse my network").

... if it weren't for the fact that, out of all types of field that just seem to work reasonably well, the WiFi datatype just pops up a message with a MIMEtype-like string, no password, nothing. I tried a whole bunch of my friends' phones (mainly Android, though), and only a single Sony phone seemed to get it, while a very similar but slightly newer Sony phone did not.

On my own phone I can use the NFC Tagwriter app and configure the NFC settings to do the right thing with the WiFi datatype tags, but that puts you in the same place as QR-codes, having to get an app, and even change the settings. It would have been so cool if the WiFi datatype would work as frictionless as NFC tags with plaintext or URL fields on them.

Ah well, maybe next year's technology :)

[0] Sidenote/tip: my Samsung S4 phone is rooted, running Cyanogenmod. A few months ago the NFC Writer app autoupdated and told me it couldn't run on a rooted phone (not the app's fault, but the NFC library it uses). This was easily remedied with the Xposed framework and the "Rootcloak" module. After all I am root, which means I can also tell the app that I am not.


I have some friends in California who use the combination of their kids' names for wifi password. It would seem to be an easy one to remember. But in reality it's only the idea that stays remembered because it's not just names but Russian nicknames formed with suffixes and transliterated into English using inconsistent rules.

California is an awesome place! I'm always happy to visit my friends over there. Manage to do it once or twice every year. So far, wifi password never stayed saved in my phone for one reason or other. Failing to enter it correctly several times and asking for help has been a consistently awkward experience.

So I perfectly understand why this would be a nice feature. The drawbacks? Someone using your access point for something shady? How would they do that, parking on someone else's driveway in a residential district? That's too suspicious and would probably attract more unwanted attention than doing that from your own access point at home.


Few major issues I see:

- Sharing is binary, it's all of the contacts or none. This is not what people really expect when thinking about a feature like this.

- The password really only has to be typed once. I don't have thousands of people coming over and even if I did, they put in the password the first time and it's saved locally. The benefit in skipping those few seconds in exchange for sharing with everyone else doesn't make sense.

- The FAQ also states that any public wifi spots that have been shared will be automatically connected to, including accepting the terms and even sharing some personal info like name, email, etc.

- The way it's worded is dangerous, mainstream users who don't know how this works will just go ahead and click this thinking its so much more convenient (and it is) but it doesnt properly reveal what's happening.


it also doesn't give the standard home user the ability to deny people the ability to share. This is a huge failure on Microsoft's part. Simply connecting to a wifi network should never give you the option to propogate that connection to unlimited number of other users automatically via digital methods unless you are also a network administrator. This is something that only the person with the router password should even be prompted to be able to do if they so choose. It's a violation of security to ask anyone that's connecting if they want to share the connection settings with all of their friends. Like you might as well just mark your network as public at this point if you're allowing anyone to connect with a windows 10 phone.


Actually it IS an opt-in by default because the option is given to the user connecting except when Network Admin has forced their SSID to _optout. So now I have to force a stupid SSID change on my network, something that I don't want to do, just to prevent users of my network from being able to auto-share the connection with everyone they know.


Asking people to change their SSID so the system won't share something they are not supposed to be sharing to begin with is very ridiculous. I really don't understand why this is not opt-in to begin with. Microsoft should be forcing people to put in _optin in their SSID to allow this feature to work if they are so inclined to use an SSID to regulate access. At least it would be semi-tolerable if there was a web form of some sort that I can simply put in BSSID so it gets blacklisted systemwide, but I don't think that's even there.


Agreed. At my house, we have three laptops, a desktop, three tablets and two smart phones. I don't want to have to change the wireless settings of nine devices because of Microsoft.

If this features truly works as stated, it is an incredibly arrogant thing for MS to do.


It doesn't work as stated. Users have to opt to share the password when they connect to wifi router. This checkbox is empty by default meaning you don't share the password by default.


It doesn't make it much different whether that checkpoint is off or not, I basically see two problems with it:

1) Wi-fi access point owner is absent from that decision about sharing the password or not, other than the SSID name (thus, I suggested that Microsoft should have made this ins option basis. This way, at least that it would show that the owner of the AP is WILLING to participate in that.)

2) People do very stupid things. They may not even see a single implication before they "check" it. I've seen a lot of people enabled certain feature "because it sounds useful" without seeing further implication. Especially when they are not that tech-inclined, they may flip that switch "because everyone else's doing it," "that's the way I do in my home," or "I didn't know that's what it meant." I'd know if he/she is sharing my wi-fi password on Facebook by that person writing on their timeline (which I'll pick up my phone and start screaming at that person) but this seems to be much more discreet than that.

Again, it doesn't really matter if that checkbox is checked or not. It's a bit of a different story if they had to drill down to several layers of menu (which I wouldn't change my opinion that it is still a bad idea) -- but it sounds like this option is presented right in their face everytime they are connecting to new networks.


https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/u...

>... WiFi Sense can do a lot of things for you to get you connected to the Internet using WiFi, so you don't have to do them on your own. These include:...

> - Accepting a WiFi network's terms of use on your behalf...

That doesn't seem appropriate.


On the contrary, dealing with captive portals is quite annoying, especially since they just generate browser warnings with HTTPS. You have to go out of your way to open a plain-HTTP website so that it can be intercepted properly, just so you can click "I accept" again. Additionally, these things have short memories - if you're at a coffee shop you frequent, you might be clicking through the captive portal for the 150th time.

Apple deals with this somewhat by opening a Webkit view of apple.com (unsecured) and displaying it the user if it's not in fact apple.com. But an even further level of automation would be great.

Let's be honest, no one reads these things anyway. If you're one of the handful of people in the world who would decide not to use a WiFi network because you didn't like its TOS, then you're 1) probably not running Windows anyway and 2) could turn this feature off.


Yeah but, you're basically agreeing to assume risk. You still get a choice - you choose to ignore the TOS and click through.

Time and again courts have upheld click-through TOS and EULAs. Ignorance is rarely an excuse. So if something clicks through a captive portal for you, the defense of "I didn't know..." isn't going to hold much water.

The only defense might be that Microsoft accepted the terms and they should accept responsibility for any violations on their behalf. But good luck getting them to voluntarily indemnify you.


There's a pretty big difference between "it was too long and I didn't read it so I just clicked Agree at the bottom" and "I had no idea the thing was even there because Microsoft's software hid it from me."

If there was no reasonable way for you to even know the terms were there at all, I don't think any court is going to consider them to be binding. That's why these places show them to you when you try to use their network, instead of just hiding them in the freezer.


Accessing a computer network that is secured by requiring authentication by bypassing authentication via technical means might be a computer crime.

It's quite possible that using the Microsoft software to bypass a captive portal without agreeing to the terms will land you in jail for a felony.

Is Microsoft going to indemnify you against being the trial case of that legal theory?


>It's quite possible that using the Microsoft software to bypass a captive portal without agreeing to the terms will land you in jail for a felony.

How do you define "quite possible"? I'd estimate that this is exceedingly unlikely to happen.


> Time and again courts have upheld click-through TOS and EULAs

In the US perhaps. Most other places have consumer protection laws that require a much higher standard for contracts to be legally binding.


There is a long standing technical solution, though it's not widely implemented, WPA-enterprise. With WPA-enterprise I have my own personal key and I am automatically logged in. In the UK, "The Cloud" service offers this, which is many coffee shops and similar public places.


There is overhead. WPA2 Enterprise does not have a signup mechanism; you'd neee to run that on a separate SSID. Now you have to get people to join the appropriate SSID for what they want. Also unless you have a corporate managed device with the company CA installed, you have to click through scary certificate warnings.


That's the only part that seems kind of cool. It's legally a bit strange, but terms of use on public Wi-Fi can be really annoying, especially when they don't work well. I've had networks refuse to let me on because their terms of use thing is broken.

It isn't as though anyone actually reads the terms of use anyway.


I agree with you on this, I've had same problem when trying to connect to a Hotel Wi-Fi and my browser didn't render their properly because i didn't have Windows XP with IE 7...

Probably the best feature of Wi-Fi Sense.


Only if you've already accepted the terms of use initially, this is fine.

I'd love this feature - connecting to all the open wifi connections around downtown and then letting my phone/laptop log me in through their terms of use acceptance pages (looking at you Tim Horton's) seamlessly.


How do features like these even get thought up, planned out, implemented then released without anyone in such a massive company wondering if there might be some issues? Or building it as opt-in or at the very least giving easy settings to disable it.

Automation like this is dangerous, I'm not sure saving 10 seconds is worth this kind of massive trust and security breach. When I give someone my wifi password, I know they can just post it on Facebook but at least that's a conscious decision. Same with accepting EULA, at least that was a choice, even if I didn't read it. Doing either thing automatically though is just ridiculous in terms of privacy, security and potential legality so how does a giant company with lots of smart developers and lawyers decide this is a good idea?


From my experience at big companies, plenty of people do bring things up, but the security minded people rarely have authority.


"The only way to opt out of this "feature" is to change the name of your SSID to include _optout at the end"

Google requires you to have "_nomap" at the end of SSIDs to "opt out" of certain services...


So you are saying I can't opt out of both? Or will they take XYZ_nomap_optout ?


The Microsoft page says it has to contain _optout, not that it has to end with it.


Presumably for this reason; so XYZ_optout_nomap works. But this is just silly.


Imagine SSIDs in a couple of years...

COMCAST56B4_nomap_output_security_reinforce_superhappy_wifienable_security_ALLOW-P^[A-Za-z0-9\.]+$-_DISALLOW-P^[pet][0-9]$


Probably the former.


So it's becoming the robots.txt of routers?


Why do they do this instead of just ignoring networks with hidden SSIDs?


I believe they also ignore hidden SSIDs, but those come with other problems, so they added a way to opt-out without hiding it.


are you saying that SSIDs should have infinite lengths?


sorry if you don't have a sense of humor as this was clearly not a serious question


you have to select whether you want to share your WiFi with your contacts upon first time connecting there is a Check box which is by default unchecked.

Edit1: Also, previous connections are by default not shared automatically either, you have to go to manage known networks and select them and press share before it gets shared.

Edit2: If people connect through your shared network, then it shouldn't allow their friends to connect as well. (To my knowledge of this)


That's true but kind of misses the point. I'm not worried about my machine using this. Hell, I don't even use Windows. I'm worried about the zillions of people who do use Windows and who will thoughtlessly enable this because it seems convenient. They will wreck the security of other people who have done nothing wrong.


This is why the "guest login" feature on most Wi-Fi routers exists, to prevent untrusted persons (and by untrusted I mean anyone other than yourself and possibly-but-not-always your immediate family) from having access to your entire LAN when all they need is Internet access. Of course it works best when your guest login feature supports time-limited random passwords. Set up properly, guest accounts can make this Wi-Fi Sense bug a non-issue for your own network.

That said, I think Microsoft made a serious blunder here; it's inherently flawed and I can't immediately think of a way for them to fix it without getting rid of its entire raison d'être.


They will only wreck security, because you personally gave them the password, instead of using this system from the start, change your password upon windows 10 release and you are golden? :)

Edit1: tho i can see the downsides of this, add you neighbor on Facebook and get free access to their WiFi xD

Edit2: You can select whether, you want to share network with Outlook, Skype and Facebook friends, so what i wrote in Edit1 could be invalid if you simply uncheck Facebook.


"using this system from the start"

I don't use Windows, so I cannot use this system at all.

"add you neighbor on Facebook and get free access to their WiFi"

That's missing the much bigger downside. Give your neighbor your Wi-Fi password and they can share it with hundreds of their friends automatically.

Microsoft claims users will not be able to find the password and that users will only be able to access the Internet, but that assumes there are no security holes. I'm not comfortable putting my network security in the hands of a company I did not choose to associate with.


> Microsoft claims users will not be able to find the password and that users will only be able to access the Internet, but that assumes there are no security holes.

You don't even need a "security hole": the machine needs to know the key to connect. From there, it's your machine -- you will be able to read it out of memory. Now, this is probably out of reach for most "average users", but for even a moderately capable attacker it provides little protection (and tools automating this will likely become available).

At best, if the Wifi network is using a passphrase it'll only send you the key (which is calculated by applying the PBKDF2-HMAC-SHA1 function to the passphrase using the SSID as a salt for 4,096 iterations), but this still lets the user get on the network and decrypt traffic.


> Give your neighbor your Wi-Fi password and they can share it with hundreds of their friends automatically.

Give your neighbor your Wi-Fi password, and they can trumpet it on the streets, distribute on pamplets, post it on HN, and update their Facebook status with it.

I am a little shocked at the HN reaction here. I've had a Windows Phone since January and I've thought the feature was not only useful, but a great idea. The only benefit for me has been the automatic TOS acceptance though since nobody else I know has a Windows Phone.

If you're running a "secure" wireless network and don't want anyone else to use it, well, don't give anybody you don't trust the password, and make sure they're not running services like Wi-Fi Sense. Generally speaking, the common man is going to want any of his friends he lets into his house onto his Wi-Fi anyway.


The problem is that it is automatic, it spreads without confirming anything and without any deliberate action.


The problem (with this post in HN) is that it _isn't_ actually automatic. Your device being receptive to automatically-shared networks is default-on/opt-out. Your device automatically _sharing_ a network is default-off/opt-in, as well as (I think) being on a per-network basis.


This is correct. None of this is automatic. It's all opt-in.

I don't believe Wi-Fi Sense is on at all by default (I am pretty sure I had to turn it on), and it explicitly shares only Wi-Fi networks you select, not all of them. You have to go in to your saved Wi-Fi networks and share each one individually. You also have to individually check each list of contacts (Outlook, Skype, Facebook, etc.)

It is absolutely not sharing all your networks automatically with all your Facebook friends.

Here are screenshots (note I'm 99% sure I turned on Wi-Fi Sense):

http://i.imgur.com/bzaK2aT.png http://i.imgur.com/vnbDkdj.png

I suppose it's ironic the FUD is directed against Microsoft now.


Router companies should get together with Microsoft and make some kind of Flag you can tick, so your router actively tells you can't share this, without the ridicules name of "_optout" as last part :)


That's one solution. I don't think it's ideal. Not everyone would know to tick that box. I would, but my friends would not and their networks would be vulnerable.

It could also require buying new hardware. Once again, I would know to look for a Wi-Fi Sense-proof router, but my friends would not.

I also don't think we should be expected to solve problems that Microsoft caused. Why should the industry adapt to Windows rather than the other way around?


Maybe instead they could have router makers add a flag to opt in to this insanity. Then if people really thought it was important for their networks, they could ensure they have compatible hardware, and turn it on.


Well, will at least be interesting to see what the future holds for Wi-Fi Sense :)


From https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/w...

> Your contacts don't see your WiFi network password.

> When you share network access, your contacts get Internet access only.

How can they ensure these two?


They could require "secure enclave" hardware. But that'd need cooperation with the NIC, too, eh?

Most likely they mean "we disable the show password option".


Based on what I read on one of their FAQs, it is not as good as a secure enclave, but it is quite a bit better than simply not providing a show password option.

The password is not stored on the devices of the people you share with. It's stored on Microsoft servers. When the device someone you have shared with notices that a network you've shared is available, it gets the key to connect, then presumably forgets it.

I wonder if it is possible to do better? The idea would be that when setting up the connection (so, setting up session keys and authenticating) the device could pass these packet through to Microsoft's server. Microsoft's server could then calculate the response packets and give them to the device to relay to the access point. When the connection set up is all done, Microsoft's server could pass the session key to the device, and subsequent packets would be handled entirely on the device.

There are two (at least) things that could torpedo this kind of approach. (1) the protocols might work in such a way that you cannot hand off the setup/authentication, or they might require frequent enough re-keying that spotty cell access could prevent keeping wifi working, and (2) the connection setup and authentication might be handled in firmware that does not provide a low enough level interface to do the fiddling needed.


Reading the 802.11-2012 spec, one could send the ANonce to the server, and the server then could generate a SNonce and construct the PTK from the secret PMK stored on the server. This would be secure because the nonces are supposed to be random. I think group key change also depends only on the PTK. This would still be more secure than open WiFi because it would not possible to decrypt packets to/from from other stations with a different SNonce.


>When the device someone you have shared with notices that a network you've shared is available, it gets the key to connect, then presumably forgets it.

So you still need minimal internet connectivity in the first place In order to ask MS' servers? Suddenly sounds less useful for things that aren't phones.


You could extract the handshake nonces and do this easily enough. It's fairly pointless though because WPA2 uses a weak hash function, so your "contacts" would still be able to intercept enough to attempt to bruteforce your password.

Also this entire thing seems dumb. If you need to connect to Microsofts server before you have wifi then you already have data.


I think it is to deal with data caps. And brute force is always possible if one has the 4-way handshake and the password is only useful if you are near enough to actually connect to the network. AFAIK the PSK uses PBKDF2.


I also think (3) you could craft a known challenge for the microsoft server and rainbow table the response.


Let's assume that they have somehow secretly shipped this "secure enclave" with all machines that will support Win10, and that they have h4xXx0r proof-ed the code to make it impossible to RE the code and implement the protocol directly, presumably we'll still be able to emulate Win10 and have a virtual NIC which spits out the key when it's handed off to it.


You won't be able to emulate the secure enclave, no. That'd sort of defeat the entire point.

It is supposed to be impossible to RE the code for anything useful - the keys are encrypted using the public key of the secure enclave. You'd need to break the chip itself to win, and since Intel knows this, we can assume they'll make it incredibly hard.

Of course, since MS wants this to work on current hardware, not "shipping sometime in the future" we can assume they aren't using Intel SGX. But in theory it's fairly strong DRM.

https://software.intel.com/en-us/blogs/2013/09/26/protecting...


If you set up your network using radius, this becomes a non-issue radius is not horribly hard to set up either - its also not automatic, the user has to choose to share the wifi password - which they could do anyhow, as you've given it to them to connect.

https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/w... - Section: "I'm concerned about sharing WiFi networks. Can you tell me a little more?"


When home networking equipment start shipping with RADIUS servers you might have a point, but right now all they can do is forward RADIUS authentication requests to your RADIUS authentication server.

RouterOS ships with one. But RouterOS/Mikrotik offers some pretty incredible functionality at a sub-$35 price point. It is very atypical of anything (even in the SMB space).

However RouterOS isn't a "consumer" system by design. In fact you better have solid network knowledge or you'll struggle even as a power user.


Radius?


Radius is an authentication protocol that is quite widely used, including in WPA-Enterpise. Here there is no fixed password, but a system that allows multiple users with separate passwords.

By using WPA-Enterprise, this wifi sense feature will likely do nothing.



You share with your contacts, but not their contacts. The networks you share aren't shared with your contacts' contacts. If your contacts want to share one of your networks with their contacts, they'd need to know your actual password and type it in to share the network.

https://www.windowsphone.com/en-gb/how-to/wp8/connectivity/w...


Just as I was starting to get excited about Microsoft actually seeming to generally 'get it', they go and do something monstrously stupid like this.


Alternatively, you could actually go look up and understand how this works and realize that 80% of this thread is misinformation.


So, isn't this basically a massive distributed attack on wireless security by Microsoft/Facebook? Similar to what Google's done in the past?

And of course, all this data is open to .gov subpoena, yes?

EDIT:

Oh boy!

Some WiFi hotspots ask you to accept the terms of use in a web browser, provide additional information or do both before you can connect. WiFi Sense can do these things on your behalf to get you connected quickly.

Yeah, this isn't a fucking trap at all.


This is a lot like what got Google in trouble - mapping all WiFi access points while collecting StreetView images. Microsoft is just doing it in a distributed way.

Does all the collected WiFi data go to Microsoft HQ?


Google captured and stored traffic from unencrypted WiFi connections. It is not really similar at all.


Could you actually design this feature in a way that didn't share all the raw WIFI passwords with Microsoft? I think it would be pretty difficult.

Bear in mind though that Google probably knows your wifi password if you or a friend syncs their phone's authentication data.

(Google's legal troubles were a separate issue btw)


I don't think it would be too difficult, design-wise.

Have every Win10 installation generate a public/private key pair. Share the public key with MS.

When you share a password with all your contacts, MS can send all of their public keys to you, where you then encrypt the password with them and send the results back to MS. MS can then send the encrypted passwords to the contacts, who can then retrieve the password with their private key.

Something tells me they probably didn't do it this way, but it doesn't sound like a particularly hard goal to achieve if one thought it was important.


Ah, but it's a per-user secret, not per-device. So each user needs a keypair which gets shared across all of their devices, transparently but also in a way that protects the private key from MS. Which sounds an awful lot like the original problem of sharing secret WIFI passwords without MS being able to read them...

I agree that it must be do-able, it's just tricky to make it work transparently and simply so every user benefits.


Looks like this Wifi sharing app that's huge in China:

http://technode.com/2014/11/17/wifi-hotspot-sharing-skeleton...


Any decent way to always deny Microsoft devices on our network?


This is wrong and should be stopped. Microsoft is another corporation after Google which gets and stores our WiFi passwords (android wifi networks backup).


Free Wi-Fi*

* just friend my business on Facebook


A hotel already asked me to do this once (although they had to manually verify that I friended)


I've developed an app that lets you log on to your friends' Windows machines without having to know the password! Don't worry, it's just Facebook friends.

Someone has to realize how dangerous this is. How would ANY corporation EVER allow a single Windows 10 machine to connect to their wifi, let alone contractors, or...

Do they not realize how paranoid network admins are to begin with? Windows XP forever, I guess.


> Enterprise networks that use 802.1X can't be shared. If you connect to one of these enterprise networks at work or somewhere else, those network credentials won't be shared with any of your contacts.


I don't think WPA2 Enterprise with RADIUS is supported.


Where are these passwords stored and who has access to them? Can they be subpoenaed by government and law enforcement?


[deleted]


I don't believe it can go multiple "hops." If you connect it goes to your friends, but it does not go to friends of your friends.

If your friends connect to the network using Wi-Fi Sense, it might spread to their friends. I'm not sure.


it better not go more than one hop, 99% of FB users are only ~5 hops apart.


Note that this has been a public feature since windows phone 8 was released, two and a half years ago.


It came with WP 8.1, so it's only be around for about year. The real difference is that hardly anybody uses WP 8.1, whereas there is a very real chance that Windows 10 will become a popular and widespread OS.


oops, you're right on the release.


After thinking about it for a bit, couldn't a worm with fake Facebook accounts that are friends-of-friends with a high percentage of the population use this to spread virtually unimpeded?

I suspect that the API is such that all of the friends of the fake accounts will relay to the fake accounts all of their respective friends passwords (given they had connected to said friend's network at least once), and that two steps should given sufficient coverage in dense urban areas to get worms that give near total wifi coverage of the area.

Such a worm platform could of course be used to launch a wide range of attacks, as it has a relatively high concentration and a solid coverage of the area (for data relaying).

This screams badness at every level: it's relying on the notion of a Facebook friendship to root security, despite that Facebook friendships have no such semantic meaning in the context of Facebook.

You were doing so well Microsoft... but this... this is really, really bad, to the point it might pose an infrastructure risk for cities.


If they derive the PTK on the server from the stored PMK and sending that instead, this attack would not allow decryption of transmitted packets (other than group key broadcasts) because of the ANonce generated by the AP on each connection used in the key derivation. And the PSK uses PBKDF2 to generate the PMK, making mass cracking expensive.


For the usage I was thinking of, it doesn't need to decrypt mass packets, but rather, join a massive number of networks.

My idea was simply a way to accelerate the spread of a worm through consumer wifi gear by using the set of fake profiles to always be friends-of-friends with the owner of the network (and thus friends with someone who has connected, thus allowing you to connect).

The process would be something like this:

1. Find a vulnerability in consumer wifi gear, such that insecure default allow the default config to accept new code from only inside the LAN. (These types of vulnerabilities with default passowords are common; however, remote access is often disabled.)

2. Upload code to one router.

3. Infected routers look for neighbors who they can connect to the network of, then upload the attack code once they're masquerading as a device on the LAN.

4. Repeat 3.

Normally, the reason that this attack doesn't really work is that there are simply too few open or insecure LANs of the same hardware type for the attack to have an effective spread rate, thus it's only a thin weak network and breaks quickly in the face of customers fixing, upgrading, or simply turning off their gear.

However, in allowing friends-of-friends to get access to a LAN, Microsoft has removed this barrier to worms spreading across consumer networking gear for anyone that can amass a stock set of profiles with decent geographical coverage, making it a viable way to accelerate the spread of a worm through networking gear.

Ed: Of course, once the routers themselves are infected, and you have good geographical coverage, the infected routers can be used as a platform to launch attacks. Again, the reason that we don't see this in practice is that it's too hard to get access to all of those LANs because of even the weak security that exists. Microsoft removed that, making the attack viable if people can infiltrate the Facebook social graph.


Didn't think of exploiting routers themselves before.


Isn't this the definition of "unauthorized access", as far as the law is concerned?

I'd be less uncomfortable if you had to deliberately choose which friends to share a certain network with. "Share with this person", or something.


You'd think - because presumably this could come about without you ever signing up to 'WiFi Sense' or any such EULA, if you give one Win10 friend the password, all his friends have it without you even realising WS exists?


>if you give one Win10 friend the password, all his friends have it

Only if he opts _in_ to sharing it.


So a pedophile with a laptop will just drive up to a neighborhood and login to download all sorts of porn from your router just because you're running Windows 10? I apologize for sounding so extreme, but I've heard of this actually happening[1], but with an open wifi network.

Edit:

[1] : http://www.huffingtonpost.com/2011/04/24/unsecured-wifi-chil...


On the other hand...

https://www.schneier.com/blog/archives/2008/01/my_open_wirel...

(This was 3 years before that. In some ways, it's a bit sad that we've closed ourselves off in order to avoid what might actually bit pretty small risks...)


How convenient!




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: