A Windows Phone feature named Wi-Fi Sense is making the jump to Windows 10. With the increased attention, many people are finding that they don’t like the feature but have no control over it.
Wi-Fi Sense allows you to share network credentials with your Facebook friends to ease their access to your WiFi network. While you can see some convenience that this offers, it fundamentally defeats the purpose of the most common wireless security, the password. Wi-Fi Sense allows you to share your network credentials with your Facebook friends but it also allows those friends to share the network access with their Facebook friends, and so on. Not only does it share access with Facebook friends but also Outlook.com and Skype contacts.
How horribly, horribly insecure. If I gave you access to my network, I did not implicitly give you permission to give that access to everyone in the world.
Image credit: How-To Geek
You can control Wi-Fi Sense settings on Windows 10 under Settings (the new Control Panel), Network & Internet, Wi-Fi, and Manage Wi-Fi Settings. You can disable Wi-Fi Sense and choose to not connect automatically to “networks shared by my contacts” and unshare previously shared networks.
Despite those settings, which do not seem to have corresponding Group Policy settings, the problem is the distributed nature of the default setting. If a friend is over and I give them access to my WiFi, say I verbally tell them the password, they are then in control of sharing out my network credentials to their digital contacts. Even if Microsoft were to respond to the dislike of this feature and remove it from Windows 10 or disable it, the cat is out of the bag and there is nothing saying that a third-party app could not do the same thing. Microsoft is just in a position to make something spread rather quickly with the latest operating system adoption, that they are giving away as a free upgrade for the first year.
On the Defensive
To prevent Wi-Fi Sense from sharing out your network credentials, you can change your wireless network name, the SSID, to end with _optout. Too bad if you want to opt out of Microsoft’s Wi-Fi Sense and Google Map location collection of WiFi, which requires _nomap on the end of your SSID, you will have to choose.
If you would rather not change your SSID name (and then have to reconnect all of your devices), you can use a wireless router/access point that supports multiple SSIDs like the Ubiquiti UniFi. Setup one SSID for your devices to have full access to the network, secured by a WPA2 password, and setup a second SSID for guest access only, still secured by a password, but Internet-only access. This will prevent the guest network from accessing your devices and files. However, your guest SSID network credentials can still be shared out, so it’s not a perfect solution if you’re concerned about somebody using your connection and pushing you towards your data cap.
The next step would be to implement MAC filtering on your wireless connection. This way only devices that you specifically whitelist by their MAC address will be allowed to connect to your network. It’s more tedium to the mix but greatly improves your network security.
Hat tip: How-To Geek