Wi-Fi (non)Sense

Ever told someone a secret only to find out later that they blabbed it to everyone they knew? Irritating, huh?

Ever let someone on your home wireless network only to find out later that all their friends now have access as well whenever they get within range? Not yet, but you will … 

… unless Microsoft rethinks a new feature they included in the latest and greatest release of their flagship OS — Windows 10. 

Generally speaking, the early reviews for Win 10 have been mostly positive. However, there’s one addition that might sound like a good idea on the surface, but once you think it through (which it seems the designers didn’t do), you quickly realize it’s a security nightmare.

The feature is called Wi-Fi Sense and it’s intended to help you overcome the complexity of letting visitors onto your home wireless network by automating the process of sharing the complex, hard to remember, even harder to enter encryption key that grants access. (You do have a complex, hard to remember, even harder to remember key protecting your Wi-Fi, right? Please say “yes.” Good.)

The problem is that it breaks the bounds of any sort of reasonable security standard by oversharing that key with all sorts of people you may not even know — many of whom you would never allow on your private home network.

Graham Cluely has a great description of the problem on his blog that I highly recommend that you read so you will have the details in a clear, understandable way that I couldn’t improve on (so I won’t even try).

Before you dismiss this as something you don’t have to care about because you don’t use Windows 10, think again. All it takes is for you to share your Wi-Fi key with any Windows 10 user who happens to have this (over)sharing feature turned on for them to automatically pass it along to all their friends even without their knowledge.

That’s right. You and all your family could run nothing but Macs or Linux but it only takes one visitor running Win 10 that you give the Wi-Fi key to before you unknowingly have shared this with all of your visitor’s Skype contacts, Outlook contacts, Hotmail contacts and Facebook friends. 

I’m not ready to go so far as to say “friends don’t let friends use Win 10,” but I will say you should think twice — make it three times — before you share you home Wi-Fi with them.

Advertisement

Google probably knows your Wi-Fi password

It’s been an interesting year in the world of IT security and privacy. It turns out that all the world’s spy agencies are, in fact, spying on each other. Shocking, right? OK, so they aren’t just spying on other spies but probably you and me as well to one degree or another. How much do they know? How long have they known it? How is the information being used?

I think the best answer is a quote from Tom Waits that predates this latest controversy but is quite apropos, nevertheless …

“The folks who know the truth aren’t talking. The ones who don’t have a clue, you can’t shut them up.”

In other words, don’t believe everything you hear because the people making the most noise tend to be those with the least actual information. At the risk of falling into that latter category I will suggest that the organizations that might know more about you than the TLAs (Three Letter Agencies) are the ones that we voluntarily give up our personal information to in exchange for free email, social media, cloud storage, navigation services, etc.

Along those lines comes a revelation that sits squarely between the uncomfortable intersection of security and convenience — your wifi passwords. If, for instance, you have an Android device you probably connect it to a wireless LAN on occasion. Unless you enjoy typing in long, complicated passwords on tiny keyboards, you probably opted to let the OS store this info for future use. For further convenience you probably allow Google to back up the settings on your phone since this makes recovery far easier when you get a new one. All very nice but …

This means that Google is storing all those “secret” passwords somewhere in their cloud. Who has access? How well is it secured? How could this information be used/abused? Now the heartburn begins…

I have no idea whether Google does a great job or a poor job of securing this data just like I have no idea how well credit card numbers and other sensitive information is being secured on systems for major retailers but I do know that at least in the case of the latter there have been some major breaches. We might not know about these failures were it not for legislation that requires public disclosure of such incidents and I suspect we wouldn’t necessarily know about similar compromises in social media, email and other Internet-based services.

And don’t make the mistake of thinking that a leak of wifi passwords would only affect a few home networks or that if you choose not to have your info backed up by Google or because you use an iPhone or no phone at all that you will be safe because all it takes is for one user — any user — of any wifi network you use to have saved and backed up this info for it to make everyone on that network at risk. 

Just another reason why you should make sure that you use a good VPN or SSL connection, even when you think you are on a secure wifi network…