Information security is a delicate balance between user convenience and keeping things secure. Too much security makes systems harder for users, while accommodating users’ ease of use too much sacrifices the protection of data and systems. That’s the balance. Microsoft is about to release the latest version of its flagship product, Windows 10. Quickly recovering from a disastrous Windows 8 launch, Windows 10 is focusing on the users rather than the devices.
One of the several new features is called Wi-Fi Sense. Wi-Fi Sense was introduced in Windows Phone, but since no one uses a Windows phone unless they have to, no one noticed it. Windows 10 is going to give it to the masses, and security experts, like myself, are very uncomfortable about what it does and allows users to do. From the FAQ, the part of Wi-Fi Sense that has everyone on edge is this:
Let you exchange Wi-Fi network access with your Facebook friends, Outlook.com contacts, or Skype contacts to give and get Internet access without seeing each other’s Wi-Fi network passwords
This is the balance between security and user convenience tipping toward the users, putting their own security at risk. Reading through the FAQ and documentation on Wi-Fi Sense, the only benefit I can see from this ability is that users don’t have to give their users a complex password, making it as simple as possible to get on a Wi-Fi hotspot. Users have been using Wi-Fi passcodes for years; they can keep doing so.
The sharing is not done locally but over the Internet. The wireless password is sent to Microsoft servers, then the sharing happens through ‘the cloud’. The end user doesn’t see the password. One question that hasn’t been answered is how Microsoft protects the storage of your home wireless passcode. How is it transmitted? How is this a security feature improvement? I can’t say it is. The only protection here is that you need to be in physical proximity to the wireless network to get on the network.
I could see this being one more vector for phishing attempts, with people getting others to share their Wi-Fi via Facebook without understanding what they are really doing. People give away their usernames and passwords every day; a push-button security sharing method is just asking to be abused. It also adds one more management layer for the users that the simplicity is intended for, who are generally not security experts.
Currently you have security through obscurity in the complex verbal exchange of a 10 or 20+ character passcode to protect networks. You aren’t going to mistakenly share that with someone without realizing exactly what you are doing. Pushing a button to give access to your wireless network and bandwidth removes that mental step and takes users farther away from awareness of their responsibility for their technology.
Microsoft may have gotten this one wrong and tilted things too far away from security in order to make it too easy for the users.
End of Line.
Binary Blogger has spent 20 years in the Information Security space, currently providing security solutions and evangelism to clients. From early web application programming, system administration, and senior management to enterprise consulting, I provide practical security analysis and solutions to help companies and individuals figure out HOW to be secure every day.