When social networking collides with wireless networking, it makes a lot of noise.
That's what Microsoft is discovering this week, as critics take aim at a controversial new Windows 10 feature called Wi-Fi Sense. (For an explanation of what the feature does and how it works, see this earlier post.)
The level of alarmism I'm hearing over this feature is truly, well, alarming. I completely understand the concerns over this feature, because its basic design seems counterintuitive. But I've looked at it very carefully and I see it as a solid, net improvement to wireless networking.
Yes, the availability of Wi-Fi Sense should make everyone think about wireless security. But the funny thing about the barrage of coverage of this feature is that it's finally forcing people to think about the tradeoffs we make every day between convenience and security--especiallywhen connecting to wireless networks.
Microsoft isn't the first company trying to expand wireless coverage worldwide by making it possible for its customers to turn personal wireless routers into more readily accessible hotspots.
The Electronic Frontier Foundation has been pushing for years for a much more sweeping plan, called the Open Wireless Movement, which is intended "to build technologies that will let users open their wireless networks without compromising their security or sacrificing bandwidth." Mozilla is one of its partners.
Comcast has had its variation on this theme, a feature called the "Neighborhood Hotspot initiative," for more than two years. In Australia, Telstra has something similar, with the theme "share a little, get a lot."
Crowdsourcing Wi-Fi isn't insecure if it's done right. The problems are the same as with websites that require authentication. Shared passwords make phishing and social engineering possible in both places.
There are plenty of easy things you can and should do to ensure that your business and personal wireless networks are secure from outside attackers. Oddly enough, if you adopt these best practices, you effectively eliminate any of the perceived risks from Wi-Fi Sense as well.
I have that full list later in this article, but to understand the "why" behind the "what to do," you need to look at how Wi-Fi Sense fits into the bigger wireless networking picture.
Why does the Wi-Fi Sense feature exist?
In all the focus on the "share your wireless network with your friends" feature, everyone seems to be missing the biggest benefit of Wi-Fi Sense.
With this feature, you can connect automatically to what Microsoft calls "suggested hotspots."
I can see you recoiling in horror now. "Connect automatically to an open wireless network? That sounds terribly insecure."
You certainly should avoid connecting to open networks you know nothing about. But if the only networks to which you automatically connect are those that are known to be safe, then the net effect is to improve your security.
With Wi-Fi Sense, Microsoft keeps a list of open networks that are known to be safe and reliable, like the official hotspots found in airports and shopping malls and hotel lobbies and increasingly in public areas in cities. When I'm in a new place with Wi-Fi Sense turned on, my Windows 10 device never sees those fake hotspots run by bad guys; it connects automatically to the one that is known to be safe and reliable.
That's a good thing. If it becomes widespread and is copied (or better yet, evolves into a standard), it makes the Internet a safer place.
This is exactly the sort of thing that Microsoft has a lot of experience with, having run its very effective SmartScreen service to block malicious software and web sites for many years.
If I open my Windows 10 laptop in an airport while I'm waiting for my next flight, I don't manually have to scroll through the list of open networks and try to guess which one is the official access point and which ones are honeypots trying to lure me into an unsafe connection so bad guys can attack my system.
And then there's the other Wi-Fi Sense feature, the "share my network" thing. The more we use mobile devices, the more data we use. In our increasingly networked world, we expect Wi-Fi to be available all the time.
Running a wireless access point with WPA2 security means choosing and using complex passphrases for encryption. For some people, the hassle of those complex passwords is so great, especially when they want to share access to their network, that they say, "Screw this, I'll just run a completely open and insecure network." That's a very bad thing.
What Wi-Fi Sense does is give consumers a safe way to share wireless access without sharing Wi-Fi secrets. The fact that it's limited to Windows 10 at this point is its biggest weak spot. If only Facebook and Apple and Google and Microsoft could cooperate on an open protocol for wireless sharing...
But the biggest objection here is that someone else can share access to my network without my permission. Fair enough. But that's the inherent problem with shared passwords, which is why they're adequate for home networks and not so great for business networks.
What's the realistic threat assessment?
Imagine you have a small business, too small to effectively set up a secure business-class wireless network based on the 802.1x standard. Instead, you're using a consumer-grade router and WPA2 security.
I visit your office and tell the person at the reception desk I need access to Wi-Fi so I can do a few things before my meeting with your VP. Your receptionist gives me the WPA2 passphrase, I enter it in the Wi-Fi connection box on my Windows 10 laptop, and for some reason, I go out of my way to click the option to share the network with my contacts. Notice that it is not selected by default.
At this point, those who feel that Wi-Fi Sense is a security risk paint a scenario that sounds horrifying: Everyone I know can automatically connect to your network.
In theory, that's true. But it doesn't factor in the proximity-based nature of Wi-Fi.
Yes, if I select that option, people in my Outlook.com or Skype contacts (as well as my Facebook friends if I opt in to this feature) will be able to securely sign in to your wireless network, but only if they are actually in your lobby.
I might have hundreds of contacts and Facebook friends, but the only way they can access your network is if they are already in the building (or, if you have a really strong Wi-Fi signal, in the parking lot).
So, how is that going to happen? And why?
My friends and family and business contacts are scattered around the country and even around the world. If one of my contacts is in your lobby, it's probably because she is there to do business with you, and the reason she is in my contacts list is because all of us share a business relationship.
Is my deadbeat cousin from Reno who spends all his time playing Facebook games going to camp out in your lobby as if it's a Starbucks? Is one of my Skype buddies going to cruise into your parking lot and steal your Wi-Fi?
Not likely, because they don't even know you exist.
There's no master list of networks I've shared using Wi-Fi Sense. My hundreds or even thousands of contacts have no way of knowing they don't have to ask your receptionist for the Wi-Fi key if they are waiting in your lobby.
At any rate, this scenario wouldn't happen in the real world, because as your visitor I didn't click the check box to share your network. Why would I go out of my way to do that?
And even if I did, how is that configuration going to hurt you? That's the threat assessment you have to make.
What you can do
As I've tried to make clear, I don't see any realistic scenarios where this feature poses a threat. (I remember a colleague, back around the launch of Windows Vista, who was convinced that the new voice recognition feature was going to be a security nightmare. People could walk by your machine and format drive C: just by yelling commands! But I digress...)
Regardless of how you feel about Wi-Fi Sense, there are common sense measures you can and should take to secure your wireless network. I assume that:
- You have already enabled WPA2 security with a strong passphrase.
- If you regularly have visitors and you don't want to permit sharing of your wireless network, you've already added _optout to your SSID using the instructions in this FAQ.
- You've disabled remote administration of your router and replaced the default password with a strong one.
Here's what to do next.
1. Treat your Wi-Fi password as if it were the key to your home or office.
Hand out your Wi-Fi password only to trusted individuals.
That's not just me talking. That's the advice of every major security source, including Google. Here's what the official Google blog had to say two years ago in a post titled "Securing Your WiFi Network." After encouraging you to create a strong password, they advise
If you're in a private space such as your home, it's OK to write this password down so you can remember it, and keep it somewhere safe so you don't lose it. You might also need it handy in case your friends come to visit and want to connect to the Internet via your network. Just like you wouldn't give a stranger a key to your house, you should only give your WiFi password to people you trust. [emphasis added]
You should also, of course, train your employees not to share your company's Wi-Fi password. But what about visitors and guests?
2. Ask visitors and guests not to write down or share Wi-Fi passwords.
Every modern device, regardless of operating system, is capable of saving Wi-Fi credentials in encrypted form. When someone shows up at your home or office, they might ask for your Wi-Fi password. Ask them not to write it down or share it. Train your reception staff to include that admonition when giving the user the passphrase If they're worthy of your trust, they'll respect that wish.
And if you can't trust your visitors not to share it, go one tiny step further: When they request access to your Wi-Fi network, ask them to open the connection interface and hand their device to you so you can type the passphrase yourself. In your office, this is something your reception staff can do. Naturally, you've trained them not to share credentials with other people, so they're not going to check that box in Windows 10.
Your guests will be able to access your account, but they won't be able to see the saved passphrase, which means they can't share access with anyone else.
3. Set up a guest network, separate from your business network.
You're not letting your guests use your Wi-Fi access point to sign in to the same network where your business files are located, are you?
If you answered yes, please stop doing that. Every modern router has the capability to create a guest network, isolated from your business network. If your router doesn't offer that capability, it's time to replace it.
4. Change your Wi-Fi passwords regularly.
Anyone who is concerned about the security of any networked asset should change its passwords at regular intervals. For a small business that is using consumer-grade hardware, you might decide to change the password for the company's internal wireless network every few months.
For wireless networks in an office, change the guest password every Friday afternoon. If some jerk using Windows 10 inconsiderately shares your account with his contacts, the shared, encrypted credentials will stop working after a few days.