Windows 10 uses your bandwidth to help strangers download updates

Have you updated your computer to Windows 10 yet?

If so, one hopes you're aware of one of its less well-known features, which could mean that your internet bandwidth and data plan are being used to help complete strangers download their updates.

If you weren't aware - consider this a public service announcement.

In some ways, Windows Update Delivery Optimisation (WUDO) sounds really cool:

Windows Update Delivery Optimization lets you get Windows updates and Windows Store apps from sources in addition to Microsoft. This can help you get updates and apps more quickly if you have a limited or unreliable Internet connection. And if you own more than one PC, it can reduce the amount of Internet bandwidth needed to keep all of your PCs up-to-date.

In other words, it sounds pretty neat. Chances are that you may have more than one PC in your household, and why should they all have to drag an update down in its entirety from the internet?

But here's the next bit:

Delivery Optimization also sends updates and apps from your PC to other PCs on your local network or PCs on the Internet.

Yes, you read that right. WUDO doesn't just look for computers on your internal network, but - just as if you were downloading a torrent of a Hollywood movie - it will try to find other computers on the internet which are running Windows 10, and try to get parts of the download from them too.

And, of course, it could be your Windows 10 PC that is giving a helping hand to those complete strangers' PCs by *uploading* the data that they are looking for.

If you are an altruistic fellow, you might have no problem with this at all. But if your internet connectivity is metered or capped with a data plan, then you may be unhappy at the thought of it being gobbled up just to make Microsoft's job of distributing updates easier.

Naturally, as seems to be the way of the world these days, you don't opt in to WUDO. Microsoft has already turned it on by default for you.

Fortunately, you can change the settings if you're not happy with how Microsoft has decided it should use your internet connection:

  1. Go to Start, then Settings > Update & security > Windows Update, and then select Advanced options.
  2. On the Advanced options page, select Choose how updates are delivered. From there you can use the toggle to turn Delivery Optimization off (you will still be able to get updates and apps from Windows Update and from the Windows Store), or disable WUDO's default setting of potentially downloading updates from, and offering them to, PCs anywhere else on the internet.

Microsoft says that WUDO won't use metered or capped internet connections to download/upload updates, but that's only the case if you have *told* Windows 10 that a particular internet connection is metered.

Have you done that? Of course, you haven't. Wouldn't it have been better if Microsoft had made you go through that process of telling it which internet connections it could use for this feature *before* turning it on by default?

Regardless of whether your data connection is metered or not, you may still object to the idea of it being used to upload fragments of updates to strangers on the internet. It should be your choice what data travels across your internet connection, not a decision made by Microsoft without your approval.

In its FAQ on the feature, Microsoft reassures users that they should not have to worry about unknown PCs providing updates to their computers, as it "uses information obtained securely from Microsoft to validate the authenticity of files downloaded to your PC. Delivery Optimization also checks the authenticity of each part of an update or app that it downloads from other PCs before installing it."

Furthermore, according to the company, WUDO cannot access the personal files you store on your PC (which obviously you wouldn't want being uploaded to the hard drives of strangers).

Let's hope that they've done their job properly, and malicious hackers never find a way to trick the system. I mean, it would be terrible if malicious hackers were able to somehow exploit a weakness in the Windows Update system to spread an attack (as, ahem, they managed a few years ago with the Flame malware).
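The per-part check that Microsoft's FAQ describes can be illustrated with a general piece-hash scheme. This is an added example, not Microsoft's implementation or code from the original article: the use of SHA-256, the piece size, the peer names and every function name are assumptions, and the sample update is constructed.

```python
import hashlib
import hmac
from dataclasses import dataclass

PIECE_SIZE = 16  # constructed, tiny value so the sample stays readable


@dataclass(frozen=True)
class Manifest:
    """Per-piece digests, assumed to arrive over the trusted channel to the publisher."""
    total_size: int
    piece_hashes: tuple  # hex SHA-256 of each piece, in order


def build_manifest(payload: bytes) -> Manifest:
    """Publisher side: hash every fixed-size piece of the update."""
    pieces = [payload[i:i + PIECE_SIZE] for i in range(0, len(payload), PIECE_SIZE)]
    return Manifest(len(payload), tuple(hashlib.sha256(p).hexdigest() for p in pieces))


def expected_len(manifest: Manifest, index: int) -> int:
    """Every piece is PIECE_SIZE long except (possibly) the last one."""
    last = len(manifest.piece_hashes) - 1
    return PIECE_SIZE if index < last else manifest.total_size - PIECE_SIZE * last


def verify_piece(manifest: Manifest, index: int, data: bytes) -> bool:
    """Client side: accept a peer's piece only if its length and digest match."""
    if not 0 <= index < len(manifest.piece_hashes):
        return False
    if len(data) != expected_len(manifest, index):
        return False
    digest = hashlib.sha256(data).hexdigest()
    return hmac.compare_digest(digest, manifest.piece_hashes[index])


def assemble(manifest: Manifest, peers: dict):
    """Rebuild the update from untrusted peers, piece by piece.

    peers maps a peer name to {piece index: bytes}. Returns the payload and
    a list of (peer, index) pairs whose data was rejected.
    """
    out, rejected = [], []
    for index in range(len(manifest.piece_hashes)):
        for name, pieces in peers.items():
            data = pieces.get(index)
            if data is None:
                continue  # this peer does not hold the piece
            if verify_piece(manifest, index, data):
                out.append(data)
                break
            rejected.append((name, index))  # tampered or corrupt: try next peer
        else:
            raise LookupError(f"no valid copy of piece {index}; fetch it from the publisher")
    return b"".join(out), rejected


# Constructed sample data: one peer serves a tampered second piece.
UPDATE = b"constructed update payload, not a real package"
MANIFEST = build_manifest(UPDATE)
PEERS = {
    "stranger": {0: UPDATE[:16], 1: b"X" * PIECE_SIZE},
    "honest": {0: UPDATE[:16], 1: UPDATE[16:32], 2: UPDATE[32:]},
}

if __name__ == "__main__":
    payload, rejected = assemble(MANIFEST, PEERS)
    print(payload == UPDATE, rejected)
```

The scheme is only as strong as the manifest: if the digest list itself could be supplied or altered by a peer, the per-piece check would prove nothing.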

Was Microsoft right to enable this setting by default in Windows 10? Leave a comment with your thoughts below.


35 Responses

  1. rar

    August 4, 2015 at 10:14 am #

    Microsoft has an excellent track record of delivering features perfectly without any possibility of misuse along with Adobe, Oracle Java etc.

    I'm eagerly waiting for a WUDO VOODOO or such nicely named disclosure where you can trick it into doing anything you want or getting anything you want.

    • Graham Cluley in reply to rar.

      August 4, 2015 at 10:16 am #

      WUDO VOODOO. The vulnerability's logo practically draws itself. Let's hope it never happens.

    • Coyote in reply to rar.

      August 4, 2015 at 5:15 pm #

      Excellent idea with a great (as cleverness is) name.

      Thanks for that. I hope that when someone does bother to abuse this feature, they call it wudo voodoo.

    • Pete in reply to rar.

      August 5, 2015 at 2:53 pm #

      “It's not every day that you see the stupidest thing you've ever seen.” – Mike Nelson, MST3K

      I wrote that comment on another forum last week in connection with Microsoft's breathtaking stupidity in creating the Windows 10 “feature” that shares its users’ Wi-Fi password with their contacts in Outlook and Skype…and makes it opt-out into the bargain.

      A couple of days before that, Graham's GCHQ article on Microsoft’s inclusion of automatic software update warned me that the folks in Redmond were already stumbling badly with Windows 10. And now here comes the news about this boneheaded “WUDO VOODOO” vulnerability (…good one, rar.)

      Alas, it seems that once again Microsoft has been badly bonked with the stupid stick.

  2. Kevin

    August 4, 2015 at 10:16 am #

    Absolutely not! This is shocking… as you say, only a matter of time before this becomes yet another weakness. I've been on the insider programme and just upgraded to RTM. I'm going back to Ubuntu now :)

  3. Jeremy Clulow

    August 4, 2015 at 10:39 am #

    So Windows 10 includes a BitTorrent client. Bram Cohen will be very amused, I’m sure. I can't wait for it to be hacked so that it grabs pirated films or downloads malware. We’ll all be pirates then! The recent revelation that Microsoft has the right and ability (it's in the EULA) to access the contents of private folders on Windows 10 makes me so so glad I moved my office to Linux 3 years ago.

    • Coyote in reply to Jeremy Clulow.

      August 4, 2015 at 5:20 pm #

      "I can't wait for it to be hacked so that it grabs pirated films or downloads malware. We’ll all be pirates then!"

      That was my immediate thought when I saw the title of the article. And indeed I can't wait for it either. In fact, I hope it happens just because it is so amusing to me. Of course, we can't forget that many pirates spend a lot of money on media; unfortunately, the RIAA (et al.) won't thank Microsoft if all Windows 10 users become pirates, but they would instead try to implement further methods to make it harder for customers to view/listen to the media they BUY. Then again… That seems to be something they regularly do, anyway.

  4. Doug

    August 4, 2015 at 10:44 am #

    Here we go again! Yet another reason for delaying a while before I upgrade, as this is a "feature" which common sense says should change. It will surely be particularly unpopular in France, where I live, as broadband upload speeds here are around half what you get in the UK, so if your PC is uploading a Windows update to other people your connection will be very badly affected.

    • Coyote in reply to Doug.

      August 4, 2015 at 5:35 pm #

      "your connection will be very badly affected."

      This is an important point that many don't understand and Microsoft is obviously included:

      When you download something from a server (say), then that server is uploading to you. The reverse is true, too (and when you're connected to a host – TCP three-way handshake – you typically send data also.. and it all adds up). But if someone is downloading from [you] at a rate your connection can't easily handle (see below), your connection will be saturated and be very slow. So not only should Microsoft make this an opt-in (but don't because of laziness, arrogance and stupidity) but they should also have a maximum bandwidth to use. The latter point means it should be opt-in even more so, because connections vary drastically.

      This especially goes for asynchronous connections (where upstream is slower still).

    • My1 in reply to Doug.

      July 5, 2016 at 11:45 am #

      You can be happy that you have half the upload. Here in Germany the upspeed is a TENTH of the DL speed, often lower. I have 32Mbit down and 2 up, although it seems to have become a bit better with VDSL.

  5. Simon

    August 4, 2015 at 10:47 am #

    Overall a good idea….. If you opt in! I agree with your comment, this is the individual's connection and it is up to them what data travels across it. This is irrelevant whether the connection is metered or not. Certainly should be off as default – however if this was the case, who would do this when there is nothing really to gain at the individual level (hence their decision to switch on I'm sure)

  6. Nick Ioannou

    August 4, 2015 at 11:00 am #

    Once again the 'bubble' that Microsoft techies live in is so far from the reality of their users. Upload speeds are dire for a lot of people, so this needed to be something people opt into.

  7. Fraser

    August 4, 2015 at 11:43 am #

    expecting the windows theme on piratebay next!

  8. Karthik

    August 4, 2015 at 11:45 am #

    Doing a cost-benefit assessment, wonder if this is really worth it! The benefit from this feature to all involved – Microsoft, those who need the update and those who provide the update – is minimal.

  9. Adam

    August 4, 2015 at 12:51 pm #

    It has done all the groundwork to make the world's largest ever botnet.

  10. Catherine Jefferson

    August 4, 2015 at 1:24 pm #

    Microsoft's security FAILs on Windows 10 are so many and so severe that I've decided to upgrade my Windows computers — to Linux! I'll keep one of the older laptops on Windows 7 for the rare occasion when I need to run something on it.

  11. Elsie Coote

    August 4, 2015 at 2:18 pm #

    Absolutely not, this is a shocking revelation and one I intend to remedy A.S.A.P !!!

  12. Kevin

    August 4, 2015 at 2:32 pm #

    I'm actually looking forward to going back to Ubuntu. No BS licence agreements or the sense of greater foul play… Microsoft are going to lose even more friends with this move.

    Also quite amusing that they can't even successfully give it away – for free – when they impose such infringing terms on its usage/their access to your hardware.

    Thanks MS for teaching the world exactly how not to do something!

  13. Graham Cotterill

    August 4, 2015 at 3:39 pm #

    In response to the release of Microsoft's Windows 10 O/S
    After carrying out the drawn out install program I was finally ready to receive the last 'Finish'
    Spending the next few hours sorting out how I wanted the layout to look, I came to a quite surprising conclusion…..I liked it!
    Yes there were several glitches but these were soon dealt with after scratching about in the 'Settings' system. At this stage in its life the O/S is standing up well.
    I used an analogy the Sports Car companies practice, they don't spend millions designing a super car and just put it on the road expecting all to be well? Win 10 is in the same boat….needs time to settle and good people like ourselves to iron out the potential glitches.

  14. David L

    August 4, 2015 at 4:37 pm #

    Any time a company says they are doing something for the users' benefit, rest assured that it will benefit the company only, and or more than the user!

    Can anyone here think that these new features are things users actually asked for? NOT !

  15. Coyote

    August 4, 2015 at 5:09 pm #

    Yet people still say Microsoft has improved. Perhaps they have in some ways, but they clearly haven't improved enough.

    "Microsoft says that WUDO won't use metered or capped internet connections to download/upload updates, but that's only the case if you have *told* Windows 10 that a particular internet connection is metered."

    Except it is opt-out. Apparently they are just as stupid as they have always been.

    "as it 'uses information obtained securely from Microsoft to validate the authenticity of files downloaded to your PC.'"

    How assuring it is that they finally decided to verify updates. I was wrong it seems; they have improved (but this should have been the case always)!

    "Furthermore, according to the company, WUDO cannot access the personal files you store on your PC (which obviously you wouldn't want being uploaded to the hard drives of strangers)."

    For now. But that doesn't mean it can't be manipulated. It isn't IF but WHEN.

    Well done, Microsoft, for wasting customers' resources to spare your own resources (and who knows what else)! Well done!

  16. harriram

    August 4, 2015 at 7:09 pm #

    The reason Microsoft needs to validate connected computers is to TRY and thwart piracy of Windows 10.
    For me, an operating system should be as transparent as the engine in a car. All the features necessary should have no bearing of what's under the hood. If Microsoft were to give away Windows 10, and charge a fee for the addons, I'd be more willing to support their efforts.
    I could type my document and complete my budget spreadsheet using Chrome and free software, so why am I paying Microsoft for software that in their own words may not work for any purpose.

    The best operating system: a browser sitting on top of a hardware abstraction layer. Universal calls for I/O to the hardware to prevent crashes. Microsoft's goal for Windows 10 is to be a universal OS, hence moves for running on various platforms including Raspberry Pi 2 and on "internet of things". They've never gotten Windows right, and never will.

  17. Ken Hughes

    August 4, 2015 at 7:19 pm #

    Experienced my first crash this morning since upgrading to 10 on 7/29. I had nothing open, was simply modifying the Start Menu tiles groups when I was forced to unplug the power. Once I finally was able to get back in, I suspected an automatic update was probably engaged, and I appear to be right, three installed today. I changed the setting to Notify to Schedule Restart after finding the old Windows Updates control panel is no more and you have to go to the Settings "panel" (still two "Control Panels", argh). While there, I noticed this terrible feature I was opted in on, disabled it.

  18. Doug Alder

    August 4, 2015 at 10:53 pm #

    Well that decides it for me – I'll just leave all my laptops on 8.1 with a classic start menu script installed so I don't have to deal with that awful Start Menu. I tried to update two laptops this past weekend and one, a 3 year old HP dual core, failed – and reverted back to 8.1 and won't let me try again (which I won't now try again ) and the other a 1 year old Toshiba with a quad core AMD actually upgraded but Windows can't find the serial number the OEM burned into the system and so the install will #FAIL in 30 days. This OS is definitely not ready for prime time or anything above Beta. One of my co-workers had his fail and revert because it lacked the drivers for his relatively new ACER laptop.

  19. twowheeltravels

    August 5, 2015 at 1:37 am #

    What the heck is Microsoft thinking???? Crazy idea

  20. Mike Erivera

    August 5, 2015 at 1:46 am #

    I would like to thank you Graham for another excellent and informative article (And there are a lot of them!!!).
    I have been a member of the Windows 10 Insider program since January '15 and gone through a lot of Win 10 builds until the final release 10240 (which is the RTM version). This WUDO feature of MS really gives security pros the creeps because of the "giving out" of data from your PC! Yes, it's just "Windows Update" as they claim but what ifs….scary. I did turn this feature off (REALLY IT'S OFF) when my machine running on TPV is at home where my internet connection is slow (not metered, BUT slow bandwidth). I don't want it to interfere with my home broadband. BUT in my work this feature is a must to limit downloads, but opting for the LAN PCs only.

    Thanks again Graham!

  21. andrea

    August 6, 2015 at 12:48 pm #

    My Windows 10 is downloading as I type and I found your info really enlightening..I bookmarked the page to follow your instructions when I install 10…I don't even pretend to be a real pc person but I do understand the explanation you provided and will immediately correct my settings…thanks !

  22. harriram

    August 9, 2015 at 4:47 pm #

    So I called it. Less than a week after making my comment, I saw Microsoft is in fact going to charge for addons to the basic OS. Finally a more provocative business model. Something to keep us thinking and simply pay for what we want from MS. Yaaaay !!
    Wait a minute. Microsoft just burst their own bubble. Apparently there are a number of security flaws and reliability concerns regarding the OS.
    And in November, XBOX One users will have a new operating system in the system rollout. Microsoft continues to play on the nerves of the general public. Maybe if Microsoft embraced the Linux kernel as their hardware platform for device operations and interaction with system processes, we may have a viable solution. Microsoft can then license their interface to the Linux community, users get the stability of Linux, ease of use of MS interface (if that would only stop being a moving target) and further license addons to the OS as they're doing right now.
    Goodbye crash and burn, hello productivity.

  23. Robert G.

    August 17, 2015 at 8:02 pm #

    I'm surprised no one has brought this up: One of the richest companies in the world (Microsoft) is enabling file sharing to save a few bucks on bandwidth? They can certainly afford to scale up their servers to directly provide all the updates anybody could ever want.

    I also agree that it's only a matter of time before somebody hacks the Microsoft BitTorrent server.

  24. matt

    August 21, 2015 at 8:44 am #

    Gotta say thanks for this forum. Made mistake of allowing Windows 10 into my life. Computer and internet bogged down so quick a rabbit would lose the race to a snail. I reset the safety features as described and the computer went to working normally immediately. It's a cool way to share information in idea only, very frustrating in reality to troubleshoot existing problems while downloading new software. Boo to Windows developers. I lost 2 days of sleep trying to figure this out and Microsoft is not being forthcoming with the possible issues.

  25. Anonymous

    August 25, 2015 at 1:53 pm #

    Windows 10 has turned into a huge disappointment. I think I'll be sailing away from the SS Microsoft going forward, guess it's Linux from here on out.

  26. azhar ali buttar

    August 25, 2015 at 2:00 pm #

    First two hours after upgrading from Windows 8 to Windows 10 took almost 100% of my uploading bandwidth and I was not able to browse anything even. I thought there was some problem with my internet connection or some settings with the configuration of Windows, but it was just uploading of the Windows updates to other computers. It's a new feature but it must be shared with everyone.
    http://www.windowstechupdates.com/how-to-stop-windows-10-from-uploading-updates-to-other-computers-over-the-internet/

  27. Steve Garth

    October 11, 2015 at 12:02 pm #

    Microsoft are totally out of order here. Yes, they can alter the Windows software on your machine because they own it and you are only licenced to run it, but a class action against them should clearly show that when agreeing to their EULA, 100% of users, in that moment, clearly "accept" the "contract" with them, ONLY as it is pertaining to the OS in question at the time! Not to the downloading of some future OS, which is demonstrably NOT just an "Upgrade to the good old existing", but in actual fact, a MAJOR change to the original "contract" you had with them. In this case, the original contract is self evidently, in the "spirit of the law", no longer valid. From this point onwards, anything MS now does on your "PERSONAL" computer is out of agreement, and therefore actually illegal! Likewise to their unauthorised WUDO bandwidth use, which you are paying for! The whole point here is that MS has not asked first! They have acted first, assuming it will be "all right".
    Well I'll be buggered if it is all right with me! It is very very wrong and they will be hearing from my lawyers via a class action. Anyone interested?

  28. Kimberly Raboin

    June 14, 2016 at 7:27 pm #

    I did what they said and changed my settings and they are still gobbling up my bandwidth! I live in the middle of nowhere and work from home on my computer doing medical transcription and I cannot afford to have this happen, it is costing me a fortune! Is there anything else I can do? I cannot work just to pay my hotspot bill. I was one of the ones who they very nicely just shut my computer down and loaded 10 for me without my permission. Thanks Microsoft. Crooks!

  29. Sooran

    February 6, 2017 at 4:38 pm #

    Hi Graham. I actually had changed/disabled the settings you mentioned on the advanced update setting, but still see this "From Microsoft download/upload host" running and using 90% of my internet bandwidth. Or have I misunderstood the subject?
