Windows 10: Microsoft assumes your consent in sharing your Wi-Fi, even if you don't use Windows 10

Why not opt in?

Imagine this scenario.

A friend visits your house, and wishes to use your Wi-Fi.

You tell your friend your Wi-Fi password in confidence. They type it into their laptop, which has recently been upgraded to Windows 10.

Your friend's laptop can now use your Wi-Fi connection, and you're fine with that. After all, they're your friend. You don't believe they are going to abuse the privilege.

If you've chosen a complex, lengthy password like 7sAp{oMEmGD#YT)MzGdTLQM9C then chances are that your friend is not going to be able to remember your Wi-Fi password, even if they wanted to break your confidence.

So far, so good.

But there's some bad news.

And that bad news is that your friend has Windows 10 installed on their laptop. And Windows 10 has a password-sharing feature called Wi-Fi Sense enabled by default.

Requiring just a click and the password being re-entered by your friend, Wi-Fi Sense allows your friend's Skype and Outlook/Hotmail contacts (if they use Windows 10 or Windows 10 Mobile) to also log onto your Wi-Fi network, without you having to share your password with them. Access can also be shared with your friend's Facebook friends if they choose to allow that.

In other words, complete strangers could now use your Wi-Fi without your permission.

Thanks for nothing Microsoft.

Oh, and your Wi-Fi password? That has been uploaded to a Microsoft server.

Extract from Microsoft's Windows 10 FAQ on Wi-Fi Sense

So, your friend's friends and contacts can access your Wi-Fi, and the password is now stored on Microsoft's server.

You never gave permission for the password to be shared with your friend's contacts, or to be uploaded to Microsoft's servers.

Inevitably, some people (me amongst them) aren't happy about this.

Microsoft's answer? If you don't want Wi-Fi Sense to scoop up your password when you share it with a friend, and then share it with that friend's friends and contacts, you have to rename your Wi-Fi network.

Yes, that's right. Even though you may not use Windows 10, and may not have ever spent a single buck on a Microsoft product, the onus is on you to change the SSID of your Wi-Fi network, by including _optout somewhere in the wireless network's name.

So, if you don't want the scenario I describe above to happen to you, you need to change the name of your Wi-Fi network and (of course) change the settings of any devices that you currently allow to legitimately connect to that wireless network, such as your Wi-Fi-enabled TV.

Never mind that many people won't have the first clue about how to change the SSID settings of their Wi-Fi router.

It seems to me that those owning Wi-Fi hotspots should have been required to "opt-in", *not* opt-out, of having Microsoft mess around with who could access their wireless network.

You'd expect this kind of bad behaviour from Facebook or Google (in fact, Google already did it with its controversial StreetView Wi-Fi mapping a few years ago), but it's disappointing to see Microsoft up to the same shoddy tricks.

In a nutshell, the onus should not be on Wi-Fi owners to change the names of their networks if they don't want to be part of Microsoft's Wi-Fi Sense shenanigans. Instead, the onus should be on Microsoft to convince us that there are good reasons why we might want to join in.

The reason why they've done it the way they have is because Microsoft knows that many people wouldn't be keen on the idea.
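As an added illustration (not part of the original article, and not Microsoft or Google tooling): a small Python helper that audits a network name against the `_optout` rule described above and the `_nomap` suffix rule a reader mentions in the comments, then derives a compliant name within the 32-byte SSID limit of 802.11. The function names are hypothetical, and exact lowercase matching of the markers is an assumption.

```python
# Added example, not from the original article. Marker rules are as stated on
# this page; exact lowercase matching is an assumption.
MAX_SSID_BYTES = 32   # IEEE 802.11 maximum SSID length, in bytes
OPTOUT = "_optout"    # Wi-Fi Sense: may appear anywhere in the name
NOMAP = "_nomap"      # Google location services: must be the suffix


def audit_ssid(ssid: str) -> dict:
    """Report which opt-out conventions an SSID currently satisfies."""
    return {
        "wifi_sense_optout": OPTOUT in ssid,
        "google_nomap": ssid.endswith(NOMAP),
        "fits_ssid_limit": len(ssid.encode("utf-8")) <= MAX_SSID_BYTES,
    }


def opted_out_name(ssid: str, nomap: bool = True) -> str:
    """Return a name carrying the markers, trimming the base to fit 32 bytes."""
    # Strip markers already present so they are not duplicated or misplaced.
    base = ssid.replace(OPTOUT, "")
    if base.endswith(NOMAP):
        base = base[: -len(NOMAP)]
    suffix = OPTOUT + (NOMAP if nomap else "")
    budget = MAX_SSID_BYTES - len(suffix.encode("utf-8"))
    # The limit is in bytes, not characters: cut on bytes, then drop any
    # multi-byte character that the cut split in half.
    trimmed = base.encode("utf-8")[:budget].decode("utf-8", errors="ignore")
    return trimmed + suffix


if __name__ == "__main__":
    # Constructed sample names, not taken from the article.
    for name in ["HomeNet", "guest_nomap", "A-very-long-family-network-name"]:
        print(f"{name!r}: {audit_ssid(name)} -> {opted_out_name(name)!r}")
```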


22 Comments on "Windows 10: Microsoft assumes your consent in sharing your Wi-Fi, even if you don't use Windows 10"

Methods

A bit of FUD Mr. Cluley, I would recommend using something, actually putting eyes on it before writing. Usually helps to understand. First of all, the OPTION TO SHARE is enabled by default, it doesn't auto share networks and only to Outlook.com and Skype contacts. If you want the option to share with Facebook, you have to deep dive into the settings and enable it. Then, in this scenario, your friend who has enabled sharing to Facebook gets a password from you and has to choose to share that network with their friends after they enter the credentials, that DOES NOT happen by default.

If they did do all of that, assumingly by mistake (which is crazy), then one of their friends has to grab one of their Windows 10 devices and come to your house (assuming they know where you live) and yes then gain limited access to your network with no access to the devices on the network. And the password is not what's being handed out, this is an encrypted paisley. Point is, none of that happens by default. Your friend has to choose to share your network.

Mike E Delta

I also have to re-iterate, there is an article by Ed Bott that clears up a lot of the misconception with this feature…yes the "Connect to networks shared by my contacts" options may be enabled by default but the actual networks themselves are 100% NOT shared until you specifically select and enable the sharing. So this is by no means whatsoever happening until you the user say so, even after that it really is very easy to disable and even make the network forgotten by each machine. The necessity to be actively on top of your security is still very real and everyone should always be looking out but this was never a case of invasion by Microsoft, as if this were the early 2000's and they were lackadaisical about security. Also, despite whatever allegations anyone has made because of the Snowden thing a couple of years ago, Microsoft is seriously not so foolish as to be on the wrong side of the privacy argument. For whatever anyone says, they actually are more on our side and don't need our stuff as much as Google does, but even Google isn't that dumb. They will go toe-to-toe w/ the Fed because when it comes to business, they need their customers MORE than they need Johnny Law.

Coyote

"For whatever anyone says, they actually are more on our side and don't need our stuff as much as Google does, but even Google isn't that dumb."

Yes they are. This has been shown time and again. The problem is they want it their way as much as possible and as often as possible. They prioritise themselves above others (on things besides profit/success of the company) so maybe they aren't stupid so much as arrogant. But that isn't all that appealing either.

pissoff

Well, here is a brilliant idea from an average joe: go to your router and block all MAC addresses except your family computer; if your friend wants to use the wifi then add their MAC address to the router, tada, job done :D

Jon Fukumoto

Doing MAC filtering IS NOT meant to secure a wireless router because MAC addresses can be spoofed by using readily available software on the Internet which can temporarily change the MAC address on any network device. If you really want to keep people out, use WPA2 with a strong password and turn off WPS if your home router has it.

Adam

Just disable SSID broadcast, and vehemently deny you even have WiFi when your friends ask. Then look them dead in the face as you fire up Kodi and ask what they want to watch.

i0n3l

Arf….

If you leave the auth to WPA PSK and do a MAC check for only trusted computers, yes, BUT if you disable WPA and just check MAC addresses, you are pwned, because I monitor your AP to see which MACs are trusted and associated with your access point, I change my MAC to one of your AP's trusted ones and just have to click connect on your SSID; your AP thinks my computer is yours and I'm in.

Don't rely on MAC addresses only.

John Law

I have got Win10 installed – to see what privacy mess is being brought upon us. And quite frankly – it seems rather intrusive indeed. Been putting settings "off" for a full night, delving into the culprits of Win10.

That is not to say – ALL is wrong here. BUT beware: this Win10 upgrade seems much more to be about mass-data-acquiring-on-users , comparable and perhaps even beyond Google. IT IS ALL ABOUT THE MONEY, GUYS ! Just take a look at the feel-good-advertising-opt-in-video put up by MS and it makes you puke (if not just for the music in the background :o)

@Mike E Delta:
"Also, despite whatever allegations anyone has made because of the Snowden thing a couple of years ago, Microsoft is seriously not so foolish as to be on the wrong side of the privacy argument. For whatever anyone says, they actually are more on our side and don't need our stuff as much as Google does, but even Google isn't that dumb. They will go toe-to-toe w/ the Fed because when it comes to business, they need their customers MORE than they need Johnny Law."

NO WAY – this is simply about big bucks – meanwhile leaving Win users with a devastation on privacy.

In all: the Wifi-Sense stuff is INTRUSIVE indeed to anyone. I don't freakin' care whether I'd be a Win10 , Win 8 or Linux Ubuntu user. I just do not want my systems to be intruded without my consent. PERIOD! .

I am no conspiracy kind of person – but ehmmm… the net is slowly but consistently closing on all of us, people… Now guess who has access (OH YEAH – DON'T BE FOOLED!!!) to these oh-so-securely-encrypted Wifi-Sense passwords? Yes, that is a nice quiz…

Let me tell you: there are three letters to it – and I'll give you two of those:
N…
S….
??? …..

The net is closing.
We're on the brink of all becoming lemmings.

Sorry to see.

gadget37

What no-one seems to have mentioned is that most home wifi networks are open, this means not only do friends-of-friends-of-friends on Skype now have access to your bandwidth, they also have access to all your computers, servers, routers etc. on your internal network. Really insecure! You are right that Microsoft should disable this. If you give out your router password, the circle knowing that should be restricted to those you know personally. I guess we are now going to have to change WiFi passwords on a monthly basis as well… sigh…

Alfons

Knowing that all wifi passwords will be stored on a Microsoft server, then it is another risk factor. Perhaps somebody can make use of a Wifi passwords profile out of it :).

David

So why do *I* need to change my SSID to _optout? Why can't I make it _optin if I want to participate?

Am I going to have to change my email address to bill_gates_optout@microsoft.com?

What else am I going to have to add _optout to?

Me

Or just don't let friends attach to your network if they have a Windows machine. Tell them to pair with their cellphone if they need to access email.

This might sound rude, but rude seems to be necessary to preserve privacy these days. I blocked incoming Gmail a few years back when I learned that Google captures contacts and text from people who respond to emails sent by people with Gmail accounts. In other words, Google uses your emails to Gmail users to build a profile on you regardless of whether you use their products or not (I don't … DuckDuckGo & my own domain & Vimeo instead of Youtube & definitely no G+).

I told all my friends that if they wanted to email with me, they had to do it with non-Gmail accounts. Period. No exceptions. (actually, non-Yahoo email accounts too – same reason)

There are a few people I no longer trade emails with. Trust me, it's no big loss. If they want to go have a beer with me, they pick up the phone. It has had zero impact on my professional and social life. That's what I think most people miss… this constant-connection BS is just that. BS. You don't need Google or Yahoo or Microsoft or Apple or any other tech company. They are all 100% and very easily expendable. If they misbehave, you can slice them off and throw them away more easily than you would think. Try it some time. You might be surprised.

Brian Milnes

Hi Graham,
Can you check out this statement, made elsewhere?
(after striking out "shared by default") "My bad – Win10 shares your saved Wi-Fi passwords with other devices signed into your Microsoft account by default, but not through Wi-Fi Sense"
Clarification would be good…
Thanks
Brian

Robert Kok

Brilliant. Google already requires _nomap at the end of a SSID to opt out from their location services and now Microsoft requires _optout. So my SSID will look like _optout_nomap and guest_optout_nomap for my guest network.
