Windows 10 may share your Wi-Fi password with Facebook

31 Jul 2015 | Author: | No comments yet »

Here’s How Windows 10 Could Kill Passwords Forever.

Windows 10—bear with me—has shipped, but this column isn’t about the new operating system, which has received generally positive reviews from our friends at PCWorld and elsewhere. Starting this week, Microsoft is offering most Windows 7 and Windows 8 users a free upgrade to the software giant’s latest operating system — Windows 10.

Microsoft’s Windows 10 software has only been available in its final form for a few hours – but experts have already warned of a major security risk in the software.When Microsoft’s Windows 10 launches Wednesday, a lucky few users will be greeted at the login screen by a cartoon eyeball that appears to want to lock eyes with its owner. When Wi-Fi Sense is enabled, anyone you have in your Skype, Outlook or Hotmail contacts lists — and any of your Facebook friends — can be granted access to your Wi-Fi network as long as they’re within range.

However, experts say the feature actually automatically shares your wifi passwords with all Outlook, Skype and Facebook contacts who also use Windows 10. ‘Wi-Fi Sense automatically connects you to Wi-Fi around you to help you save your cellular data and give you more Internet connectivity options,’ Microsoft says. ‘It can do a lot things for you to get you connected to the Internet using Wi-Fi, so you don’t have to. Wi-Fi Sense allows Windows 10 users to connect automatically to open Wi-Fi networks, as well as to share access to Wi-Fi networks for which they have passwords. Microsoft added this feature to save users’ time and hassle, but as independent security blogger Brian Krebs put it, some security experts see it as “a disaster waiting to happen.” Krebs and others worry about the potential for strangers or untrustworthy friends being given access to users’ home Wi-Fi networks. The Windows team calls this snappy new login feature “Hello.” “It’s our way of saying goodbye to passwords,” says Chaitanya Sareen, Microsoft’s principal program manager on Windows. The former isn’t controversial at all: iOS allows carriers to set up automatic connections to networks they run or partner with as of several releases ago.

Microsoft has tried to reassure them by pointing out that you have to agree to enable Wi-Fi Sense every time you join a new network, that those people to whom you grant network access can’t pass along that access to yet more people, and that the feature doesn’t share an actual password, but rather an encrypted version of it. Judging by Sareen’s recent demonstration to TIME, the feature is even more seamless than the iPhone’s thumb scanner — you don’t even have to lift a finger to use it. “It’s actually using different dark and light shadows on the contours of my face,” says Sareen. “If it was pitch dark it would still sign me in.” That’s because Hello works with Intel’s Real Sense 3-D camera, which bathes the user’s face in infrared light, penetrating facial hair and dim lighting conditions.

Despite the safeguards, the issue is nonetheless dangerous for those users, and there are many of them, who agree to everything their computers ask of them. Microsoft is also introducing a new web browser – Edge – to replace Internet Explorer, while the firm’s voice assistant Cortana will also move to desktop computers for the first time. Here’s how it works: In Win 10’s (reborn, thoughtully revised) Start menu, click or tap Settings, select “Network & Internet,” select “Wi-Fi,” and scroll down and choose “Manage Wi-Fi settings.” The defaults on this screen don’t share your saved passwords with anybody.

The much-loved Start menu, which was removed in Windows 8 to much public outcry, is also making a return in the new software, as the US-firm looks to modernise and appeal to a new range of customers. They only allow your device to connect to “suggested open hotspots” or those “shared by my contacts.” “Suggested,” a Microsoft tech note explains, means no-password-required hotspots that the company has vetted with “crowdsourced information based on what your PC and other participating customers’ PCs tell us about those networks.” That note also correctly reminds readers that on an open network, it’s easy for others to eavesdrop on your traffic unless you confine your Internet use to encrypted sites and apps. The company says your contacts will only be able to share your network access, and that Wi-Fi Sense will block those users from accessing any other shared resources on your network, including computers, file shares or other devices. At no point will it ever lift off into the cloud, according to Sareen. “Even if a hacker got [the data], you could still not reverse engineer my face, my fingerprint or my iris.” Should those security claims stand the test of time, biometric logins could offer a more secure alternative to passwords, which are often still shockingly easy to crack. As I noted here last week, that also requires those sites to use modern encryption, and browsers besides Chrome don’t yet offer much warning of its absence.

But these words of assurance probably ring hollow for anyone who’s been paying attention to security trends over the past few years: given the myriad ways in which social networks and associated applications share and intertwine personal connections and contacts, it’s doubtful that most people are aware of who exactly all of their social network followers really are from one day to the next. “That sounds wise — but we’re not convinced how it will be practically enforced: if a computer is connected to a protected Wi-Fi network, it must know the key. Windows users who have registered their interest will be notified once Windows 10 becomes available to them, with the roll out beginning in the early hours of Wednesday morning, and set to be staggered over the coming days.

The most commonly used password among victims of cybertheft alternates between “password” and “123456,” according to cybersecurity firm SplashData. The system doesn’t share “enterprise” flavors (such as the dominant WPA2 Enterprise), which require individual user certificates or user-and-password logins. It has new features, a streamlined Web browser called Edge and a desktop version of Cortana, the online assistant that is Microsoft’s answer to Google Now and Apple’s Siri. Most people have many contacts or Facebook friends whom they barely know — would you really trust your Wi-Fi password with your second cousin’s boyfriend, or that guy in the neighborhood who once fixed your toilet? When you select a WiFi network to share, Microsoft’s note says, “the password is sent over an encrypted connection and is stored in an encrypted file on a Microsoft server.” It’s then synced down to your contacts’ computers over another encrypted link–meaning your pals never actually see those passwords.

Security expert Brian Krebs teed off on this, arguing that it could allow your WiFi password to go slightly viral if you tell a friend that login and they then share it. I should point out that Wi-Fi networks which use the centralised 802.1x Wi-Fi authentication — and these are generally tech-savvy large organisations — won’t have their Wi-Fi credentials shared by this new feature. Microsoft says it’s prodding hardware manufacturers to broaden the selection of devices equipped with 3D cameras, though the price of the technology may prove prohibitively expensive to budget shoppers. Microsoft’s solution for those concerned requires users to change the name (a.k.a. “SSID”) of their Wi-Fi network to include the text “_optout” somewhere in the network name (for example, “oldnetworknamehere_optout”). Wi-Fi Sense has of course been a part of the latest Windows Phone for some time, yet it’s been less of a concern previously because Windows Phone has nowhere near the market share of mobile devices powered by Google’s Android or Apple’s iOS.

Personally, we’re going to ask that people never enable Wi-Fi Share if they bring a Windows 10 laptop or tablet — or a handset running Windows Phone 8, which also has the feature — into our house. Microsoft notes, “Your contacts don’t get to see your password, and you don’t get to see theirs,” and while that’s true, the password does need to be decrypted within Windows 10. Microsoft only allows first-degree sharing—the person connecting to a network can share only with their friends, and those contacts cannot share in turn with others.

If you do use this feature, my advice would be to restrict WiFi sharing to the smallest circle possible and consider carefully which networks to share and for how long. Adding wireless logins for nearby coffee shops or restaurants can help visiting friends at no risk, while doing the same for your own home’s network might best be limited to times when you have guests over. Colleague Ed Bott put the kibosh on that.) This prevents an actual network effect, in which sharing a network would quickly cascade across six degrees (whether Kevin Bacon is involved or not), so that every Windows 10 user would have access within a few weeks to every shared network by any Windows 10 user.

Microsoft, in turn, could relieve concerns over this option by highlighting shared networks in the Wi-Fi Sense window and letting you share WiFi networks with only designated contacts. Windows 10 also puts in a kind of local firewall for users who access a network through Wi-Fi Sense, which is very similar to the Guest network feature added to Apple base stations a few years ago. Locally available resources—like computers, home-sensing devices, printers, and the like—can’t be reached because Windows doesn’t provide network routes to them. Open Settings from the Start menu, select “System” and then “Apps & features,” and you’ll see your current apps listed by their disk footprint instead of alphabetically–any space hogs will stick out. (The “Storage” heading under “System” also helps by providing the sort of comprehensive overview of space usage that formerly required adding third-party apps.) You can then switch back to an alphabetical sort or show your apps by their install date, though it would also help to see which ones were last updated or last used.

For every network you join, you’ll be asked if you want to share it with your friends/social networks.” To my way of reading that, if I’m running Windows 10 in the default configuration and a contact of mine connects to my Wi-Fi network and say yes to sharing, Windows shares access to that network: The contact gets access automatically, because I’m running Windows 10 and we’re social media contacts. There’s another way to avoid this: Buy a wireless router that allows the creation of a guest network that has Internet access, but no access to other devices on the network. Starting in iOS 7.0.3 and OS X 10.9, enabling iCloud Keychain copies Wi-Fi passwords among all devices that use the same iCloud login and likewise have the keychain feature enabled. Even though it’s synced via iCloud, Apple lacks the pieces necessary to decrypt those items. (This is distinct from photos, contacts, and the like that can also be viewed at iCloud.com, which by necessity Apple has to decrypt to show to you.) Microsoft provides a couple different opt out methods. An AirPort base station user can make this configuration change by launching AirPort Utility, selecting the base station, and clicking Edit (enter its password if prompted).

Obviously, changing a network’s password will prevent the shared version from working until the sharing user updates the connection, if they’re even given the new password.

Here you can write a commentary on the recording "Windows 10 may share your Wi-Fi password with Facebook".

* Required fields
Twitter-news
Our partners
Follow us
Contact us
Our contacts

dima911@gmail.com

ICQ: 423360519

About this site