Surprise! Windows 10 loves to spread your WiFi password

Windows 10's Wi-FiSense feature has a security risk, which will actively share WiFi passwords with users' contacts, posing a threat to network security. These contacts include users' Outlook.com contacts, Skype contacts, and Facebook friends (users need to actively enable it).

Microsoft launched the Wi-FiSense feature to make it easier for users to use wireless networks: if you walk into a WiFi network and your friend knows the password of the network, if you both use Wi-FiSense, you can also log in to the network directly. But convenience may also bring security risks. Although Wi-Fi Sense will not show the plain text password to your family, friends or acquaintances, if the other party also runs Wi-FiSense, they can access your WiFi network.

These passwords are stored on Microsoft's servers and will be copied to the corresponding devices when the conditions are met, but Microsoft doesn't let you see them. How successful the Wi-FiSense feature will be is still unknown.

Microsoft wrote in the FAQ section of Wi-FiSense: "For the network you want to share, its login password will be sent to Microsoft over an encrypted connection and stored as an encrypted file on Microsoft servers. In the future, when your friends use Wi-FiSense and are in the coverage area of ​​the WiFi network, the system will send a secure connection to your contact's phone."

Microsoft also added that Wi-FiSense only provides Internet access and prohibits others from connecting to other content on the wireless LAN. This sounds smart, but it may be difficult to implement. If a computer is connected to a protected WiFi network, then its key must be known. If the computer knows the key, then the user or hacker can find the key in the computer, log in to the network, and gain full access.

In theory, if an outsider wants to use your company's WiFi network, they only need to become friends with one or two employees of your company, and then enter the network coverage area, and they can use it at will.

In fact, Windows Phone based on Windows 8.1 already supports this feature. If you enter the password on your Lumia phone, it means you don't have to enter it on your laptop again, because you are your friend. Given the limited market share of Windows Phone, its threat is not very big at present.

However, if all laptops within the corporate WiFi network coverage are installed with Windows 10, the security risk is huge. In addition, if you allow WiFiSense to obtain your Facebook contacts, Microsoft will also obtain your Facebook friends list and provide them with the WiFi password.

To address the security vulnerability, Microsoft recommends that users add their WiFi network names (SSIDs) to a block list to prevent Wi-Fi Sense from obtaining relevant information.

In Windows 10, Microsoft turns on Wi-Fi Sense by default and shares the WiFi password with contacts, unless the user actively sets it up when connecting for the first time. Although turning off Wi-Fi Sense will cause some trouble to users, it can improve network security.

As a winner of Toutiao's Qingyun Plan and Baijiahao's Bai+ Plan, the 2019 Baidu Digital Author of the Year, the Baijiahao's Most Popular Author in the Technology Field, the 2019 Sogou Technology and Culture Author, and the 2021 Baijiahao Quarterly Influential Creator, he has won many awards, including the 2013 Sohu Best Industry Media Person, the 2015 China New Media Entrepreneurship Competition Beijing Third Place, the 2015 Guangmang Experience Award, the 2015 China New Media Entrepreneurship Competition Finals Third Place, and the 2018 Baidu Dynamic Annual Powerful Celebrity.