Microsoft officially launched its new Windows 10 operating system last night, offering free upgrades to current Windows 7 and 8 users who make the switch within the next year.
Before the rollout, Microsoft trumpeted the various new security features that Windows 10 would offer, so it's arguably ironic that the operating system comes pre-installed with a security flaw touted as a connectivity advantage: a feature called Wi-Fi Sense which, unless you deliberately opt out of the default setting, automatically shares your Wi-Fi network password with all of your contacts in Outlook, Hotmail, and Skype. (You can also share your network password with Facebook “friends,” but that's not automatic; it requires you to opt in.)
More specifically, it doesn't actually hand out your password to your contacts; it “merely” shares an encrypted version of your password and stores it on Microsoft's servers, thus allowing anyone in your contact list to use your Wi-Fi network when they visit you at home, or merely happen to be in range of it. Or maybe when they're breaking into your house.
Wi-Fi Sense's FAQ page claims to offer “answers to some questions you might have about Wi-Fi Sense.” Unfortunately, it does not answer the question “Where the hell did Microsoft get the idea that if I exchange an email with someone, this means I want that someone to have access to my home Wi-Fi network?”
According to Microsoft, the only way to opt out of Wi-Fi Sense is by changing the name of the network to include the phrase _optout (note the underscore symbol before the word). Microsoft offered as an example the name mynetwork_optout. However, Microsoft also says that “It can take several days for your network to be added to the opted-out list for Wi-Fi Sense. If you want to stop your network from being shared sooner than that, you can change your Wi-Fi network password. For more information about how to do that, check the documentation for your router or access point.”
Don't forget that if you change your Wi-Fi network name, you and everyone in your household will then have to re-connect your devices to the newly named network.
"Disaster waiting to happen"
Security expert Brian Krebs, who called the automatic password-sharing “a disaster waiting to happen,” noted that, although Wi-Fi Sense has been a feature on Windows Phone for quite a while, that was “less of a concern” because Windows Phone has only a tiny share of the mobile device market, which is largely dominated by Android and Apple iOS. However, “embedding this feature in an upgrade version of Windows makes it a serious concern for much of the planet.”
If you intend to upgrade to Windows 10 but have not yet done so, make sure you change the name of your Wi-Fi network to include _optout before you make the upgrade. Krebs also recommends that “While you’re at it, consider keeping Google off your Wi-Fi network as well. It’s unclear whether the Wi-Fi Sense opt-out kludge will also let users opt-out of having their wireless network name indexed by Google, which requires the inclusion of the phrase “_nomap” in the Wi-Fi network name.”
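The renaming step described above can be checked before touching the router. The following Python sketch is an added example, not code from Microsoft, Google or Krebs: it audits a network name for both markers and builds a replacement that carries them. It assumes the 32-octet SSID limit of IEEE 802.11 and that `_nomap` must be the last thing in the name; the function names are hypothetical.

```python
SSID_MAX_OCTETS = 32   # IEEE 802.11 caps an SSID at 32 bytes (assumption stated above)
OPTOUT = "_optout"     # Wi-Fi Sense opt-out marker, as given in the article
NOMAP = "_nomap"       # Google opt-out marker, as given in the article


def audit_ssid(ssid: str) -> dict:
    """Report which opt-out markers a network name already carries."""
    octets = len(ssid.encode("utf-8"))
    return {
        "wifi_sense_optout": OPTOUT in ssid,
        # Assumption: _nomap only counts when it ends the name.
        "google_nomap": ssid.endswith(NOMAP),
        "octets": octets,
        "valid_length": 0 < octets <= SSID_MAX_OCTETS,
    }


def _truncate_utf8(text: str, max_octets: int) -> str:
    """Cut text to at most max_octets bytes without splitting a character."""
    raw = text.encode("utf-8")[:max_octets]
    # A multi-byte character cut in half is dropped rather than corrupted.
    return raw.decode("utf-8", errors="ignore")


def opted_out_ssid(ssid: str) -> str:
    """Return a name that contains _optout, ends in _nomap and fits 32 octets."""
    # Remove markers already present so they are not duplicated or misordered.
    base = ssid.replace(OPTOUT, "").replace(NOMAP, "")
    suffix = OPTOUT + NOMAP
    base = _truncate_utf8(base, SSID_MAX_OCTETS - len(suffix))
    if not base:
        raise ValueError("nothing left of the SSID once the markers are removed")
    return base + suffix


if __name__ == "__main__":
    # Constructed sample names, not taken from any real network.
    for name in ["mynetwork", "mynetwork_optout", "TheSmithFamilyHomeNetwork5GHz"]:
        print(name, audit_ssid(name), "->", opted_out_ssid(name))
```

Names longer than 19 bytes are shortened to make room for the 13-byte suffix, so every device on the network has to be rejoined to the new name either way.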