Wi-Fi Sharing in Windows 10–Facts or Hysteria?

With the release of Windows 10, one of the subjects of concern is the new Wi-Fi Sharing process. It looks like there has been a bit of hysteria and/or exaggeration about this issue.

The Chaos Manor Advisors discussed this a few weeks ago, when the first article about this appeared in The Register. The general consensus is that on first look, this may be a ‘bad thing’. But a lot of the hype about this seems to be just that, hype. And some misunderstanding of the whole process. It appears that one might want to ‘read past the headlines’ on this issue.

Chaos Manor Advisor Peter Glaskowsky reports on his testing of Microsoft’s Wi-Fi Sharing process in a late beta release of Windows 10.

I’ve been talking about Wi-Fi sense without the benefit of having used it, since I have only one Windows 10 machine and that one is a 2U server with no wireless in it.

But yesterday I realized that I could attach one of my USB Wi-Fi dongles. (A blinding flash of the obvious.)

This is as pure a test as I can imagine of the default Wi-Fi Sense settings, since this machine has literally never had a wireless capability before now, and Windows 10 was the first version of Windows ever installed on it.

So, the results:

When I installed the Wi-Fi adapter (a TP-Link TL-WN722N, one of the nicer ones of this type since it has a proper RP-SMA antenna connector), it became available essentially instantly. Windows 10 said nothing about installing a driver.

I went into the new-style Settings (not the old Control panel), then Network & Internet, then Wi-Fi on the left sidebar (which had not been there before), then Manage Wi-Fi settings in the main window. This sequence brings up the main Wi-Fi Sense settings dialog.

The “Connect to suggested open hotspots” option was on, allowing the machine to connect to well-known public hotspot systems like Boingo. I think this is generally fine, but I don’t know whether there is robust protection against someone setting up a bogus hotspot that appears to be part of the Boingo network. Since I don’t need it, at the conclusion of this testing, I turned it off. In the meantime, I left it alone.

The setting of primary concern to everyone is “Connect to networks shared by my contacts”, and that one was OFF by default.

Turning it ON experimentally brought up the three sharing options: Outlook contacts, Skype contacts, and Facebook friends. All three of these were OFF.

I turned on the Skype contacts option.

I then started the process to connect to my home Wi-Fi network by pulling open the network submenu in the task bar and clicking on my SSID.

This brought up the usual “Enter the network security key” field and a new one: “Share networking with my contacts.” That option was OFF even though I had turned on the share-with-contacts and Skype sharing options.

In other words, the defaults for the sharing method of primary concern in these web articles are ALL OFF. As off as off can be.

I abandoned the connection process without entering the security key, then turned off the share-with-contacts option in the Wi-Fi Sense settings and started the connection process again.
This time the connection box didn’t even have the “Share networking with my contacts” option.
I re-enabled the share-with-contacts and Skype options, and actually did go through with the connection process, including checking the sharing option.

Interestingly, the system did not give me any choice about which contacts to share it with. I went back into the Wi-Fi Sense settings… and the Manage known networks section said that my network was “Not shared.” How curious, but it saved me a few steps in the procedure I was going through, since my next thing was to share a network that had previously been connected but not shared to see what happens.

I clicked the Share button.

Even though I had already entered the network security key, it asked for the key again. This is exactly the right thing to do. This is how Windows 10 prevents a friend from sharing your security key if you personally type the security key into their device rather than, for example, reading it to them to enter manually.

I completed the sharing process and verified that it “stuck” this time.

Then I disabled the share-with-contacts option in Wi-Fi Sense, and then re-enabled it.
When I went back into “Manage known networks,” my network showed as “Not shared.”

So that’s the whole deal, I think. By default, Wi-Fi Sense operates, at least on my machine, as of today, on Build 10162, exactly as Microsoft says it does. Sharing only happens when you click a bunch of extra buttons to enable it, and stops when you deselect any of those options.
Every share-with-contacts option defaults to OFF, and it DOES protect against a Wi-Fi security key being shared by someone who doesn’t actually know it.

I hope that is the end of this matter for now, at least until we find someone reliable (that is, not a writer for The Register) who has a machine that works differently.

Or until Microsoft provides additional information on the various security aspects (how is the security key protected, how is local network access prevented, does Microsoft have a way to learn your password, does Microsoft have a way to review your Facebook contacts list, etc.).

Or until Microsoft adds what I think is the essential feature for sharing a Wi-Fi security key securely: sharing it with only one individually specified person at a time, without giving Microsoft a way to see the key.

Comments and questions welcome, of course.

The Chaos Manor Advisors discussed this issue a bit today (29 July 2015), especially after Brian Krebs wrote about this (see here). We shared that link to the article with the Advisors.

Eric said:

    So Krebs went ahead and wrote this without doing even the same brief testing Peter did weeks ago. This is how hysterias grow.

Peter added

In spite of the hysteria, I believe it is already fully opt-in.

The only, only, only thing that defaults to “on” is that the service is enabled. Every time a user adds a new Wi-Fi network, the dialog box specifically asks whether to share it with contacts or not, and which contacts to share it with from the three available options (Outlook/Facebook/Skype). All four of those questions, at least on my machine with a clean install, defaulted to OFF.

If the service itself is turned off, none of those sharing questions will be asked.

Now, if someone has turned on the service and shared a network, maybe it defaults to enable sharing the next time; I didn’t test that.

I think this business Krebs raises (and the Register raised) about how a friend could share your Wi-Fi credentials without your permission is just nonsense. That still takes a deliberate effort. If you have a friend who would do that, you need new friends.

This may be a bit of hysteria, as Peter stated. Although sharing your Wi-Fi password is generally not a good thing (especially for the paranoid?), it would appear to us that the actual risk is quite low, based on some limited testing by the Advisors.

We’d be interested in your opinion on this. You can share in the comments below. If you are inclined, you can send us more detailed information that we might use in a future post here at Chaos Manor Reviews. See this page on the submission guidelines for Chaos Manor Reviews.