Windows 10 Will Share Your Wifi With Your Contacts

The Register points out that by default Windows 10 will upload an encrypted version of your wifi password to Microsoft and anyone in your contacts will be able to use your wifi. Now, that’s a nice feature and lots of people might find it useful — but it should really be opt-in rather than opt-out, even though that would drastically reduce the take-up. Windows Phone has apparently been doing this for some time, but no one has noticed, because no one actually uses Windows Phone.

By default, your Outlook.com and Skype contacts will be able to use your wifi, assuming they’re also using Windows 10. If you opt in, then so will your Facebook friends.

The feature is called Wi-Fi Sense, and it’s relatively hard to opt out — you have to change the name of your wifi network to have “_optout” on the end. I think I’d rather opt out by not installing Windows 10, and not giving my wifi password to anyone who is running Windows 10.

Even worse, it’s not just your network that’s shared (Windows doesn’t know which network is yours, after all); it’s any password-protected wifi network you connect to. So you’re potentially sharing the passwords of your employer, friends and family, not just your own password.

Edited: It appears that The Register is being needlessly alarmist. It’s hardly the first time, and I should have checked more thoroughly.

Ars Technica has a more sensible version of the story. Wi-Fi Sense is opt-in in Windows 10, and you have to opt in for each network. However, you should still be careful — for example, Gmail adds everyone you email to your address book, so if you sync your Gmail address book with your Outlook.com contacts, then everyone you’ve ever emailed will be able to use any wifi network that you’ve chosen to share. And certainly don’t share your employer’s wifi network.

Welcome

Information security is one of the biggest issues of our time, affecting both individuals and society as a whole. It seems like every day there’s another news story about websites being hacked or critical software vulnerabilities. As more of our lives and our infrastructure go online, things will only get worse.

And yet most of us are being asked to make decisions, both individually about our own security and collectively about society as a whole, that we’re not equipped to make. Security is about trade-offs, and you can’t choose the balance between usability and security, or between cost and security, unless you understand the implications of your choices. On this blog, I hope to provide enough information that my readers can make better-informed decisions.

And it’s called Opinionated Information Security for a reason. I don’t take a neutral point-of-view, as supposedly found in Wikipedia articles. I have opinions, and I plan to share them. I hope that I will give you enough information that you can have opinions of your own, whether or not they’re the same as mine.

I’m a Mac OS X and iOS user myself, and will inevitably be better-informed on those operating systems than on Windows or Android. But I’ll try to include the basics for all consumer operating systems. If you’re using Linux, or any other Unix variant (except OS X, iOS and Android) then I’ll assume you have a higher degree of technical knowledge.

Stagefright Android Vulnerability

This looks like a bad one. An attacker can execute their own code on many Android phones simply by sending an MMS message, and in some cases you don’t even have to view the message to be infected. And the whole Android software update ecosystem is a complete mess, so very many phones will never get patched for it. At the time of writing it seems like there are almost no fixes available from handset suppliers, although the vulnerability was discovered and reported (by Joshua Drake at Zimperium zLabs) in April.

There’s not much you can do about it other than waiting for your supplier to release a fix. It’s worth changing the settings in apps that can receive MMS messages, like Messenger and Hangouts, so that they do not “automatically receive MMS messages”. If your Android version uses Messenger for SMS messages, you can block messages from people you don’t know, but of course that could block messages that you want to receive.

If you’re on an old handset — and that may mean only a few months old — you may never get a fix. I would certainly avoid opening messages that you’re not expecting from anyone you don’t know, but it seems that may not be enough on at least some phones — the bug is much harder to exploit on iOS versions 4.1 and later, so they’re potentially less affected. If your Android version is so old that it’s 2.1 or earlier, then you’re not affected at all.

It’s this kind of thing that frankly makes me question whether anyone should be buying an Android phone, except for a Nexus or another phone made by Google themselves. The manufacturers don’t regard themselves as software companies, and so don’t pay enough attention to software issues and getting updates out to users, especially users on handsets that aren’t being manufactured any more.

More later, when we have clearer details of exactly who is affected and how bad it is.

Edited to add: Here is the original blog post announcing the vulnerability.