Windows' WiFi Sense is a useful feature misunderstood by the media
Earlier this week The Register published a story about WiFi Sense, saying the feature "smells like a security risk". The publication is making a huge deal out of it, even though the way it works has been known ever since Microsoft introduced it in the Windows Phone 8.1 preview builds more than a year ago. So it is not news today, and acting like there is something noteworthy to say about it at this point seems disingenuous to me and, quite frankly, clickbait.
For those who are not familiar with it, WiFi Sense is a feature that allows Windows Phone 8.1 -- and Windows 10 -- users to easily share access to Wi-Fi passwords with their contacts and friends. In this day and age, if Apple or Google introduced such a feature the media would go crazy. But, no. Microsoft is criticized for trying to make things easy for its users. How silly is that? Some of the things The Register says about Wi-Fi Sense reveal no proper knowledge of the feature.
Wi-Fi Sense is enabled out-of-the-box on both Windows Phone 8.1 and Windows 10. I know this because I have used both operating systems -- the former more so than the latter -- and have gone through their setup process more than once. But here is the trick -- this feature can be disabled at the setup stage, if users want to do so.
Even if users chose to leave it on, they can always disable it under the Wi-Fi settings menu, simply by unticking the "Share WiFi networks I Select" option. As you may realize, you can also keep that feature enabled and manually disable it for individual Wi-Fi networks. This is really, really "dangerous" stuff here, people.
The Register's security concerns hinge on hackers being able to see the password and tricking business users/employees into befriending them so they can get access to corporate Wi-Fi networks. While the former is a possibility, indeed, is it also likely to happen? Well, so far, and this feature has been officially available for a year now, there have been no reports of successful -- or unsuccessful -- attempts to hack it. It is fair to say that it is very secure.
What about business environments? Well, things are less complicated, in fact. A Microsoft field engineer has told me that the feature can be disabled by IT administrators at the enrollment phase. So, if a company's IT department knows a thing or two about Windows Phone 8.1 (and Windows 10), it will be able to make an informed decision over whether to keep WiFi Sense enabled or not for employees. But even if it remains enabled...
As Microsoft clearly says on the WiFi Sense FAQ page, "Enterprise networks that use 802.1X can't be shared. If you connect to one of these enterprise networks at work or somewhere else, those network credentials won't be shared with any of your contacts". The Register must have missed this one somehow.
The Register does say that Wi-Fi networks with "_optout" at the end of their SSID will not register under WiFi Sense, so there is one more option to isolate a network from the feature.
But what about the average home user? Well, according to Microsoft, "When you share network access, your contacts get Internet access only. For example, if you share your home Wi-Fi network, your contacts won't have access to other computers, devices, or files stored on your home network". And they will also stop nagging you about your Wi-Fi password. Is that not a bonus?
And what about that Wi-Fi password? Will they be able to see what it is? The answer is "No". "Your contacts don't see your Wi-Fi network password. For networks you choose to share access to, the password is sent over an encrypted connection and stored in an encrypted file on a Microsoft server, and then sent over a secure connection to your contacts' phone if they use Wi-Fi Sense and they're in range of the Wi-Fi network you shared. Your contacts don't get to see your password, and you don't get to see theirs".
Practically speaking, someone who is in your circle of WiFi Sense contacts and friends would have to be physically close to your Wi-Fi network to go online using the shared credentials. That is possible, indeed, but, if they cannot do anything else, what's the real damage here?
As Windows 10 gains more users, this feature will certainly get more attention from both sides of the table. Users and IT administrators will want to protect themselves, while hackers will want to gain access to restricted data. But, while the risk will always be there, as is always the case with daring tech products, as the above show there is no need to fear monger Windows users. But what else can one do on a summer day when pageviews are down?