The Microsoft WiFi Sense Security Hole

Written by Rajat Bhargava on August 6, 2015


Note: WiFi Sense was a new feature built into the first Windows 10 release in 2015. In the summer of 2016, however, the feature was disabled in the Windows 10 Anniversary Update.

WiFi Sense allowed you to share your WiFi connection passwords with your friends and colleagues. The idea was that if somebody came to your home, you could just share the connection with them without having to share the password. In fact, you were able to share your WiFi connections with any of your contacts including those in Outlook, Skype, and even Facebook.

According to an article by Blair Hanley Frank, Microsoft first shipped its WiFi Sense technology in its Windows Phone operating system and then brought it to Windows 10. While Microsoft portrayed this technology as a convenience and security feature, it is easy to imagine a few scenarios in which WiFi Sense would have been dangerous.

Security Risks with Microsoft WiFi Sense


One scenario that could have been particularly dangerous is sharing your work WiFi connection. IT admins spend a great deal of time locking down all of their network connections. In fact, you might see IT admins walking around with WiFi scanners checking for rogue or unsanctioned access points.

Some organizations rotate their SSID and passphrase on a regular basis to ensure that only the people who should have access do indeed have access. Unfortunately, Microsoft’s WiFi Sense could have circumvented all of this work by handing the passphrase to everyone in a user’s contact list.

Convenience often comes at a cost. Any IT admin could tell you that the ability to easily get WiFi is a risky convenience, for organizations of any size. Whether your organization is trying to minimize the effect of WiFi Sense or you just want to secure your WiFi network, there is a simple solution to address both of these scenarios.

Fixing WiFi Security Holes


Many WiFi networks are accessible with nothing more than an SSID and a shared passphrase, especially those of small-to-medium sized organizations. In today’s era, where digital assets are king, that’s not enough security. Each person accessing the network should be uniquely authenticated, so that IT admins know exactly who is on their network and who should have access.

Accomplishing unique access doesn’t need to be overly difficult. There are two ways to ensure that every user on your network is uniquely authenticated.

Backend your WiFi Access Points through LDAP

Most business-class WiFi access points can integrate with LDAP: you point the WAP at your LDAP server, and when a user joins the WiFi network they are prompted through a web page for their credentials. Once those credentials check out against the directory, the user has access to the network.

Integrate your WAP Infrastructure to your Directory Services through RADIUS

Your directory contains unique usernames and passwords. By connecting it to your WAPs through RADIUS, every person needs their own credentials to access the network. Users enter their credentials once; their device then authenticates with them automatically on each subsequent connection.

Both of these methods eliminate the need for sharing an SSID and corresponding passphrase. The user will still need to have credentials to log on.
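To make the RADIUS path concrete, here is an added example (not code from this post or from JumpCloud): a minimal RFC 2865 Access-Request / Access-Accept exchange in Python between a WAP and a RADIUS server backed by a constructed in-memory directory standing in for LDAP. It shows the two properties the argument above rests on: each user is identified and checked individually, and the WAP and server share a per-device secret rather than a passphrase handed out to every user. The usernames, passwords and shared secret are constructed, and the plain PAP User-Password attribute is used for clarity; real WPA2-Enterprise deployments carry the credentials inside EAP instead.

```python
import hashlib
import secrets
import struct

# Constructed stand-in for the LDAP/directory backend. A real directory would
# verify a hashed or bound credential, never hold plaintext like this.
DIRECTORY = {
    "alice": "correct horse battery staple",
    "bob": "hunter2-but-longer",
}

# Per-WAP secret shared only between this access point and the RADIUS server
# (constructed value). Users never see it, unlike a WPA2-PSK passphrase.
SHARED_SECRET = b"constructed-wap-radius-secret"

CODE_ACCESS_REQUEST, CODE_ACCESS_ACCEPT, CODE_ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2


def encode_attrs(attrs):
    """Type-Length-Value encoding of RADIUS attributes (RFC 2865 section 5)."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)


def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        typ, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((typ, data[i + 2:i + length]))
        i += length
    return attrs


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")  # strip the zero padding; passwords cannot contain NUL


def build_packet(code, identifier, authenticator, body):
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def parse_packet(packet):
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or length < 20:
        raise ValueError("bad packet length")
    return code, identifier, packet[4:20], decode_attrs(packet[20:])


def wap_access_request(username, password, identifier=1):
    """WAP side: fresh random Request Authenticator per request, password hidden under it."""
    authenticator = secrets.token_bytes(16)
    body = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password.encode(), SHARED_SECRET, authenticator)),
    ])
    return build_packet(CODE_ACCESS_REQUEST, identifier, authenticator, body)


def radius_server_handle(request):
    """Server side: recover the password, check the named user, sign the reply."""
    code, identifier, req_auth, attrs = parse_packet(request)
    if code != CODE_ACCESS_REQUEST:
        raise ValueError("unexpected packet code")
    fields = dict(attrs)
    username = fields.get(ATTR_USER_NAME, b"").decode(errors="replace")
    password = reveal_password(fields.get(ATTR_USER_PASSWORD, b""), SHARED_SECRET, req_auth)
    expected = DIRECTORY.get(username)
    ok = expected is not None and secrets.compare_digest(password, expected.encode())
    reply_code = CODE_ACCESS_ACCEPT if ok else CODE_ACCESS_REJECT
    body = b""  # no reply attributes in this example
    # RFC 2865 section 3: ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    header = struct.pack("!BBH", reply_code, identifier, 20 + len(body))
    resp_auth = hashlib.md5(header + req_auth + body + SHARED_SECRET).digest()
    return header + resp_auth + body


def wap_verify_response(request, response):
    """WAP side: accept the verdict only if it is bound to our request by the shared secret."""
    _, req_id, req_auth, _ = parse_packet(request)
    code, identifier, resp_auth, attrs = parse_packet(response)
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, identifier, len(response))
    expected = hashlib.md5(header + req_auth + body + SHARED_SECRET).digest()
    if identifier != req_id or not secrets.compare_digest(resp_auth, expected):
        return "invalid response"
    return "accept" if code == CODE_ACCESS_ACCEPT else "reject"


def authenticate(username, password):
    """Full round trip for one user joining the network."""
    request = wap_access_request(username, password)
    response = radius_server_handle(request)
    return wap_verify_response(request, response)
```

Because every Access-Request names a user and every decision is tied to that user's directory entry, revoking one person means disabling one account rather than rotating a passphrase for everyone; and a forged or altered reply to the WAP fails the Response Authenticator check unless the forger holds the per-WAP shared secret.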

How to Do It

You might be thinking, “Thanks for the advice. Now how do I actually implement it?”

A simple way to execute this is to leverage JumpCloud’s Directory-as-a-Service solution. JumpCloud’s DaaS provides a hosted cloud-based directory service and allows your WiFi access points to connect to the directory via LDAP or RADIUS. Further, JumpCloud can provide the RADIUS server to ensure that the only piece of hardware or software you have on-premises is your WAPs.

Rest Easy with WiFi Security

In an era of social sharing, some things just shouldn’t be shared. But, as an IT admin, you can’t always control what your users do, so put a system in place that protects your organization. Give JumpCloud’s Directory-as-a-Service and corresponding RADIUS and LDAP integration a try. Your first 10 users are free.

Beyond the WiFi Sense security hole, leveraging RADIUS or LDAP to backend your WiFi infrastructure is an important security practice. It ensures that you know exactly who has access to your network and allows you to tightly control that.
