Microsoft Turns Off Wi-Fi Sense After Risk Revealed
Researcher Demonstrates a Dangerous Attack Scenario
Remember Microsoft's Wi-Fi Sense? The Windows 10 feature shared encrypted passwords to Wi-Fi networks with a user's Skype and Outlook contacts. The idea was that friends could then easily connect to other networks without needing login details. But it raised privacy and security concerns.
Microsoft killed the password-sharing feature last year, ostensibly because it was difficult to maintain and not many people were using it. That wasn't the end of Wi-Fi Sense, however, and it's still in Windows. Now, a security researcher has found that Wi-Fi Sense could potentially be a helpful partner in a wireless attack.
Wi-Fi Sense sends information to Microsoft about Wi-Fi networks that are not password protected. When a Windows user comes into range of a series of open networks, say, at an airport, the computer will automatically connect to whichever one Microsoft has determined is the highest-quality access point.
The automatic connection feature was interesting to George Chatzisofroniou, a security engineer at Census Labs in Greece. Chatzisofroniou suspected that Wi-Fi Sense might help with an attack that aims to get a computer to connect to a malicious access point.
Connecting to a fake access point poses all kinds of privacy and security risks. The attacker who controls it has visibility on all data traffic. It's also possible to mount phishing attacks that try to trick people into divulging information, such as passwords.
Two years ago, Chatzisofroniou released Wifiphisher, a popular open-source Linux tool for mounting Wi-Fi attacks. Wifiphisher can boot a computer off a wireless network. But it can't force a computer to automatically connect to its fake access point. Users needed to be tricked somehow into clicking and connecting.
The automatic connection feature is "what was missing," he says. "We always needed the user interaction."
Enter Wi-Fi Sense, which solved Chatzisofroniou's problem.
In an attack he calls Lure10, he found it is possible to trick Wi-Fi Sense into believing it is connecting to a known network when it's actually connecting to a rogue access point. What's ironic is that Wi-Fi Sense undermines the defenses in Windows that are meant to prevent automatic connections to rogue access points without warning (the KARMA attack).
Computers on home and open public networks don't authenticate Wi-Fi hotspots. So a computer can't distinguish between a legitimate network named Router1 and a malicious one by the same name.
Chatzisofroniou says Wifiphisher can create a spoofed network with the same name as one indexed by Wi-Fi Sense. And "if I have a stronger signal, you will automatically connect to me rather than the right Wi-Fi Sense network," he says.
There is a minor location-based security control in Windows, but Chatzisofroniou says he's able to overcome it. Wi-Fi Sense tags the location of routers in its database. If a computer sees Router1 in Dubai's airport when it should be in Sydney's, it won't connect automatically.
He gets around that by tricking the Windows location service into believing the computer is somewhere else. If Chatzisofroniou begins broadcasting signals for Wi-Fi networks in a neighborhood along with one Wi-Fi Sense tagged network that exists in the same neighborhood, the computer will think it's in that remote location and automatically connect to his rogue access point.
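A monitoring sensor can look for the two signals this technique leaves in the air: a batch of never-before-seen networks that all appear at once from what looks like a single radio, and an open network among them that an auto-connecting client would join. The sketch below is an added example, not code from the article or from Wifiphisher; the scan records, MAC addresses, function names and thresholds are constructed assumptions, and the burst rule is a heuristic rather than a documented signature.

```python
from collections import defaultdict

# Constructed scan snapshots: (ssid, bssid, channel, rssi_dbm, is_open)
BASELINE = [
    ("Office-Guest", "3c:11:22:00:00:01", 1, -58, True),
    ("Office-Corp", "3c:11:22:00:00:02", 1, -57, False),
    ("Cafe-Next-Door", "a4:55:66:00:00:09", 11, -74, True),
]
CURRENT = BASELINE + [
    ("Harbour-Lounge", "02:aa:00:00:00:01", 6, -33, False),
    ("Harbour-Hotel", "02:aa:00:00:00:02", 6, -34, False),
    ("Harbour-Books", "02:aa:00:00:00:03", 6, -33, False),
    ("Harbour-Free-WiFi", "02:aa:00:00:00:04", 6, -32, True),  # open network in the burst
    ("Office-Guest", "02:aa:00:00:00:05", 6, -30, True),       # same name as a known open SSID
]

MIN_BURST = 4        # assumed threshold: unseen BSSIDs appearing on one channel
MAX_RSSI_SPREAD = 6  # assumed threshold (dB): one transmitter gives similar signal levels


def new_entries(baseline, current):
    """Records whose BSSID was not present in the baseline scan."""
    known = {entry[1] for entry in baseline}
    return [entry for entry in current if entry[1] not in known]


def beacon_bursts(baseline, current):
    """Channels where many unseen BSSIDs appear at once with near-equal RSSI."""
    by_channel = defaultdict(list)
    for entry in new_entries(baseline, current):
        by_channel[entry[2]].append(entry)
    bursts = {}
    for channel, entries in by_channel.items():
        rssi = [entry[3] for entry in entries]
        if len(entries) >= MIN_BURST and max(rssi) - min(rssi) <= MAX_RSSI_SPREAD:
            bursts[channel] = entries
    return bursts


def open_twins(baseline, current):
    """Known open SSIDs re-advertised by an unseen BSSID with a stronger signal."""
    best = {}
    for ssid, _, _, rssi, is_open in baseline:
        if is_open:
            best[ssid] = max(rssi, best.get(ssid, -200))
    return [e for e in new_entries(baseline, current)
            if e[4] and e[0] in best and e[3] > best[e[0]]]


def lure_candidates(baseline, current):
    """Open networks inside a burst: the ones an auto-connecting client would join."""
    return sorted(e[0] for entries in beacon_bursts(baseline, current).values()
                  for e in entries if e[4])
```
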
What's worrying is Microsoft shipped Windows 10 and Windows Phone 8.1 over the last two years with Wi-Fi Sense turned on by default. "I believe that maybe the bad guys are using this exploit," Chatzisofroniou says.
Chatzisofroniou says he's now wrapped Lure10 into Wifiphisher. He presented his findings recently at the Hack in the Box security conference in Amsterdam.
There are no software flaws in Wi-Fi Sense. Rather, its intended function actually poses security risks. Until recently, the company's reaction to the findings has been dismissive. Microsoft told Chatzisofroniou that the attack was an acceptable risk. It acknowledged his technique for fooling the Windows location service was new but said it had no plans to patch.
It now appears the company has had a change of heart. When I initially contacted Microsoft, a spokesman said the company had no comment.
But then a second representative said the ability to automatically connect to open hotspots has been turned off by default. That change came in the Windows 10 "Creators Update," which was released earlier this month. Microsoft wouldn't confirm if the change came as a result of Chatzisofroniou's research.
Over the past week, Chatzisofroniou says he's noticed other subtle changes. Microsoft has removed all references to Wi-Fi Sense on its privacy page. Also, networks tagged as Wi-Fi Sense within Windows are now just referred to as Wi-Fi Hotspots.
More broadly, it's questionable why Microsoft bothered to develop Wi-Fi Sense in the first place. Wireless networks are more plentiful and reliable than ever before, and it's not onerous to switch from one open network to another if performance issues arise.
Turning Wi-Fi Sense off by default was clearly overdue, but the feature still poses risks if it gets switched on by mistake. Given that this is the second time in as many years that privacy and security issues have been found, Microsoft would be best to completely dump Wi-Fi Sense.