Wi-Fi Sense is a Terrible Idea

Over at Forbes, Yael Grauer writes that you shouldn’t freak out over Windows 10’s Wi-Fi Sense password-sharing feature. Freaking out over anything in technology is rarely a good idea, but Wi-Fi sense isn’t a particularly good idea, and Microsoft should never have built it.

First, a brief crash course on how Wi-Fi security works. When you join a regular, password-protected Wi-Fi network, your phone or computer doesn’t directly send your password to the access point. Rather, the password is hashed with the SSID (the name of the network) by applying SHA1 a large number of times iteratively in order to create a cryptographic key, called the Pairwise Master Key (PMK for short). This key is then used to mutually authenticate the client and the access point, so that each side knows the other possesses the same key, and from this process a session key is derived that protects data communication for that client on the network. The end result is that your access to the network is secured without ever actually sending your password or the PMK itself over the air, where it could be intercepted by a third party.

Microsoft’s Wi-Fi sense feature allows you to share access to your home networks with individuals you connect to on social networks. They claim that it does not share your password, so it’s most likely the case that they’re sharing the PMK. Because there’s no plausible way to encrypt this process from end to end (or even cryptographically authenticate the client you’re sharing to), Microsoft has to obtain the PMK in the clear in order to make this feature work.

Yael’s argument is that this is no worse than sharing your Wi-Fi password with somebody else directly. If the only threat you’re concerned about is your friends sharing the password further with other people, that’s probably true; since your friends never learn your password with Wi-Fi Sense, they can’t do that. However, it’s a bit like comparing handing a friend a flash drive with all your files to uploading all you files to Dropbox and sharing a single file with a link. Looking only at the intended recipient’s access fails to account for the risk introduced by the third party that’s now involved in the process.

We live in an era of automated attacks on individuals based on data exfiltrated from massive databases. Sometimes those attacks from foreign actors (as in the case of the OPM breach), and other times those attacks are carried out by our own government. Anyone who is building a high-value database now has to consider the implications of that, including likely resistance to state-level attackers.

Suppose an attacker gains access to Microsoft’s database of Wi-Fi network PMKs. These are hashes of the password, stored with the network name, so it takes computational effort to reverse these or find a collision. However, most users’ passwords are utterly terrible, and most people reuse passwords across multiple services. Combined with other hacked databases, an attacker can quickly pick off the weak passwords and then start using them on other services. Using a strong, unique password mitigates this, but generally speaking the users who do so are also the most savvy users who could just as easily buy and install a router capable of providing a separate guest network.

Even if Microsoft can successfully defend this database against all attackers - which seems implausible given the current state of software security - there is at least one attacker who is in a privileged position to access the entire database without needing to compromise it. Per the third-party doctrine, the US government can obtain access to this database without a warrant. With just a National Security Letter, the government would be able to obtain a huge database of Wi-Fi network master keys.

These master keys can be used to build a Wi-Fi equivalent of the Stingray cellular network spoofer, which is already widely used by the government without individual warrants. Your phone or computer periodically sends out active probe requests identifying every access point you have saved on your device. Because the master key is the only secret used for mutual authentication of the client and access point, this information can be used by an interception device to spoof the access point, causing all IP traffic to be captured. Even worse, Windows laptops are usually configured to trust saved Wi-Fi networks unconditionally, opening the firewall to local traffic on the network and greatly increasing the attack surface of the device. Because the government holds that key protections of the 4th amendment do not apply in much of the country, such a Stingray-like device could be deployed at airports and in most major cities, further enabling mass surveillance.

As an individual, these concerns might not matter to you, and you may think you have nothing to hide. That is your choice. Companies that create products have a different set of concerns to grapple with. When building a feature like this, the risks need to be accounted for across all users. Ultimately, the only way to win this game is not to play. Rather than building yet another lucrative database of users’ sensitive information, Microsoft should have sought solutions that do not reveal any information to third parties. Their failure to do so is a failure of both moral and technical imagination.