Tuesday, June 30, 2015

Wi-Fi Sense: How Microsoft Has Effectively Broken Wi-Fi Security


Wi-Fi Sense debuted in smartphones running Windows Phone 8.1 and is a standard feature of the upcoming Windows 10 operating system. It is designed to automatically connect Windows 10 devices to "shared Wi-Fi networks". The idea is that it automatically shares your Wi-Fi SSIDs and passphrases with your friends through your social media and messaging contact lists, eliminating the need to communicate them the "old fashioned way" and type the passphrases in by hand.

While this may sound attractive enough to the non-technical user, it is in fact a dangerous and irresponsible design that undermines the security of every existing Wi-Fi network relying on WPA2-Personal (i.e. passphrase) security.

Here is the fundamental problem: the decision about what counts as a "shared Wi-Fi network" rests with the operator of a Windows 10 device connected to the network, not with the owner or administrator of that network. Thus, any Windows 10 client device, even one with a legitimate connection to your network (a member of your household, or an employee of your small or medium business), becomes a vector for sharing that security information across social media.

The really disturbing part:  as network administrators, there is virtually nothing we can do to prevent it (more on that below).

I would go so far as to classify Wi-Fi Sense as an entirely new category of credential-harvesting attack. It isn't a problem with the 802.11 standard itself. Rather, it is a coordinated effort by one external entity (i.e. Microsoft) to use distributed nodes (i.e. the client devices running Windows 10) to gather and spread Wi-Fi security information over social media, generally without the direct knowledge, informed awareness or consent of the user or of the network owner/administrator.

How Wi-Fi Sense Works

The information in this section is based on an article on howtogeek.com.  

Wi-Fi Sense shares a user's Wi-Fi login information (i.e. SSIDs and passphrases) with that user's friends, specifically their contacts on Outlook.com and Skype, and optionally Facebook. Similarly, when enabled, network information from friends is shared with you, so that your Windows 10 device can (and will) automatically connect to Wi-Fi networks shared by your friends.

When a Windows 10 user connects to a Wi-Fi network, they'll see a "Share network with my contacts" check box.


Presumably, the box is unchecked by default. If the user checks it, the SSID and passphrase are uploaded to Microsoft's servers and pushed to that user's contacts. If one of those contacts connects to your shared network from their Windows 10 device, they can in turn choose to share the connection details with all of their own contacts, and so forth.


Ramifications

The security ramifications are readily obvious.   The following two examples will illustrate the main issues for network administrators.

(1) Home network: Most home networks use consumer-grade wireless routers, which offer only open (no encryption) or WPA2-Personal (i.e. passphrase) security. Multiple SSIDs and client isolation are generally not standard features, though some consumer-grade devices can set up a separate "guest network" for visitors. When your teenage son connects to your home network on the Windows 10 laptop he uses for school, the SSID and passphrase are shared with all of his Facebook friends. When his friends come over with their Windows 10 laptops, instead of connecting to your guest network they are connected to your main home network and have full access to everything else on it, including the PC holding your financial and health records, multimedia devices, smart-home appliances, etc.


(2) SMB network: A network in a small or medium business (e.g. small office, restaurant, retail outlet, hotel, etc.) may use either consumer-grade or enterprise-grade equipment, and will typically have multiple SSIDs: one for public access (visitors, customers, hotel guests, etc.) and one for private staff access for operations. The public access network may or may not use a WPA2 passphrase (I generally recommend against it - see my blog post on VLANs), but the staff network typically does. Note that a staff network may carry financial and operational data as well as credit card transactions, requiring PCI-DSS compliance, and patient health records in medical offices and assisted living facilities, requiring HIPAA compliance. An employee with a legitimate need to connect to the staff network may inadvertently share that SSID and passphrase over social media via Wi-Fi Sense. Any friend who visits the place of business connects automatically to the staff network and shares those credentials via Wi-Fi Sense with their own friends. Now the network is not only out of PCI-DSS and/or HIPAA compliance, but its financial and operational records are exposed to anyone with an indirect social media connection.

While I write this from the perspective of a network designer and administrator, there is also a notable vulnerability for the Windows 10 clients themselves. A malicious user can set up a rogue Wi-Fi network in a public venue, designed for a man-in-the-middle attack, and share its credentials through Wi-Fi Sense to everyone who has accepted the attacker as a contact. Anyone connecting to that rogue network can spread the credentials further. Since Windows 10 clients are designed to automatically connect to networks shared by contacts, a device could join the rogue network without its user even realizing it, leaving the device and its data open to sniffing and attack.

Microsoft also claims that a user on a shared network is isolated from other devices on the LAN. Real client isolation requires the client-isolation setting on the AP together with appropriately defined ACL rules on a managed Layer 2 switch. What Microsoft describes is instead implemented by the client OS itself, and is therefore illusory. When you connect to a Wi-Fi network, Windows asks whether the network is "Home", "Work" or "Public". If "Public", Windows applies host-firewall rules that block inbound ping and other traffic from the LAN. That covers inbound traffic only: from the PC you can still see and access every other device on the LAN. Nobody on the LAN can attack you, but you remain free to attack anyone else on the LAN. To a network administrator this does not meet the definition of "client isolation": I am now trusting the security of my network to the good behaviour of users whom, as administrator, I never invited onto my network in the first place!

What Can Be Done To Prevent This?

Unfortunately, there isn't much in the way of practical solutions at this time.   Here are the options, such as they are:

(1) Opt Out: Microsoft has "generously" given network operators the ability to opt out of having their networks shared. To opt out, you append the characters "_optout" to the end of your SSID. Let that sink in: you must actively change the SSIDs on your networks to opt out of a feature you neither implemented nor asked for. If your SMB network consists of multiple access points, you need to change the SSID on all of them. And when you change the SSID, you have to touch every legitimate device on your network to make sure it now connects to the new SSID. If that isn't painful enough, Microsoft is also vague about what opting out actually entails: it is not clear whether the SSID and passphrase data will simply not be collected by Microsoft, or whether the data is collected but flagged in their database as not to be shared. The latter is unfortunately more likely and significantly less secure, since Microsoft is still collecting your data without your permission, and you rely on Microsoft to ensure that your Wi-Fi network information is never shared, even accidentally through a mistake in their supposedly bug-free code.
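One practical wrinkle with the opt-out is that an 802.11 SSID is at most 32 octets, and the suffix costs seven of them, so a network name longer than 25 bytes has to be shortened before the suffix will fit. The following is an added example written for this page (not code from the original post or from Microsoft) that audits a site survey for APs whose SSID still lacks the suffix and computes a compliant renamed SSID. The survey data is constructed for the example; the suffix check follows the post's description (appended at the end of the name).

```python
# Added example (not from the original post): audit SSIDs for the "_optout"
# suffix and compute the renamed SSID within the 802.11 limit of 32 octets.

OPTOUT_SUFFIX = "_optout"
SSID_MAX_OCTETS = 32  # 802.11 SSID element: 0..32 octets


def is_opted_out(ssid: str) -> bool:
    """True if the SSID already ends with the opt-out suffix (as the post describes it)."""
    return ssid.endswith(OPTOUT_SUFFIX)


def optout_ssid(ssid: str) -> str:
    """Return the SSID with "_optout" appended, shortening the name if needed.

    The suffix is 7 ASCII bytes, so any name longer than 25 octets (UTF-8) must be
    truncated, or the AP will reject the new SSID (or silently cut it, which would
    drop the suffix).  Truncation removes whole code points so a multi-byte UTF-8
    character is never split, then trailing whitespace is trimmed.
    """
    if is_opted_out(ssid):
        return ssid
    budget = SSID_MAX_OCTETS - len(OPTOUT_SUFFIX.encode("utf-8"))
    base = ssid
    while len(base.encode("utf-8")) > budget:
        base = base[:-1]
    return base.rstrip() + OPTOUT_SUFFIX


def audit(scan_results):
    """Given (ssid, bssid) pairs from a site survey, return the APs still shareable."""
    return [(ssid, bssid) for ssid, bssid in scan_results if not is_opted_out(ssid)]


# Constructed sample survey (not real data): one SSID served by two APs, one
# guest SSID already opted out, and a name too long to take the suffix as-is.
SAMPLE_SCAN = [
    ("AcmeStaff", "00:11:22:33:44:01"),
    ("AcmeStaff", "00:11:22:33:44:02"),
    ("AcmeGuest_optout", "00:11:22:33:44:03"),
    ("Front Office Network 2nd Floor", "00:11:22:33:44:04"),  # 30 bytes
]

if __name__ == "__main__":
    for ssid, bssid in audit(SAMPLE_SCAN):
        print(f"{bssid}  {ssid!r:34} -> {optout_ssid(ssid)!r}")
```

Run the audit against the output of your controller's or survey tool's SSID list before and after the rename; any AP still appearing in the result is one you forgot to touch. The byte-length check is the part worth keeping: an opt-out that never makes it into the beacon because the SSID was silently truncated protects nothing.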

(2) Implement WPA2 Enterprise Security: Larger businesses and enterprises typically implement WPA2-Enterprise, which requires 802.1X with a RADIUS server. WPA2-Enterprise is indeed not subject to the issues created by Wi-Fi Sense: each user authenticates with individual credentials or a certificate, so there is no network-wide passphrase to share. That said, most small businesses have neither the money, the time, nor the IT acumen to configure all the pieces of WPA2-Enterprise properly and keep them maintained. Thus, WPA2-Enterprise is an unrealistic solution for private home and most SMB networks. The whole point of WPA2-Personal was to provide secure Wi-Fi connectivity for consumer and SMB networks. [Update: The use of PPSK (personal pre-shared key), where every device gets its own WPA2 passphrase, has been suggested. Since PPSK is not part of the 802.11 standard, only 3-4 AP vendors support it. Furthermore, client devices still need to be registered, either manually or via an automated software download to the device, which is logistically infeasible in most SMB environments.]

(3) Ban Windows 10 Devices from Your Network: While I find this option viscerally appealing, it is eminently impractical. Large businesses can sometimes maintain control over what connects to their staff network, but even there the "bring your own device" (BYOD) trend has been accelerating for several years and shows no sign of abating. In private home and SMB networks, BYOD has been the norm since long before the term was coined. Furthermore, as Windows 10 inevitably gains traction in the marketplace, it will be impossible to keep these devices off your network: like all things Microsoft, eventually you won't be able to buy new PCs or laptops without Windows 10 on them, pre-installed for your convenience. It's true that Wi-Fi Sense has been around for about a year on Windows Phone 8.1, but it hasn't been much of a security issue so far because those devices have virtually no market share.

(4) Beacon Information Element: One of the solutions being discussed in the professional Wi-Fi community is having the AP beacon (an advertisement frame sent by an AP roughly every 100 ms for each SSID) carry an additional information element that tells client devices to either "opt in" or "opt out" of Wi-Fi Sense. While technically doable, it is an impractical fix, at least in the short term, for numerous reasons:
  • Microsoft and the Wi-Fi community would first have to agree a standard for what this information element looks like, and Microsoft would need to agree to respect it.
  • Microsoft would have to patch all Windows 10 devices to recognize and act on the information element. [Correction: Existing NIC drivers can already pass an additional information element up via existing mechanisms. Microsoft would still need to teach the Windows 10 OS how to interpret such an element.]
  • Every consumer and enterprise AP manufacturer would need to provide a firmware update for every (active) model of AP so that it can emit the element.
  • If your Wi-Fi network is older and has APs that are beyond the manufacturer's end of life (EOL), don't expect any patches from the manufacturer. The APs, and so the network, will need to be physically upgraded.
  • Every Wi-Fi network you want to secure would need its firmware upgraded across all of its APs, and the new setting enabled appropriately.
This is an enormous and costly undertaking, comparable in scope to when WEP was cracked in 2001 and patched in 2003. Considering that far more Wi-Fi networks are deployed in 2015 than in 2003, the scope becomes overwhelming.
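The element format such a proposal would rely on, as an added example written for this page (not code from the original post, nor anything Microsoft or an AP vendor has shipped): an 802.11 information element is a TLV of a one-byte element ID, a one-byte length and the value. Element ID 0 carries the SSID; ID 221 is "vendor specific" and begins with a three-byte OUI. The OUI, the subtype byte and the opt-in/opt-out flag values below are assumptions, since no such element has been standardised; the beacon payloads are constructed for the example.

```python
# Added example (not from the original post): build and parse 802.11 information
# elements, including a HYPOTHETICAL vendor-specific "sharing policy" element.
import struct

EID_SSID = 0
EID_VENDOR_SPECIFIC = 221
HYPOTHETICAL_OUI = b"\x00\x00\x00"   # placeholder, not a registered OUI
HYPOTHETICAL_TYPE = 0x01             # assumed vendor subtype: "sharing policy"
POLICY_OPT_IN, POLICY_OPT_OUT = 1, 2  # assumed flag values


def build_ie(eid: int, value: bytes) -> bytes:
    """Encode one element: ID, length, value (length must fit in one byte)."""
    if not 0 <= len(value) <= 255:
        raise ValueError("IE value must be 0..255 bytes")
    return struct.pack("BB", eid, len(value)) + value


def build_sharing_policy_ie(policy: int) -> bytes:
    """The hypothetical vendor element: OUI + subtype + one policy byte."""
    return build_ie(EID_VENDOR_SPECIFIC,
                    HYPOTHETICAL_OUI + bytes([HYPOTHETICAL_TYPE, policy]))


def parse_ies(blob: bytes):
    """Return [(eid, value), ...]; stop at a truncated element instead of over-reading."""
    out, pos = [], 0
    while pos + 2 <= len(blob):
        eid, length = blob[pos], blob[pos + 1]
        pos += 2
        if pos + length > len(blob):
            break  # malformed or truncated: do not trust the remainder
        out.append((eid, blob[pos:pos + length]))
        pos += length
    return out


def sharing_policy(ies) -> str:
    """Client-side decision: an explicit vendor element wins; otherwise fall back to the
    "_optout" SSID suffix; otherwise "unspecified" (today's behaviour: left to the user)."""
    ssid = None
    marker = HYPOTHETICAL_OUI + bytes([HYPOTHETICAL_TYPE])
    for eid, value in ies:
        if eid == EID_SSID:
            ssid = value.decode("utf-8", errors="replace")
        elif eid == EID_VENDOR_SPECIFIC and len(value) >= 5 and value[:4] == marker:
            if value[4] == POLICY_OPT_OUT:
                return "opt-out"
            if value[4] == POLICY_OPT_IN:
                return "opt-in"
    if ssid is not None and ssid.endswith("_optout"):
        return "opt-out"
    return "unspecified"


# Constructed beacon element lists (not captured traffic): SSID, supported rates,
# DS parameter set, and optionally the hypothetical policy element.
BEACON_PLAIN = (build_ie(EID_SSID, b"AcmeStaff")
                + build_ie(1, b"\x82\x84\x8b\x96")
                + build_ie(3, b"\x06"))
BEACON_WITH_OPTOUT_IE = BEACON_PLAIN + build_sharing_policy_ie(POLICY_OPT_OUT)
BEACON_SUFFIX_ONLY = build_ie(EID_SSID, b"AcmeGuest_optout") + build_ie(3, b"\x06")

if __name__ == "__main__":
    for name, blob in [("plain", BEACON_PLAIN),
                       ("with policy IE", BEACON_WITH_OPTOUT_IE),
                       ("suffix only", BEACON_SUFFIX_ONLY)]:
        print(f"{name:15} -> {sharing_policy(parse_ies(blob))}")
```

Two points the code makes concrete. First, the parser stops at the first truncated element rather than reading past the buffer, which is the failure mode any beacon parser in a driver or OS has to handle, since beacons are unauthenticated frames that any nearby station can transmit. Second, for the same reason a rogue AP could beacon an "opt-in" element for a network it does not own, so an element like this can only advise a client about the operator's wishes; it cannot authorise anything.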

(5) Convince Microsoft to remove this ill-conceived feature from Windows 10.  Yeah, I don't know how to go about doing that either.  However, that doesn't mean that we shouldn't try.  How:  writing blogs like this, preaching the message on social media, and delaying my transitions to Windows 10 as long as possible.  Perhaps if enough of us in the professional Wi-Fi community perform a concerted and organized effort, we can bring sufficient pressure to bear, but I'm not optimistic.

2 comments:

  1. Thanks for sharing this, it's a very useful article. From what I read, those who connect to your wireless network receive 'Internet-Only' access. How this is implemented I don't know, but supposedly it is not possible to access local resources when connecting using a shared wireless profile.

    "When you share network access, your contacts get Internet access only. For example, if you share your home Wi-Fi network, your contacts won't have access to other computers, devices, or files stored on your home network."

    http://www.windowsphone.com/en-us/how-to/wp8/connectivity/wi-fi-sense-faq

  2. I've added this to the post, as it is a really good point. Response is as follows:

    Microsoft also claims that a user is isolated on a shared network from other devices on the LAN. In order to do this completely effectively, the client isolation settings on the AP, along with appropriately defined ACL rules on your Layer 2 managed LAN switch, need to be set appropriately. Rather, this isolation is illusory, created by the OS itself. In Windows, when you normally connect to a Wi-Fi network, it asks whether the network is "Home", "Work", or "Public". If "Public", then Windows sets up some internal firewall rules to block incoming ping and other traffic from the LAN. This is only for inbound traffic, however: from the PC you can still see and access all other devices on the LAN. So nobody can hack you on the LAN, but you are still free to hack anyone else on the LAN. As a network administrator, this does not meet the definition of "client isolation", as now I am trusting the security of my network to the cluelessness of users who, as an administrator, I never invited to connect to my network in the first place!
