Hacker News

> Unfortunately nothing opt in ever gets wide adoption

Sharing your host's WiFi password with all your contacts should never get wide adoption. It should never be an option anyway.

It shows Microsoft's astonishing ignorance of security.



Well, actually Apple is doing something similar, and it's opt-in.

If you have a contact, they are in their settings, and they're nearby and they can see your wifi network, a prompt will appear on your phone which asks if you would like to share wifi credentials with them.

There's some foolery going on to stop it popping up if you're using the device normally, like you have to be in settings or the home screen - or recently unlock your phone or something... But it's very explicitly: opt-in.


It's opt in for the person with the option to share network credentials.

It's not opt-in for the owner of the network, who should really have a say in the matter.

I do use this feature from time to time, but it's typically on networks where either I'm the owner, or the owner's given me permission to share the creds.

This also opens up an attack surface (which I got to experience firsthand on a burner device at DEF CON 31), where someone spoofs an Apple device requesting network creds. The attack itself involves spamming share requests and catching you off guard, causing you to hit OK, or you just hit OK out of notification fatigue.


> It's not opt-in for the owner of the network, who should really have a say in the matter.

Why? It’s literally just a shortcut for asking for the password from someone who already has it and then having it read it out loud or texted. If the owner of the network doesn’t want that happening they need to explain that in either case.


It reminds me a bit of how Waze or Google Maps would end up using access roads as shortcuts with navigation. You let a couple of people use it because you know them. They might tell a few others. Then big tech just sees it as "other people use it, so I'll use it". And now you have no control over your road anymore.


It’s a shortcut that deprives the network owner of agency. As the person running the network, should you not have some degree of control over who gets to join your network, be it fully open, fully closed, or anywhere in between?


> It’s a shortcut that deprives the network owner of agency.

It doesn’t, they have exactly as much agency as they would if the shortcut didn’t exist.

> As the person running the network, should you not have some degree of control over who gets to join your network, be it fully open, fully closed, or anywhere in between?

If you want more control than a shareable password provides, it’s on you to implement something other than a shareable password. A feature that merely helps people share passwords doesn’t change that.


If you need control over who joins your network, implement 802.1x or a captive portal or something. If you just use a WPA key, people will always share them, you can't stop them, there are literally crowdsourced online databases of "free internet" WiFi keys.


Use RADIUS then. If you told someone the password, they can share it.


The guests could already simply tell each other the password.


You have that control: allowlist individual devices.


How does it change the network owner's ability to decide who gets to join their network?


> where someone spoofs an Apple device requesting network creds

How does this work? Isn't there any verification done through iCloud or something? I don't expect my phone to know about all my contacts' iPhone identifiers.

I just tried this the other day with my cousin's wife whose phone number I don't have stored in my contacts and it didn't offer to share the wifi password until we both added each other's number.



