Is QR code access to work wireless wi-fi a security risk?

[Android Central Question]

I recently noticed when I joined my work wi-fi on my Galaxy s9 (personal phone-not company phone) a QR screen popped up with the option to have another device connect to the wi-fi without entering the password. Isn't this a security risk to have such easy access to a business's wireless network?

 

[B. Diddy]

Welcome to Android Central! Is it a guest wi-fi network, or the main internal wi-fi network for the company?

Please register on this forum, which will allow you to engage in discussion more easily, as well as post images. https://forums.androidcentral.com/ask-question/409154-join-android-central-community.html

 

[Crystalblueii]

It is the main wi-fi. Our IT person is not too happy to have this QR option appear on employees phones. Once the phone has the stored password a QR code is automatically generated. The phone that displays the code can now be passed around to be scanned and anyone who has scanned the code gets in the wifi network-no password needed. Important note: the "host" phone has to be within the wi-fi coverage area; and that device has previously stored and remembered the wireless network password.

 

[B. Diddy]

Looks like it's a native Samsung feature: https://www.sammobile.com/2019/08/0...networks-using-qr-code-on-one-ui-android-pie/

 

[Crystalblueii]

Now how is an IT person supposed to counter that? Ban cell phones within the office environment? That's not practical or productive. What are other business's doing to keep a main business wi-fi network secure with this feature?

 

[hallux]

So, your IT team allows personal cell phones not registered in some company device management system to be connected to the company WiFi? Sounds like it's high time for some stronger IT security policies. Allowing non-managed devices (computer or phone) onto the internal company network is, in itself, a security risk regardless of there being a feature such as you're concerned about.

 

[B. Diddy]

So, your IT team allows personal cell phones not registered in some company device management system to be connected to the company WiFi? Sounds like it's high time for some stronger IT security policies. Allowing non-managed devices (computer or phone) onto the internal company network is, in itself, a security risk regardless of there being a feature such as you're concerned about.

This is an excellent point.

 

[ManiacJoe]

Connecting to the company wifi is not all that big a deal.
MDM software is usually required for connecting to the company file servers and email servers.

 

[hallux]

Connecting to the company wifi is not all that big a deal.
MDM software is usually required for connecting to the company file servers and email servers.

Except the MDM software can also be used to enforce policies that could prevent that feared feature from working. Shoot - it can be used to disable the camera if they want.

The company I support will only managed iOS devices and company-owned PCs to connect to the internal WiFi, they don't even allow managed Android devices to connect to the internal WiFi network.

 

[ManiacJoe]

Oh, yes. The restrictions that MDM software allows to be put on phones can reach the "crazy" levels, beyond what is actually needed.