Order of the Bath

The BT broadband offering has a popular feature which allows you to access the internet from your mobile devices even when away from home. When everyone installs their Wi-Fi routers the process simultaneously sets up another Wi-Fi SSID called “BT Fon” (or sometimes “BT Openzone”, and I have seen both at once). With agreement (I think) these are configured so any BT user can sign in to them using their home account details and gain access to the internet via your connection. For privacy, identity and accounting this is kept entirely separate from the home owner’s connection and the only cost to them is a possible bandwidth reduction caused by the extra load. In practice this is a small price to pay for the ability of friends and relations to gain internet access without knowing your security code. You may get a few passers by briefly tapping your connection but they are not going to do it persistently because they have to be BT broadband customers themselves which they are paying for. It may be more of a problem if you live next to a park or café but not too serious.

This all sounds good—you are providing a service for others and in return they provide a service to you when you need it. There are millions of customers and hence millions of potential free Wi-Fi hotspots for you to use. There is security, in the form of an account and password, to verify identity which protects BT’s and the home owner’s interests.

What there is not is any security to protect the mobile user. The catch is that the Wi-Fi hot spot is only identified by it’s name (“BT Fon” or “BT Openzone”)—but anyone can create an SSID called that! So you don’t know if you are connecting to a real BT service or a fake one. This is true with any Wi-Fi hotspot of course, but much more insidious for these because of their ubiquity. There is a sign on process the first time you use one (and even that can be faked) but it is not required for subsequent connections as it is done automatically. For smart phone users it is potentially even more serious. As is pointed out in this Guardian article from April, phones sometimes connect even while in your pocket. O₂ iPhones are configured to do this by default because of a partnership between O₂ and BT.

BT have known about this problem for some time but have so far declined to do anything about it or even let anyone know. This is disappointing considering that their security team is one of the most respected in the industry.

This entry was posted on 1 Nov 2011 at 14:34 by Rick and is filed under Security, Technical. You can follow any responses to this entry through the RSS 2.0 feed. Both comments and pings are currently closed.