Message 1 of 9

BTWiFi Security Vulnerability


I use a BTWIFI hotspot regularly when I'm away for work. In order to log in, I have to send my credentials unencrypted across the unsecured wifi connection.

There doesn't currently seem to be a way to set wifi login credentials that are different to your main account credentials, and neither does there appear to be any way of securing your account with 2 factor authentication. So, effectively, anyone on the same BTWIFI network could intercept my credentials and access my main BT account and there's absolutely nothing I can do about it.

To make this glaring security flaw even worse (not that it could really get much worse), the short DHCP lease time means I have to send my credentials repeatedly every couple of hours or so.

Is there any chance BT could possibly give people the opportunity to plug this vulnerability? Having different credentials for BTWifi vs BT account would be a good start. Hashing the password or having 2FA on BT accounts would also be a step in the right direction. 

 

Message 2 of 9

Re: BTWiFi Security Vulnerability


See link about 2FA 

https://www.bt.com/help/security/two-step-authentication

Use the BTWifi app and you only need to enter your log on details once and the app will do it there after.

See link re BTWifi security

https://www.btwifi.co.uk/help/security/

EDIT: see also this link and in particular

"BT Wi-fi uses sophisticated 128-bit public key encryption during login to protect transfer of your data. Account traffic is encrypted and your account is password protected".

https://www.btwifi.com/includes/components/connection-help/broadband.jsp

Message 3 of 9


Thanks for the links. That definitely helps, although the system is still really insecure by default.

However, having tried to activate 2FA, I now seem to have reached a dead end where all the options are greyed out. (Tried it on two different devices with the same result).

Any ideas how to progress beyond this screen?

[Attachment: Screenshot_20220904-120256-855.png]

Message 4 of 9


All Public Wifi Hotspots are "insecure".  If they were secure they would not be Public Hotspots. What is secure however is your log on details when you are logging on.

You should practice good security when using a public hotspot by ensuring your sharing features are turned off on your devices. You do not send any private and personal details over the Internet. Do not use any bank accounts etc and if possible use a VPN.

As regards setting up 2FA, it may be because you are using MyBT on a mobile device. I used a laptop and web browser to set it up. I found setting it up no problem and, on checking just now, I can edit it without issue and all works in the way I would expect it to.

Try using a web browser in "desktop" mode to see if it lets you set it up.

 

Message 6 of 9


@gg30340 I know the hotspot itself is unsecured, and I do understand why. Nevertheless, some public hotspots at least send the password as a hash, but the one I'm using seems to send it as plain text. (I can't check right now because I'm not on site, but I did query the source code and it appears to send a plain text 'post' request with the username and password in it. You can replicate it with a one-line cURL command).

As for actually using the hotspot,  I encrypt everything over Tailscale and send it via my home network, so no worries there!

Message 7 of 9


I should just add, the hotspot I'm using is not a regular btwifi hotspot - it's a site-specific 'partnership' one. Maybe it's a different setup to a truly public one? Either way, I couldn't see any evidence of password encryption. 

Message 8 of 9


If you are concerned after having read through the links I posted, including the one about your username and password being encrypted when you log on, I would suggest, to allay your fears, that you stop using BTWifi and any other public hotspots and perhaps consider using your mobile phone and, if need be, set that up as your own personal hotspot so that you can connect a laptop or other device to it.

Message 9 of 9


Ok, I've made sense of it now, having had another look at the login page.

The initial 'welcome' page uses http, but the credentials are passed by https from a different page accessible by a link, and are therefore encrypted.

Thanks for the useful links!

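The confusion in this thread (an http:// welcome page versus a credential form that actually submits to an https:// URL, and a "plain text POST" seen in the page source) is exactly what a quick form audit settles. The script below is an added example, not BT's code and not anything posted in the thread: it parses a captive-portal page, finds every form that contains a password field, resolves the form's action against the page URL, and reports whether the credentials will leave the device over TLS. The page URLs, hostnames and HTML are constructed to mirror the situation described above; feed it real markup from `curl -s` to check an actual portal.

```python
"""Audit a captive-portal login page: which forms carry a password field,
and does each of those forms submit over HTTPS?

Added example, not BT's code. Sample HTML below is constructed to mirror the
situation described in the thread: an http:// welcome page whose credential
form is on a separate https:// page. All hostnames and paths are invented.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class FormCollector(HTMLParser):
    """Collect every <form> with its resolved action URL and its input fields."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = a.get("action") or ""
            self._current = {
                # a relative action inherits the scheme of the page that served it
                "action": urljoin(self.page_url, action),
                "method": (a.get("method") or "get").lower(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current["inputs"].append(
                {"name": a.get("name") or "", "type": (a.get("type") or "text").lower()}
            )

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_login_forms(page_url, html):
    """Return one finding per form that contains a password field."""
    parser = FormCollector(page_url)
    parser.feed(html)
    findings = []
    for form in parser.forms:
        if not any(i["type"] == "password" for i in form["inputs"]):
            continue
        scheme = urlsplit(form["action"]).scheme
        findings.append({
            "action": form["action"],
            "method": form["method"],
            "fields": [i["name"] for i in form["inputs"]],
            # what protects the credential in transit is the scheme of the
            # action URL, not the scheme of the page that rendered the form
            "submits_over_tls": scheme == "https",
            # a GET form puts the password into the URL (proxy logs, Referer)
            "password_in_url": form["method"] == "get",
        })
    return findings


# Constructed sample pages (hypothetical hosts, not BT's).
WELCOME_PAGE_URL = "http://portal.example.net/welcome"
WELCOME_HTML = """<html><body>
<p>Welcome. <a href="https://auth.example.net/login">Log in</a></p>
<form action="/accept-terms" method="post">
  <input type="checkbox" name="agree"><input type="submit" value="Continue">
</form></body></html>"""

LOGIN_PAGE_URL = "https://auth.example.net/login"
LOGIN_HTML = """<html><body>
<form action="/authenticate" method="post">
  <input type="text" name="username">
  <input type="password" name="password">
  <input type="submit" value="Log in">
</form></body></html>"""

# Weak variant, also constructed: the credential form sits on the http page,
# so its relative action resolves to http:// and the password goes in clear.
WEAK_PAGE_URL = "http://portal.example.net/login"
WEAK_HTML = """<form action="login.jsp" method="post">
<input name="user"><input type="password" name="pass"></form>"""


if __name__ == "__main__":
    for url, html in [(WELCOME_PAGE_URL, WELCOME_HTML),
                      (LOGIN_PAGE_URL, LOGIN_HTML),
                      (WEAK_PAGE_URL, WEAK_HTML)]:
        print(url)
        for f in audit_login_forms(url, html) or [{"action": "(no password form)"}]:
            print("  ", f)
```

The welcome page yields no finding at all (it has no password field, only a link), the https login page yields one finding with `submits_over_tls` true, and the weak variant shows how a relative `action` on an http page silently inherits http. A test using only the browser's view of the page source can miss this; resolving the action is the check that matters.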