cancel
Showing results for 
Search instead for 
Did you mean: 
T-i-g-g-e-r
Newbie
11,698 Views
Message 1 of 12

How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

The "BTOpenzone-H" SSID is popping up all over the place as the HHs are updated with the latest firmware but I'm left asking myself the most basic of questions as follows:

 

Q/ How do I know if a "BTOpenzone-H" or "BTOpenzone" SSID is coming from an offical BT hotspot source (i.e. a HH or town centre hotspot) of if that SSID is from someone imitating a BTOpenzone-H/BTOpenzone wifi hotspot?

 

It strikes me that literally anyone could configure a wireless access point to broadcast with an SSID of "BTOpenzone-H" or "BTOpenzone" and route incoming traffic to a web server that mimics the BT login page and then capture the BT Openzone login details and capture the login/access tokens used by iPhones and Android devices when they make connections to email accounts e.t.c. This could all be run from a single laptop and taken anywhere to capture login information.

 

Can anyone tell me how to distinguish a real BTOpenzone/BTOpenzone-H hotspot from an evil twin?

 

Regards, C

 

 

 

 

 

Tags (1)
11 REPLIES 11
jimmehr
Aspiring Expert
11,559 Views
Message 2 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

Its a safe SSID,
the -H indicates if its a homehub not the dedicated access point for the openzone service
0 Ratings
Distinguished Sage
Distinguished Sage
11,557 Views
Message 3 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?


@T-i-g-g-e-r wrote:

It strikes me that literally anyone could configure a wireless access point to broadcast with an SSID of "BTOpenzone-H" or "BTOpenzone" and route incoming traffic to a web server that mimics the BT login page and then capture the BT Openzone login details and capture the login/access tokens used by iPhones and Android devices when they make connections to email accounts e.t.c. This could all be run from a single laptop and taken anywhere to capture login information.


 

 



BTOpenzone provide a free VPN client which can be run on a computer, and provides a secure encrypted connection.

 

There is a whole section dealing with security here http://www.btopenzone.com/help/security/index.jsp

 

Login details are via a secure page and use a non-standard port, so any re-direction would be be difficult.

 

0 Ratings
T-i-g-g-e-r
Newbie
11,529 Views
Message 4 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

> Keith Beddoe

 

The VPN client is probably the only way to protect your data once you're logged in but it's the login process and login page that's the problem.

 

> Login details are via a secure page and use a non-standard port, so any re-direction would be be difficult

 

That link you gave says "To help make sure you receive a safe and reliable service, BT encrypts your account details when you log-in (for both BT Openzone and BT FON)." That will mean they'll be encrypted if you have actually accessed a BT hotspot and are on a BT provided login page.

 

My concerns are much more fundamental.

 

Say I connect to an SSID called "BTOpenzone-H" or "BTFON" or "BTOpenzone" and land on a web page that looks like BT's login page and has a welcome message that says one of the following:

 

"Welcome to this BTFon hotspot"
"Welcome to this BTOpenzone hotspot"
e.t.c.

 

Things aren't encrypted at that stage and all a person (and their device) has to confirm if the hotspot is genuine or not seems to be the SSID name (which isn't much confirmation since it can be easily imitated) and the design of the login page (which can be easily imitated).

 

How do I actually know I've connected to an SSID provided by BT and how do I know I'm looking at a web page provided by BT?

 

Since anyone could give a hotspot an SSID that BT use for Openzone and anyone remotely techical can easily route incoming internet traffic from devices connected to that hotspot to their own fake web server they could easily display a landing page that imitates the exact look of the BT Openzone login page including the messages you'd expect to see with all the graphics you'd expect to see together with the expected boxes where one would usually enter login credentials.

 

You'd then be entering your login details on a fake page and your credentials could be captured.

 

Using an app on your phone, tablet or laptop doesn't make things better as the app would have the same problem and it couldn't know if the hotspot is genuine or not.

 

If we're use such a BT service then we (as users) need absolute confidence that we're connecting to a hot spot provided by BT. At the moment I cannot see how I can possibly tell whether a hot spot is valid or fake and simply reading the heading on the landing page isn't a good enough security check.

Once you've logged in you can then use a VPN client but if you've logged in through a fake page it's way too late.

 

Regards, C

IanC
Recognised Expert
11,494 Views
Message 5 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

It is encrypted at the login stage (assuming you've landed at a proper login page)

 

If you're not happy logging in to a secure (AES128 encrypted) site that offers a certificate, issued by Verisign to Britsih Telecommunications PLC (common name www.btopenzone.com) with a verifiable serial number, MD5 & SHA fingerprint, then the only real option for you is to not use Fon.

T-i-g-g-e-r
Newbie
11,459 Views
Message 6 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

The fundamental issue remains the "(assuming you've landed at a proper login page)" bit. If I could be certain I'd landed on a BT page I'd have no problem with the security of the login.

 

To date I'm not getting any answers on the "How I can be certain that I'm connected to an SSID provided by BT?" question. I'm basically being told I just need to trust it's OK on the basis that it's called "BT Openzone-H" e.t.c. and that it's unlikely that someone has set up a fake hotspot in the location where I'm attempting to connect to BT Openzone.

 

That's not good enough for me.

 

> then the only real option for you is to not use Fon.

 

I think that is the answer. Until the industry gives users a way to verify a hotpsot is real (as opposed to fake) the safest option is to avoid open networks such as BT Openzone altogether. Right now I believe it's not possible for me to be certain that I've connected to an SSID provided by BT. That means, for me, it's simply not safe enough to use for fear of connecting to an evil twin (fake) hotspot, however remote that chance might be. Considering a fake hotspot can easily be run from a portable device (e.g. laptop or even a smart phone), the more public the open network the higher the chance there'll be a fake hotspot in the vicinity.

 

Using an APP provided by BT (or other reputable network supplier) might be safer but, to be honest, I can't see how an APP could distinguish a fake SSID from a real SSID in the same way I can't.

 

I would still appreciate anyone with an insight into this area commenting if they can give me something that will allow me to confirm the authenticity of a hotspot.

 

Thanks for all the posts so far but I think my decision has to be not to connect. It's simply not safe enough.

 

Regards, C

 

 

 

IanC
Recognised Expert
11,445 Views
Message 7 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

@T-i-g-g-e-r wrote:

The fundamental issue remains the "(assuming you've landed at a proper login page)" bit. If I could be certain I'd landed on a BT page I'd have no problem with the security of the login.

 

I thought I'd already covered that 😞

 

Does the landing page (before you've logged in to anything) present a certificate ?  Do you trust that certificate ?

 

(Only you can answer those questions)

 

To date I'm not getting any answers on the "How I can be certain that I'm connected to an SSID provided by BT?" question.

 

You're won't get any answers, because you can't be certain.

 

I'm basically being told I just need to trust it's OK on the basis that it's called "BT Openzone-H" e.t.c. and that it's unlikely that someone has set up a fake hotspot in the location where I'm attempting to connect to BT Openzone.

 

Not by me...

 

At this point, assuming that you've hit a landing page that you're comfortable with, you have a HTTPS connection that you've yet to send anything sensitive over. If you do decide to send your sensitive details etc over that connection, all traffic between your browser and the website are encrypted. In which case, the question really becomes "do you trust SSL/TLS and/or your browsers implementation of it?"

 

I don't see that your knowing that a hotspot was an official one, provided by BT, would provide any additional reassurance. 

  

That's not good enough for me.

 

That's your choice, and not one that I'd scoff at.

 

> then the only real option for you is to not use Fon.

 

I think that is the answer. Until the industry gives users a way to verify a hotpsot is real (as opposed to fake) the safest option is to avoid open networks such as BT Openzone altogether. Right now I believe it's not possible for me to be certain that I've connected to an SSID provided by BT. That means, for me, it's simply not safe enough to use for fear of connecting to an evil twin (fake) hotspot, however remote that chance might be. Considering a fake hotspot can easily be run from a portable device (e.g. laptop or even a smart phone), the more public the open network the higher the chance there'll be a fake hotspot in the vicinity.

 

Using an APP provided by BT (or other reputable network supplier) might be safer but, to be honest, I can't see how an APP could distinguish a fake SSID from a real SSID in the same way I can't.

 

Personally, I think the "authenticity" of the hotspot is an irrelevance compared to the authenticty of the site that you're communicating with.  But that's a judgement call that I've made, based on my own circumstances, perceived threat model, and the sensitivity of the information being passed.

 

YMMV, of course.

 

 

Distinguished Sage
11,392 Views
Message 8 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

I agree with IanC the chances of a dodgy website is far higher than that of a dodgy FON or OPENZONE site and if you are unsure of a fon or open zone site then really the entire WWW is suspect in your eyes i would give up using it completely
0 Ratings
djlnr
Newbie
8,972 Views
Message 9 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

Use a wifi scanner, more productive if use on a smart mobile device, so now you should have a wifi scanner that can see wifi around and show us basic info like Channel, MAC address, and Security type. Now paying attention to MAC addresses you see only trust the btopenzone or Fon ect with matching MAC addresses if you see a generic bthonehub name MAC address matches the Fon and openzone then its more likely to be official. This doesn't solve but if you remember this and dnt put or save personal things into your public folder or windows media player typical media folders you could be hacked
0 Ratings
paul30003
Newbie
8,049 Views
Message 10 of 12

Re: How do I know if a "BTOpenzone-H" SSID is safe and provided by BT?

Anyone with technical backgrounds could setup a fake webserver to captcher usernames and passwords.  They could even have the traffic routed through the same non standard port that is used for BT login servers.  Even connections to this server could be SSL encrypted.  one thing that cannot be faked though, is BT's certificate.  If want to verify the login page, I would first connect to a known genuine hotspot and view the certificate, in FIREFOX this can be viewed by clicking the BT icon to the lefthand side of the address bar.  copy the certificate fingerprint and save it to a text file.  If you want to check a login page on another hotspot in the future, you can compaire this fingerprint to validate that the server is genuine.

 

0 Ratings