neilalexander.dev

Secure auto-login to BT Wi-Fi hotspots

27 February 2017 by Neil Alexander

Updated 17th January 2019

Merging their partnership with FON with their own commercial BT Openzone Wi-Fi network, BT now provide a large-scale Wi-Fi service in the United Kingdom under the name “BT Wi-Fi”. With this, BT Broadband (and one-off paying) customers are able to access BT Wi-Fi not just from commercial locations but also from households with the BT Wi-Fi service broadcasting from their BT Home Hubs. 

However, the BT Wi-Fi service has it’s downsides. If you are using a computer and you connect to the “BTWiFi-with-FON” SSID, then there is no wireless encryption (like WPA) of any kind between your device and the hotspot. This means that your traffic, if not encrypted through some other means, is susceptible to eavesdropping by a nearby adversary. This can put you and your data/passwords at risk. This is actually a common problem with many public Wi-Fi hotspots, and an issue that not many users are educated on. Be cautious of any unsecured networks, kids!

Secondly, and somewhat unrelated, the service will not “remember” you and will expect you to log back in each time you roam to a new hotspot or after having been away from a given hotspot for a period of time. This can become somewhat tedious if you are a frequent user of the service.

It is possible, however, to securely connect to the BT Wi-Fi service using a WPA-encrypted wireless connection, and to be automatically logged in at the same time, by making use of an alternative wireless SSID currently used only by iOS devices with the BT Wi-Fi app installed. This article explores the working parts of the authenticated login and how to configure it on other devices.

Introducing 802.1X

802.1X is an authentication mechanism for network access points. There are both wireless and wired variants, and both support a number of authentication mechanisms, including certificate-based, SIM-based and integrated Windows logon, amongst others. The commonly adopted wireless variant is known as “WPA/WPA2 Enterprise”.

The “BTWifi-X” SSID broadcasted by BT Home Hubs is a “WPA2 Enterprise”-enabled SSID. It supports authentication using EAP-TTLS, which is effectively certificate-based authentication in combination with a username and password. This means that, once authenticated, any traffic between the client device and the hotspot is encrypted. Furthermore, the username and password supplied in the profile allow the device to prove it’s identity to the BT Wi-Fi service automatically, allowing automatic login.

It is this “BTWifi-X” SSID that we are interested in.

Obtaining the Configuration Profile

iOS devices are able to take advantage of the secure “BTWifi-X” SSID by installing a configuration profile from the BT Wi-Fi app from the App Store, or more accurately, from a webpage linked from the BT Wi-Fi app. The Configuration Profile is a “mobileconfig” file, specifically for iOS devices, which contains all of the relevant settings to make a secure connection. It includes the BT Wi-Fi security certificates, and your automatic login credentials. In order to continue, you will need to retrieve one of these profiles.

These instructions assume that you have reasonable technical know-how, access to an iOS device and that you are a BT Broadband account holder. You can borrow an iOS device temporarily to complete these steps, and you do not need to be in range of a BT Wi-Fi hotspot to acquire the profile. 

  1. Install and open the BT Wi-Fi app, and go into the “More” tab.

  2. Select “Settings” and then tap “Install connection profile”.

  3. Enter your BT email address and password, tap “Install connection profile”. You must log in with your email address here instead of your username, or otherwise the “Install connection profile” option will not be shown.

  4. Wait until you are redirected into Safari.

  5. Once the device has jumped to Safari, cancel the prompt to install the profile on your device and then copy the URL from the address bar.

  6. Send the link to your computer (by email, instant message or some other medium) and open the page in your web browser. The link may expire after some time so aim to do this quickly.

  7. Open the page’s source using your browser’s developer tools and find the direct link to download the “mobileconfig” hidden in the <script> section of the HTML.

  8. Upon navigating to this URL, you should be prompted to download the “mobileconfig” file. Save it to your computer and open it in the text editor of your choice.

  9. If you borrowed an iOS device to complete these steps, then from this point forward, you no longer need it and can uninstall the BT Wi-Fi app.

PLEASE NOTE that this “mobileconfig” file uniquely identifies you, and contains your authentication credentials. Do not share any part of your “mobileconfig” with anyone else. Please see the Important Warning at the bottom of this article for more information.

Configuring the 802.1.X connection on macOS

If you just want to enable the automatic login to BT Wi-Fi from your macOS computer, then you need not dissect the Configuration Profile. Instead, just double-click the “mobileconfig” from Finder, agree to install the profile and the “BTWifi-X” wireless network will be configured automatically. 

Dissecting the Configuration Profile

If you want to configure automatic login from another device that does not run iOS or macOS, then you will need to extract the relevant information from the “mobileconfig” file.

The Configuration Profile is actually an XML document. It is signed and more than likely contains some garbage-looking characters at the beginning and end of the document, but these are actually certificates and signatures. The relevant and interesting section is the readable XML in the middle of the file.

There are two sections that are relevant. The first is the section that contains your (unique) automatic login username and password, as shown below:

<key>TTLSInnerAuthentication</key>
<string>PAP</string>
<key>UserName</key>
<string>8021x:BTRCon/newprof/XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX:XXX-XXX</string>
<key>UserPassword</key>
<string>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</string>

Make a note of the username, which starts with 8021x:BTRcon/ and ends with some variation of your BT username. Also make a note of the password, which is a random string of numbers and letters.

The second section is the section that contains the generic (non-unique) BT 802.1X certificate, which is used as a “trusted certificate” to prove that the hotspot you are connecting to really belongs to BT Wi-Fi:

<key>PayloadCertificateFileName</key>
<string>BTwifi-X_DigicertRootCA.pem</string>
<key>PayloadContent</key>
<data>
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
</data>

If you are well-versed on certificates, extract the Base64 certificate data from the “mobileconfig” file and transform it into a correctly-formatted certificate file and name it “BTwifi-X_DigicertRootCA.pem”.

Otherwise, if you prefer convenience and you are happy to trust this website as a source, feel free to click here to download the BT Wi-Fi trust certificate.

Configuring the 802.1X connection on Windows

In order to enable the automatic BT Wi-Fi login from a Windows machine, you need to manually create the wireless profile.

To start with, you will need to add the BT 802.1X certificate to your trusted certificate store:

  1. Double-click the “BTwifi-X_DigicertRootCA.pem” file in Windows Explorer.

  2. The certificate will be shown. Verify that it is issued to “DigiCert Global Root CA” and that it is issued by “DigiCert Inc”.

  3. If you downloaded the certificate from above and you wish to perform a further check on the certificate, then go into the Details tab and check that the Signature is “08 3B E0 56 90 42 46 B1 A1 75 6A C9 59 91 C7 4A”.

  4. On the “General” tab, click the “Install Certificate…” button.

  5. In “Store Location”, select “Local Machine” and click “Next”. You may be presented with a UAC privilege prompt. Confirm that you wish to continue.

  6. When asked, select “Place all certificates in the following store”.

  7. Click “Browse”, and select “Trusted Root Certification Authorities”.

  8. Click “OK”.

  9. Click “Next”, and then “Finish” to confirm.

Now that you have the BT 802.1X certificate installed and trusted, you can now configure the wireless profile to connect to “BTWifi-X” hotspots: 

  1. Go into “Control Panel”, and then into “Network & Sharing Center”.

  2. Click “Set up a new connection or network”.

  3. When prompted, select “Manually connect to a wireless network” and then click “Next”.

  4. In “Network Name”, enter: BTWifi-X

  5. In “Security Type”, select “WPA2-Enterprise”.

  6. Make sure that “Start this connection automatically” is checked, and click “Next”.

  7. When prompted, click “Change connection settings”.

  8. In the “Security” tab, under “Choose a network authentication method”, select “Microsoft: EAP-TTLS”.

  9. Click the “Settings” button next to “Microsoft: EAP-TTLS”.

  10. Under “Connect to these servers”, enter: 8021x.bt.com

  11. Under “Trusted Root Certification Authorities”, place a checkbox next to “8021x.bt.com”.

  12. On the same dialog box, uncheck “Enable identity privacy” so that it is disabled.

  13. Make sure that “Unencrypted password (PAP)” is selected under “Select a non-EAP method for authentication”.

  14. Click “OK” to return back to the “BTWifi-X Wireless Network Properties” dialog.

  15. Click the “Advanced settings” button.

  16. Place a check in the box next to “Specify authentication mode”, and then select “User authentication” in the drop-down box.

  17. Click the “Save Credentials” button.

  18. When prompted, enter the full username and password that you extracted from the “mobileconfig” file above. The username starts with 8021x:BTRcon/ and ends with some variation of your BT username.

  19. Click “OK”, and then click “OK” twice more to close each dialog box. Finally, click “Close”.

You should now be able to connect to “BTWifi-X” from the wireless networks list. 

Configuring the 802.1X connection on other platforms

I am unable to provide specific instructions for other platforms, such as Android, but the following configuration settings should be of use to power users wishing to configure this on their devices:

Important Warning

This bit really is important. Please read it.

Each BT Wi-Fi Configuration Profile UNIQUELY IDENTIFIES YOU, and contains specific authentication credentials linked to your BT Wi-Fi account. DO NOT SHARE your Configuration Profile, or any details from it, with anyone else.

You are NOT ANONYMOUS when using the BT Wi-Fi service. If the service is abused, BT will be able to identify that the abuse is coming from your BT Wi-Fi identity and your service will likely be terminated by BT. You have been warned. Just don’t do it.

You perform the above actions ENTIRELY AT YOUR OWN RISK. I am not affiliated with BT in any way, and do not take any responsibility for anything that may happen as a result of following the above instructions.