Nokia and the accusation of MITM attack

Pierluigi Paganini January 14, 2013

The charge is heavy: according to some experts, Nokia officially analyzes users' traffic in order to increase performance by compressing data on some of its mobile devices. According to many experts the popular company is responsible for hijacking users' traffic onto its own servers, as is the case for the Nokia Asha models, and for this reason news has circulated on the internet of a "Man In The Middle" attack against its clients.

The Finnish company has admitted that it decrypts secure data passing through HTTPS connections in order to apply further compression that speeds up communications, but what does this mean?

Access to HTTPS traffic exposes users' data such as banking credentials, email account credentials and other sensitive information, a clear violation of privacy without the user having been informed.

The sensational discovery was made by researcher Gaurang Pandya, who proved that browser traffic from his Nokia (Series 40) "Asha" phone was redirected through Nokia's servers. He documented the discovery in a first blog post and finally published the results of his research in another post with the eloquent title "Nokia's MITM on HTTPS traffic from their phone".


Obviously Nokia immediately tried to reassure its clients: Nokia says there is nothing to worry about.

“We take the privacy and security of our consumers and their data very seriously. The proxy servers do not store the content of web pages visited by our users or any information they enter into them. Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”

Following is the conclusion of the researcher:

"From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it HTTP or HTTPS site when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse. Upon checking the privacy statement on Nokia's website the following can be found."

On January 11th, 2013 the researcher provided a further update that showed a meaningful change in the behavior of his device after an update:

Update of 11th January, 2013

Just upgraded my Nokia browser, the version now is 2.3.0.0.48, and as expected there is a change in HTTPS behaviour. There is good news and bad news. The good news is that with this browser they are no longer doing a Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is that the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over an HTTP connection to their server. Details are given below.

This time again we browsed https://www.google.com, and found that again DNS requests are sent for Nokia/Ovi servers and this time it was "cloud13.xpress.nokia.com". Upon receiving the DNS reply, an HTTP tunnel is established between the mobile device and their cloud server and HTTPS traffic is tunneled over that HTTP tunnel.

He also thanks Nokia officials for quickly responding to the issue and "getting it fixed on priority", showing the company's commitment towards the privacy of its mobile customers.
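The two behaviours the researcher observed (a proxy that terminates TLS and sees plaintext, versus a proxy that only tunnels the still-encrypted HTTPS session) can be told apart from the client side by checking where the DNS lookup went and whether the certificate the phone accepted matches a pinned fingerprint of the site's genuine certificate. The following is an added example, not code from the article or from the researcher; the session records and fingerprint values are constructed for illustration, and the proxy domain suffixes are taken from the hostnames named in the article.

```python
"""Classify observed browser sessions as direct HTTPS, HTTPS terminated by a
proxy (the MITM case) or HTTPS tunnelled unmodified through a proxy (the
post-update case).  All records and fingerprints below are constructed."""
from collections import Counter
from dataclasses import dataclass

# Proxy domains named in the article (Nokia/Ovi cloud servers).
PROXY_DOMAIN_SUFFIXES = ("xpress.nokia.com", "ovi.com")

# Pinned SHA-256 fingerprint of each site's genuine leaf certificate,
# obtained earlier over a trusted path.  Constructed value, not real.
PINNED = {"www.google.com": "sha256:" + "ab" * 32}


@dataclass
class Session:
    requested_host: str       # site the user typed into the browser
    dns_query_name: str       # name the phone actually resolved
    tunneled_over_http: bool  # HTTPS carried inside a plain HTTP tunnel
    leaf_fingerprint: str     # fingerprint of the cert the phone accepted


def classify(s: Session) -> str:
    via_proxy = s.dns_query_name.endswith(PROXY_DOMAIN_SUFFIXES)
    pin_ok = PINNED.get(s.requested_host) == s.leaf_fingerprint
    if via_proxy and not pin_ok:
        return "proxied-mitm"    # proxy terminated TLS: it sees plaintext
    if via_proxy and s.tunneled_over_http:
        return "proxied-tunnel"  # proxy forwards ciphertext: metadata only
    if not via_proxy and pin_ok:
        return "direct"
    return "unexpected"          # e.g. cert mismatch with no proxy: investigate


def exposure(kind: str) -> str:
    # What an operator of the proxy could read for each classification.
    return {
        "proxied-mitm": "URLs, credentials and page content in clear text",
        "proxied-tunnel": "destination host and traffic volume only",
        "direct": "nothing",
    }.get(kind, "unknown, needs investigation")


def constructed_sessions():
    real = PINNED["www.google.com"]
    bogus = "sha256:" + "cd" * 32  # cert minted by the proxy (constructed)
    return [
        Session("www.google.com", "cloud13.xpress.nokia.com", False, bogus),  # before update
        Session("www.google.com", "cloud13.xpress.nokia.com", True, real),    # after update
        Session("www.google.com", "www.google.com", False, real),             # no proxy
    ]


def summarize(sessions) -> dict:
    return dict(Counter(classify(s) for s in sessions))
```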

The case has fallen silent and the researcher's stance has changed, but what happened is very serious and raises some questions:

  • Nokia has always shown transparency in its choices and is committed to respecting user privacy. What really happened this time? Could it have been a naive choice?
  • How does Nokia manage this information, and who ensures that it is not disclosed, even by mistake or as the result of an attack, as has already happened to other companies in the past?

Exactly one year ago Nokia was cited, together with RIM and Apple, as having provided the Indian government, in particular its military, with a backdoor giving the ability to control every mobile device.

Indian military internal documents were found that refer to a project called RINOA SUR, where the word RINOA stands for RIM, Nokia and Apple. The project relates to a platform used to spy on the USCC, the US-China Economic and Security Review Commission.

The documents contain portions of emails sent by members of the USCC regarding the successful usage of RINOA SUR, in which the Indian Navy has also shown interest. The documents suggest that RIM, Nokia and Apple were required to provide backdoor access.

At this point I think users' concerns are justifiable: governments are increasing the level of monitoring, and more transparency about their operations is desirable. Whatever the reasons behind the solution implemented by Nokia, it is essential that users of its mobile devices are made aware of the potential effects and consequences in terms of security.

What would happen if a group of state-sponsored hackers or hacktivists compromised Nokia's servers? Do you think it is so absurd?

I leave you with an extract of the privacy policy for the browser published by Nokia:

“The URLs of such sites which you access with the Nokia Browser are stored by Nokia.” However, it does point out that: “Your browsing is not associated to any personally identifiable information and we do not collect any usernames or passwords or any related information on your purchase transactions, such as your credit card number during your browsing sessions.”

Pierluigi Paganini
