Nokia Admits Decrypting User Data But Denies Man-in-the-Middle Attacks
Nokia says it does decrypt some customer information over HTTPS traffic, but isn’t spying on people
Nokia has rejected claims it might be spying on users’ encrypted Internet traffic, but admitted it is intercepting and temporarily decrypting HTTPS connections for the benefit of customers.
A security professional alleged Nokia was carrying out so-called man-in-the-middle attacks on its own users. Gaurang Pandya, currently infrastructure security architect at Unisys Global Services India, said in December he saw traffic being diverted from his Nokia Asha phone through to Nokia-owned proxy servers.
Pandya wanted to know if SSL-protected traffic was being diverted through Nokia servers too. Yesterday, in a blog post, Pandya said Nokia was intercepting HTTPS traffic and could have been snooping on users’ content, as he had determined by looking at DNS requests and SSL certificates using Nokia’s mobile browser.
“When checked, the DNS request was sent for ‘cloud13.browser.ovi.com’ which is same host where we had seen even HTTP traffic being sent,” he wrote.
“It is evident … that even HTTPS requests are also getting redirected to Nokia/Ovi servers, which raises a question about [the] certificate that [is] being received from Nokia’s servers and [the] trusted list of certificates in Nokia [phones].
Having checked the trusted certificates list in the phone, the researcher found Nokia had pre-configured the device to trust certificates sent from its servers. “Which is the reason why there are no security alerts being shown during this man-in-the-middle attack by Nokia,” he added.
“From the tests that were preformed, it is evident that Nokia is performing man-in-the-middle attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.”
Nokia said it was diverting user connections through its own proxy servers as part of the traffic compression feature of its browser, designed to make services speedier. It was not looking at any encrypted content, even though it did temporarily decrypt some information. This could still be defined as a man-in-the-middle attack, although Nokia says no data is being viewed by its staff.
“The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value out of their data plans,” a spokesperson said, in an email sent to TechWeekEurope.
“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them. When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.
“Nokia has implemented appropriate organisational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”
Nokia said it would review the information provided in the mobile client “in case this can be improved”.
Other browser makers do compression using their own servers – Opera, for instance, is vocal about it.
Opera told TechWeekEurope HTTPS traffic over the Mini browser does go through its own data centres unencrypted. “The encrypted SSL session is established between the Mini server and target web server,” a spokesperson explained. “However, because the connection from the mobile client to the server is also encrypted, there is no place except in our data centre where user data are transmitted unencrypted. If you need full end-to-end encryption, you should use a full web browser such as Opera Mobile.”
It comes down to a question of trust on the user side and of transparency on the vendor side. Users have to have faith their browser maker won’t be snooping on their unencrypted traffic, whilst vendors are being asked to be more upfront about what compression features mean for privacy.
What do you know about online security? Try our quiz and find out!