dslreports logo
 story category
Nokia Accused of Hijacking, Decrypting User Data
Nokia Admits Doing it But Promises They Won't Peek
Security analyst Gaurang Pandya this week proclaimed that Nokia has been hijacking Internet traffic of Nokia phone users, technically providing the company with access to all user Internet browsing activity. According to the researcher, Nokia is effectively conducting a "man in the middle attack" on its users, intercepting and temporarily decrypting HTTPS connections, giving Nokia access to all manner of protected communications. Said Pandya of Nokia's practices:
quote:
Click for full size
"From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature."
Nokia has since responded to the claims in a statement, acknowledging that the company does decrypt data, but only in order to speed up user browsing through compression:
quote:
“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them,” the company said. “When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner. "Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate."
In other words, Nokia admits to doing it but believes you should trust them not to peek at any of the data. In addition to intercepting and decrypting this traffic, Nokia failed to adequately inform users (in fine print or otherwise) that this was happening. While this is an ugly PR mess for Nokia, it's being overshadowed by the news that Nokia isn't doing as poorly as many had expected, thanks in large part to the sale of 4.4 million Lumia phones during the fourth quarter of 2012.
view:
topics flat nest 

anon523
@mich.net

anon523

Anon

Wow

Just spying on some http traffic is bad, but this takes it to a whole new level. It just amazes me that a company who is trying to increase their market share would also do something that could pull the rug out from underneath them.

So we just decrypted your bank traffic and made sure to store that info on our servers, but we promise we're not going to use that data....

JackKane
@covad.net

JackKane

Anon

Re: Wow

Is Opera Mini not doing exactly the same thing? Opera uses its servers as proxies to compress and speed up pages, and it would have to do "man in the middle" if it is to accelerate https traffic.

I'm not saying that this is "good", but this has been happening for a while and even if you put it in the fine print most people won't understand the meaning of this. No company will say upfront that "we can see your credit card numbers but won't look at them", even the ones with best intentions.

BTW, Opera Mobile uses acceleration features too and probably has to do the same thing when data goes through their servers.

MovieLover76
join:2009-09-11
Cherry Hill, NJ
(Software) pfSense
Asus RT-AC68
Asus RT-AC66

1 recommendation

MovieLover76

Member

Re: Wow

Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.

Some idiot at Nokia, probably a executive who has no clue insisted they find a way to accelerate https traffic.

FFH5
Premium Member
join:2002-03-03
Tavistock NJ

FFH5

Premium Member

Re: Wow

said by MovieLover76:

Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.

Some idiot at Nokia, probably a executive who has no clue insisted they find a way to accelerate https traffic.

Opera doesn't accelerate https traffic.
cramer
Premium Member
join:2007-04-10
Raleigh, NC
Westell 6100
Cisco PIX 501

cramer to MovieLover76

Premium Member

to MovieLover76
Accelerate HTTPS traffic? If by "accelerate" you mean form network connections faster, then off-loading the entire SSL handshake from the phone would be a very good starting point. (but then, the *phone* isn't doing https) If you mean compression, then the only way to do it is via decrypting the stream -- the encrypted bit stream is NOT compressible. But unless you are going to actively MODIFY the content (re-encode jpg's with lower quality, etc.) (which is an illegal wiretap), you're wasting your time as pretty much *every* web server in existence is already compressing it's output.

Also, to "man in the middle" an HTTPS connection, you not only need to be in the middle, you also have to be at the origin... the ssl certificate contains a name, and when it doesn't match the name you used to get there, the browser throws up a warning. The only way around this is to, well, be the browser ("don't look be hind that curtain"), or... install a local trusted "*" wildcard certificate. (which is how we've done it at work for nearly a decade -- 'tho it's not been used in years.)

Selenia
Gentoo Convert
Premium Member
join:2006-09-22
Fort Smith, AR

Selenia to MovieLover76

Premium Member

to MovieLover76
said by MovieLover76:

Opera Mobile to my knowledge does not decrypt https traffic, only http traffic is accelerated, that's pretty standard for software designed to accelerate browsing.

Some idiot at Nokia, probably a executive who has no clue insisted they find a way to accelerate https traffic.

Opera Mini, not Opera Mobile. 2 different beasts. Opera Mobile does the rendering on the device and uses http compression to attempt to speed it up on slower connections. Opera Mini renders all visited sites on their servers, including https. Then a compressed form of the rendered page is sent to the browser, sort of an image with the links overlaid(which is how it renders full pages even on low end java feature phones that are normally incapable). Opera does sufficiently warn about the security implications of this, telling you that https traffic between your phone and their servers is not secured, and not to use it on an unencrypted connection or insecure network. Nokia does the same thing but probably did not want to reveal the trade secret behind the acceleration.
rradina
join:2000-08-08
Chesterfield, MO

rradina to anon523

Member

to anon523
Regardless of whether or not they look at the data, how can they guarantee their proxy servers are beyond compromise? What happens when an underpaid, overworked employee accepts a cash payment to compromise one of the servers for crooks?

IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.
Crookshanks
join:2008-02-04
Binghamton, NY

Crookshanks

Member

Re: Wow

said by rradina:

IMO -- this deals a huge blow to my confidence in HTTPS. I certainly didn't even know this was possible. I always assumed HTTPS was private between the browser software and the content site.

Unless your browser is totally brain dead (possible), or the would-be hacker has compromised a root security certificate (highly unlikely), you will get a certificate error if someone is attempting to perform a man-in-the-middle attack.

Those errors pop up for a reason! Don't ignore them.
rradina
join:2000-08-08
Chesterfield, MO

rradina

Member

Re: Wow

Read the article. They have added trusted certificates of their own that their browser trusts. It doesn't pop-up any message on the phone.
Crookshanks
join:2008-02-04
Binghamton, NY

Crookshanks

Member

Re: Wow

I assumed as such, but it does not change the validity of what I said. See the "brain dead" disclaimer.

If you don't trust your software all bets are off. A normal browser would not behave in this fashion. Nokia has opened up a nasty can of worms here, both from a liability, and precedent standpoint. I doubt many other companies would be foolish enough to follow in their footsteps, and if they do I'd imagine we'll see legislation against this behavior in the not too distant future. There are too many well monied stakeholders (banks) who will be horrified by this.

bobjohnson
Premium Member
join:2007-02-03
Spartanburg, SC

bobjohnson to Crookshanks

Premium Member

to Crookshanks
said by Crookshanks:

Unless your browser is totally brain dead (possible)

Mobile IE9 is brain dead!
8744675
join:2000-10-10
Decatur, GA

8744675 to anon523

Member

to anon523
It's called illegal wiretapping...plain and simple!

jjoshua
Premium Member
join:2001-06-01
Scotch Plains, NJ

jjoshua

Premium Member

Huh?

Why does any phone traffic go through nokia servers?

AnonPerson
join:2000-08-26
Lexington, KY

AnonPerson

Member

Re: Huh?

That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it.

sk1939
Premium Member
join:2010-10-23
Frederick, MD
ARRIS SB8200
Ubiquiti UDM-Pro
Juniper SRX320

sk1939

Premium Member

Re: Huh?

said by AnonPerson:

That is my question as well. The phone should simply be the link between you and the internet. Nokia should have no part in it.

A lot of companies do it or are doing it in order to "speed up" how fast web pages display on a screen. It's much faster to render the page on a server and send it to the phone than have the phone do it. All of the major cell providers use a similar system, as does Apple I'm sure.

MovieLover76
join:2009-09-11
Cherry Hill, NJ
(Software) pfSense
Asus RT-AC68
Asus RT-AC66

MovieLover76

Member

Re: Huh?

But most systems, do not decrypt https traffic, they only optimize http traffic.

You shouldn't trade security for a few seconds on a page load.
and it definitely shouldn't be done by default.

Nokia should be slammed for this. They literally hack your https traffic on a regular basis. No matter what Nokia PR tries to claim, this is a security risk.

I'm very glad I don't own anything from Nokia.
rradina
join:2000-08-08
Chesterfield, MO

1 edit

rradina

Member

Re: Huh?

I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this.

EDIT: Apparently this isn't occuring on WP8 phones. It looks like it's Nokia's feature phones:

Handset Model: Nokia Asha 302
OS Version: 14.78 (31-08-12), RM-813
Browsers Tested On: Nokia Browser (2.2.0.0.31)
OS Type: Series 40 (S40)

sk1939
Premium Member
join:2010-10-23
Frederick, MD
ARRIS SB8200
Ubiquiti UDM-Pro
Juniper SRX320

sk1939

Premium Member

Re: Huh?

said by rradina:

I agree. Compressing clear-text HTTP traffic to increase effective data transfer speeds is one thing but doing it with HTTPS (which unless decrypted, isn't going to compress much if at all) is beyond belief. I didn't even know that was possible and I think Microsoft also owes us an explanation as to how WP8 even allows Nokia to configure the OS to allow this.

EDIT: Apparently this isn't occuring on WP8 phones. It looks like it's Nokia's feature phones:

Handset Model: Nokia Asha 302
OS Version: 14.78 (31-08-12), RM-813
Browsers Tested On: Nokia Browser (2.2.0.0.31)
OS Type: Series 40 (S40)

Which makes sense given their lower processing power compared to a single, dual, or quad core smart phone like the Lumia series.

Metatron2008
You're it
Premium Member
join:2008-09-02
united state

Metatron2008 to jjoshua

Premium Member

to jjoshua
They are probably doing it for more directed advertisement then anybody else

Anonymous88
Premium Member
join:2004-06-01
IA

Anonymous88

Premium Member

Really?

Class action lawsuit in 3...2...1 You'll get your check for $5 while some lawyers will get millions.
patcat88
join:2002-04-05
Jamaica, NY

patcat88

Member

Re: Really?

Lawsuit dismissed with prejudice. Nokia says they won't store it, but of course they will store it with a legal request from the authorities.
Skippy25
join:2000-09-13
Hazelwood, MO

Skippy25 to Anonymous88

Member

to Anonymous88
And the company will pay out millions and will learn it's less.

Which is how the system should work and I have no issue with that.
MaynardKrebs
We did it. We heaved Steve. Yipee.
Premium Member
join:2009-06-17

MaynardKrebs to Anonymous88

Premium Member

to Anonymous88
said by Anonymous88:

Class action lawsuit in 3...2...1 You'll get your check for $5 while some lawyers will get millions.

That, in a nutshell, is why you should have gone to law school.

newview
Ex .. Ex .. Exactly
Premium Member
join:2001-10-01
Parsonsburg, MD

newview

Premium Member

Nokia just shot themselves in the foot

Any company that does something nefarious to begin with .. and then asks to be forgiven because "it's in the subscriber's best interest" needs to suffer dire consequences ... like huge numbers of subscribers jumping ship.
Expand your moderator at work

skeechan
Ai Otsukaholic
Premium Member
join:2012-01-26
AA169|170

1 edit

skeechan to newview

Premium Member

to newview

Re: Nokia just shot themselves in the foot

There are no shortage of Google zealots that stay with them like frequently beaten wives.

Anonalittle
@centurytel.net

Anonalittle

Anon

nokia servers

Unless it goes to Nokia servers and "then" funneled to the nsa/cia servers.....someone got alittle greedy.........

skeechan
Ai Otsukaholic
Premium Member
join:2012-01-26
AA169|170

skeechan

Premium Member

Seems this is criminal

Until Title 18 2511 it seems to be illegal to intercept communications in this manner, since it is not a "...necessary incident to the rendition of his service...", meaning it is not necessary to intercept and decrypt the communications in order to provide the cell service.

»www.law.cornell.edu/usco ··· /18/2511
Kearnstd
Space Elf
Premium Member
join:2002-01-22
Mullica Hill, NJ

Kearnstd

Premium Member

Re: Seems this is criminal

And that is only here in the US. They likely will run into issues in the EU not only for similar laws to this one, but the stricter privacy laws over there too.

unless this interception is strictly in phones for the USDM.
brianiscool
join:2000-08-16
Tampa, FL

brianiscool

Member

Spy

Last phone I had from Nokia cost $10 and it didn't even have the internet. Enjoy your spying ! I find their products to be terrible. I switch to LG now that is a real phone!

•••

jmn1207
Premium Member
join:2000-07-19
Sterling, VA

jmn1207

Premium Member

Bank Data?

What are they decrypting? Is it RC4 128-bit? Most banks now use this level of encryption at a minimum. I realize this is an older encryption method and there are more secure options available, but is Nokia able to break this level of authentication on the fly as a middle man?

••••••••
MTU
Premium Member
join:2005-02-15
San Luis Obispo, CA

MTU

Premium Member

User Data

Are there those who actually still believe that their data is sacrosanct? Especially as regards cellphone data.

David
Premium Member
join:2002-05-30
Granite City, IL

David

Premium Member

doesn't iAds

do the same thing? Seems like it to me.
ConstantineM
join:2011-09-02
San Jose, CA

ConstantineM

Member

Re: doesn't iAds

Do you even know what you're talking about? What does iAds have to do with anything?

David
Premium Member
join:2002-05-30
Granite City, IL

1 edit

David

Premium Member

I think this was a doublepost I saw the famous "404 gateway not found" and the "ngix" on bbr when I posted.

My guess is it posted 2x.
David

David

Premium Member

spy and snoop the same way?

If so, it doesn't seem to affect apple much. I am sure Google is completely innocent from sniffing via the droid platform as well.
ConstantineM
join:2011-09-02
San Jose, CA

ConstantineM

Member

Re: doesn't iAds

said by David:

If so, it doesn't seem to affect apple much. I am sure Google is completely innocent from sniffing via the droid platform as well.

Apple and Google don't need to, David. AT&T does it for them.

And, besides, no https traffic gets intercepted either by Apple or by Google.
ConstantineM

ConstantineM

Member

Wow! Not only do they spy on your https traffic, but they even use invalid certificates, and so ANYONE ELSE can do MITM attacks on HTTPS traffic of a Nokia phone?! Disgusting!

compuguybna
join:2009-06-17
Nashville, TN

compuguybna

Member

not as bad at AT&T's snooping rooms... (aka Room 641A).

StuartMW
Premium Member
join:2000-08-06

StuartMW

Premium Member

I wonder if they send a copy of the decrypted traffic to the NSA/CIA/FBI/etc. Actually that's a rhetorical question.

compuguybna
join:2009-06-17
Nashville, TN

compuguybna

Member

Re: I wonder if...

Yeah, probably sent a copy of Nokia's snooping to NSA's snoop room at AT&T Room 641A! LOLOL
said by StuartMW:

I wonder if they send a copy of the decrypted traffic to the NSA/CIA/FBI/etc. Actually that's a rhetorical question.


KrK
Heavy Artillery For The Little Guy
Premium Member
join:2000-01-17
Tulsa, OK

KrK

Premium Member

Compromise most all known forms of secure communications.

odreian615
join:2006-01-18
Chicago, IL

odreian615

Member

All of their promoted phones in the US run WP7-8 which do not let OEM's to change much like the browser IE.
/There is no such thing as a Ovi(Nokia) browser on WP
//There is no such thing as a HTC browser on WP
///There is no such thing as a Samsung browser on WP
////There is no such thing as a Dell browser on WP
/////There is no such thing as a LG browser on WP
\BTW any carrier or OEM bloat can be removed for good in WP in a 2 seconds

C0deZer0
Oc'D To Rhythm And Police
Premium Member
join:2001-10-03
Tempe, AZ

C0deZer0

Premium Member

Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy.

Michail
Premium Member
join:2000-08-02
Boynton Beach, FL

Michail

Premium Member

Re: Manufacturer kills the platform

said by C0deZer0:

Well, this move pretty much kills any interest there might ever be for the Windows Phone in general... now I understand why Microsoft has been switching to HTC for their lead Windows-based phone platform. This is just sleazy to the power of creepy.

But this has nothing to do WP8 Nokia phones at all.

wistlo
join:2003-01-04
New Orleans, LA

wistlo

Member

From what I can see in the original article, https works as expected. The user's device has a pre-installed certificate that essentially gives Nokia keys to all secure browser traffic.

The lesson to take away is not that https traffic is easily decrypted (it isn't), but that users must be very aware of what certificates are installed locally--either by the user, or put there by the carrier or manufacturer.