Nokia Accused of Hijacking, Decrypting User Data
Nokia Admits Doing it But Promises They Won't Peek
Security analyst Gaurang Pandya this week proclaimed that Nokia has been hijacking Internet traffic of Nokia phone users, technically providing the company with access to all user Internet browsing activity. According to the researcher, Nokia is effectively conducting a "man in the middle attack" on its users, intercepting and temporarily decrypting HTTPS connections, giving Nokia access to all manner of protected communications. Said Pandya of Nokia's practices:
"From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature."
Nokia has since responded to the claims in a statement, acknowledging that the company does decrypt data, but only in order to speed up user browsing through compression:
“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them,” the company said. “When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.” “Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”
In other words, Nokia admits to doing it but believes you should trust them not to peek at any of the data. In addition to intercepting and decrypting this traffic, Nokia failed to adequately inform users (in fine print or otherwise) that this was happening. While this is an ugly PR mess for Nokia, it's being overshadowed by the news that Nokia isn't doing as poorly as many had expected, thanks in large part to the sale of 4.4 million Lumia phones during the fourth quarter of 2012.