Slashdot Mirror

← Back to Stories (view on slashdot.org)

Nokia Redirecting Traffic On Some of Its Phones, Including HTTPS

Posted by Soulskill on from the you-can-trust-us dept.

An anonymous reader writes "On Wednesday, security professional Gaurang Pandya outlined how Nokia is hijacking Internet browsing traffic on some of its phones. As a result, the company technically has access to all your Internet content, including sensitive data that is sent over secure connections (HTTPS), such as banking credentials and pretty much any other usernames and passwords you use to login to services on the Internet. Last month, Pandya noted his Nokia phone (an Asha 302) was forcing traffic through a proxy, instead of directly hitting the requested server. The connections are either redirected to Nokia/Ovi proxy servers if the Nokia browser is used, and to Opera proxy servers if the Opera Mini browser is used (both apps use the same User-Agent)."

7 of 200 comments (clear)

  1. Opera Mini is supposed to be proxied by Anonymous Coward · · Score: 5, Informative

    The whole point of Opera Mini is to use Opera's proxies to reduce the load on the phone so complaining about that would be stupid (their other browser, Opera Mobile, is the one that doesn't use proxies). Is Nokia's browser expected to do the same as Opera Mini? (that they use the same user agent may imply so)

    1. Re:Opera Mini is supposed to be proxied by MrWeelson · · Score: 5, Informative

      Exactly!
      From http://www.opera.com/mobile/specs/

      "Opera Mini always uses Opera’s advanced server compression technology to compress web content before it gets to a device. The rendering engine is on Opera’s server."

      On the Nokia website it states outright that "Compressed pages mean lower data charges" http://www.nokia.com/gb-en/products/phone/302/

  2. Re:httpS by Above · · Score: 5, Informative

    Actually it may not be that simple without verifying the certificates.

    Many corporations for instance use products that look inside SSL streams (typically IM's) for sensitive data. The way they do this is to install a cert signed by the company on the proxy, and set the company's CA cert on your computer to always trust. Your machine makes a connection which is grabbed by the proxy, the proxy presents the valid corporate certificate. It then makes a connection off to the real service using SSL as well. Your basic man in the middle attack.

    For clients that don't show the cert (like many IM clients) there's no way to know, and on those that do the user would have to check. If they are trained to just look for the padlock it appears all is well.

    I can't tell if Nokia is doing something like that or not, but if you work at a big corporation you might want to check the cert fingerprints for say your bank and compare them to an access from home. I've been told the newer products can generate a cert per site on the fly, making the fake certs look correct (right company name and all of that). If your company is going to that length to spy on you, perhaps it's time to rethink your employer...

  3. Re:httpS by jandar · · Score: 5, Informative

    Nokia has certificates pre-installed to make a man-in-the-middle attack. From the article:

    From the tests that were preformed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it HTTP or HTTPS site when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them for them to use or abuse.

    So this is the worst privacy nightmare.

  4. Re:ISPs can do the same thing. by Anonymous Coward · · Score: 5, Informative

    Wrong. It requires the ISP to plant a certificate on your system that is used to perform the MITM attack. Never install software from your ISP is my motto.

    AC

  5. Yup. by Andy+Prough · · Score: 5, Informative

    Anyone who didn't realize Opera Mini was rerouting data for compression on their servers just didn't look into it before downloading and using it. It's a "feature" - supposed to get you faster browsing. Worked pretty well for me when I had it on a 3G Blackberry.

  6. Re:Traffic is *supposed to* be proxied. by miroku000 · · Score: 5, Informative

    The only thing that rises eyebrows a little is that they indeed MITM https traffic by re-encrypting the traffic and using their own certificate (which is installed as trusted on the phone) on phoneproxy communication. But this is how SSL is supposed to work - if you want to be sure about both sides you will also need client-side certificates.

    This is *not* how SSL is supposed to work. Any certificate authority that is forging certificates for other people's web servers is not one that should be trusted. Essentially, Nokia is lying to the web browser and saying that they are actually Amazon.com or whoever you are making a secure connection with. By fraudulently representing that they are Amazon.com or whoever, they are intercepting your passwords to these sites. Client side certificates would not help in this case because the client is controlled by Nokia. So, they would have a copy of your client side certificates as well.