By Tom Brewster
Nokia has rejected claims it might be spying on users’ encrypted Internet traffic, but admitted it is intercepting and temporarily decrypting HTTPS connections for the benefit of customers.
A security professional alleged Nokia was carrying out so-called man-in-the-middle attacks on its own users. Gaurang Pandya, currently infrastructure security architect at Unisys Global Services India, said in December he saw traffic being diverted from his Nokia Asha phone through to Nokia-owned proxy servers.
Pandya wanted to know if SSL-protected traffic was being diverted through Nokia servers too. Yesterday, in a blog post, Pandya said Nokia was intercepting HTTPS traffic and could have been snooping on users’ content, as he had determined by looking at DNS requests and SSL certificates using Nokia’s mobile browser.
“When checked, the DNS request was sent for ‘cloud13.browser.ovi.com’ which is same host where we had seen even HTTP traffic being sent,” he wrote.
“It is evident … that even HTTPS requests are also getting redirected to Nokia/Ovi servers, which raises a question about [the] certificate that [is] being received from Nokia’s servers and [the] trusted list of certificates in Nokia [phones].
Having checked the trusted certificates list in the phone, the researcher found Nokia had pre-configured the device to trust certificates sent from its servers. “Which is the reason why there are no security alerts being shown during this man-in-the-middle attack by Nokia,” he added.
“From the tests that were preformed, it is evident that Nokia is performing man-in-the-middle attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature.”
Nokia said it was diverting user connections through its own proxy servers as part of the traffic compression feature of its browser, designed to make services speedier. It was not looking at any encrypted content, even though it did temporarily decrypt some information. This could still be defined as a man-in-the-middle attack, although Nokia says no data is being viewed by its staff.
