Astonishingly, Nokia has been found guilty of spying on its users and running a ‘Man-in-the-middle’ attack. The company has confirmed the allegations raised by a security researcher, who exposed the Finnish multinational’s gutsy ploy of channeling encrypted HTTPS traffic received from its native Xpress Browsers to their servers.
Nokia actually decrypts the received encrypted HTTPS traffic on the server side and conducts what in cryptography is known as a ‘Man-in-the-Middle’ attack. Considering the fact that HTTPS traffic carries sensitive information like banking sessions, email messages, social networking sessions, and other sensitive information, such a diabolical setup is simply unacceptable.
Though the Finnish multinational has confirmed that it decrypts the HTTPS traffic, it says it would never use customer’s sensitive data for any undue advantage. (!) That’s like saying- Yes, we would spy on you. But we won’t let anyone know.
Nokia’s diabolical setup was exposed by security researcher Gaurang Pandya, who works for Unisys Global Services in India. He explained on his blog, how his Nokia Series ‘40’ Asha phone routes the sensitive HTTPS traffic through Nokia servers.
“From the tests that were preformed, it is evident that Nokia is performing Man in the Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature” reads Gaurang’s blog,
Collection of user data clashes with Nokia’s privacy statement, which clearly emphasizes the fact that Nokia would never use/access sensitive information of its users like username, password, and credit card numbers.
Nokia, however, countered the allegations by saying that Xpress Browser, which is the default browser for Asha and Lumia series, compresses the sent traffic to reduce data costs and improved speeds. They clarified that to decompress the data on the server side, temporary decryption of HTTPS traffic is necessary.
“Importantly, the proxy servers do not store the content of web pages visited by our users or any information they enter into them,” the company said. “When temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner.
“Nokia has implemented appropriate organizational and technical measures to prevent access to private information. Claims that we would access complete unencrypted information are inaccurate.”
So, in order to provide marginally better speeds and reduce data-costs, Nokia is compromising the most vital factor- security. While there’s no harm in compressing data to offer improved speeds (browsers like Opera Mini do just that), the compression should only be limited to unencrypted traffic. As encrypted HTTPS channels carry sensitive information, they should not be pestered in any possible way.
Nokia has released an immediate update to the browser that promises to remove the ‘Man-in-the-middle’ attack. However, according to Gaurang Pandya, the update is not entirely promising.
Just upgraded my Nokia browser, the version now is 22.214.171.124.48, and as expected there is a change in HTTPS behavior. There’s both, good news and bad news. The good news is with this browser, they are no more doing Man-In-The-Middle attack on HTTPS traffic, which was originally the issue, and the bad news is the traffic is still flowing through their servers. This time they are tunneling HTTPS traffic over HTTP connection to their server.