On Sat, Jan 12, 2013 at 2:14 AM, Steve Pirk <[email protected]> wrote:
> Good catch Jeffrey - The browser update apparently fixes the "bug" :)
> http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/
>
> The site won't load for me tonight, so I will try it in the morning, but you
> nailed the issue.

For completeness, Gaurang Pandya was the researcher who publicized the finding.
Also see "Death Twitches: Nokia Caught Wiretapping Encrypted Traffic From Its Handsets," http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/.

Jeff

> On Thu, Jan 10, 2013 at 2:15 PM, Jeffrey Walton <[email protected]> wrote:
>>
>> http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
>>
>> After discovering that HTTP traffic from the phone is getting
>> redirected through Nokia’s server farm as shown in previous post, the
>> most obvious next step was to check if at least HTTPS traffic is
>> getting its due respect and is being transferred without any
>> intermediate host inspecting it. Due to the fact that HTTPS traffic is
>> encrypted before getting transmitted, it is not possible to look at
>> HTTP(S) packet header in order to figure out details as was done in
>> case of HTTP as per previous post. However there are two ways to get
>> an idea of how traffic is flowing.
>>
>> Check if DNS requests are sent for requested website.
>> Check certificate sent from server
>>
>> DNS Request Check
>>
>> The goal of this test was to find whether the phone is sending DNS
>> query for site that is being requested to be browsed. To test this we
>> had browsed site https://www.google.com through Nokia browser. Ideally
>> the phone should have sent DNS query requesting IP address for
>> “www.google.com”, which would have looked normal. On the contrary when
>> checked, the DNS request was sent for “cloud13.browser.ovi.com” which
>> is same host where we had seen even HTTP traffic being sent as per
>> previous post. Not just that, there was no attempt made to resolve
>> “www.google.com”. The wireshark snapshot given below proves this fact,
>> but there is no way from wireshark snapshot taken off wifi router it
>> can be proved that the request was originally made for
>> https://www.google.com and not for cloud13.browser.ovi.com.
>>
>> [image removed]
>>
>> Certificate Response Check
>>
>> It is evident from above snapshot, that even https requests are also
>> getting redirected to Nokia/Ovi servers, which raises a question about
>> certificate that is being received from Nokia’s servers and trusted
>> list of certificates in Nokia phone in subject. Let us first look at
>> certificates being received from Nokia servers during this
>> transaction. Given below is packet sniff from wifi router.
>>
>> [image removed]
>>
>> When checked trusted certificates in phone it is found that Nokia has
>> pre-configured the phone by trusting at least one of these
>> certificates, which is the reason why there are no security alerts
>> being shown during this Man In The Middle (MITM) attack by Nokia. The
>> snapshot given below shows details about each of the three
>> certificates that are shown in packet capture.
>>
>> [image removed]
>>
>> One more thing that should be noticed here is that the DNS request was
>> sent for “cloud13.browser.ovi.com” whereas certificate (middle one)
>> says it was issued to “cloud1.browser.ovi.com”, and still there was no
>> security warning thrown on the phone.
>>
>> Conclusion
>>
>> From the tests that were performed, it is evident that Nokia is
>> performing Man In The Middle Attack for sensitive HTTPS traffic
>> originated from their phone and hence they do have access to clear
>> text information which could include user credentials to various sites
>> such as social networking, banking, credit card information or
>> anything that is sensitive in nature. In short, be it HTTP or HTTPS
>> site when browsed through the phone in subject, Nokia has complete
>> information unencrypted (in clear text format) available to them for
>> them to use or abuse. Upon checking privacy statement in Nokia’s
>> website following can be found.
>>
>> Websites accessed
>>
>> The URLs of such sites which you access with the Nokia Browser are
>> stored by Nokia.
>> However, we will not collect any personally
>> identifiable information in the context of providing the service. Your
>> browsing is not associated to any personally identifiable information
>> and we do not collect any usernames or passwords or any related
>> information on your purchase transactions, such as your credit card
>> number during your browsing sessions. Also, additional parameters in
>> the URL are not stored.
>> For additional information on their privacy policy you may want to
>> visit their Privacy Policy Page or Nokia Browser Privacy Policy Page
>>
>> Update of 10th January, 2013
>>
>> Just noticed when I tried to browse a site through Nokia browser, I
>> got a message to upgrade browser. I clicked remind later as I wanted
>> to something. My guess is Nokia would have fixed this. But nothing can
>> be said without actually upgrading and testing. Also seeing “Update
>> your browser” in browser.nokia.com. Since no date/time stamp is given
>> there it can not be confirmed if this is new or old.

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
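
Added example, not part of the thread or of the quoted blog post: the post's two checks (was the requested site ever resolved, and does the certificate name the host in play) run over the host names it quotes. The function names are hypothetical, the inputs are names read by hand from a capture, and the RFC 6125-style matching rule (which also covers a wildcard case the post does not show) is an assumption about what a strict client should enforce.

```python
# Added example (not from the post): the post's two checks on constructed data.

def normalize(name):
    """Lower-case a DNS name and drop any trailing root dot."""
    return name.rstrip(".").lower()

def hostname_matches(cert_name, host):
    """RFC 6125-style match: exact, or '*' standing for the whole left-most label."""
    cert_labels = normalize(cert_name).split(".")
    host_labels = normalize(host).split(".")
    if len(cert_labels) != len(host_labels):
        return False
    if cert_labels[0] == "*":
        return len(cert_labels) > 2 and cert_labels[1:] == host_labels[1:]
    return cert_labels == host_labels

def dns_check(requested_host, observed_queries):
    """Report whether the requested site was resolved and what else was."""
    seen = {normalize(q) for q in observed_queries}
    wanted = normalize(requested_host)
    return {"requested_resolved": wanted in seen,
            "other_names": sorted(seen - {wanted})}

def certificate_check(cert_names, requested_host, connected_host):
    """Check the leaf certificate's names against both hosts in play."""
    def covers(host):
        return any(hostname_matches(n, host) for n in cert_names)
    return {"valid_for_requested": covers(requested_host),
            "valid_for_connected": covers(connected_host)}

def assess(requested_host, observed_queries, connected_host, cert_names):
    """Return human-readable findings for one browsing attempt."""
    findings = []
    dns = dns_check(requested_host, observed_queries)
    if not dns["requested_resolved"]:
        findings.append("no DNS query for %s; resolved instead: %s"
                        % (requested_host, ", ".join(dns["other_names"]) or "nothing"))
    cert = certificate_check(cert_names, requested_host, connected_host)
    if not cert["valid_for_requested"]:
        findings.append("certificate is not valid for %s" % requested_host)
    if not cert["valid_for_connected"]:
        findings.append("certificate does not match %s either" % connected_host)
    return findings

# Constructed sample, using only the host names quoted in the post.
SAMPLE = dict(requested_host="www.google.com",
              observed_queries=["cloud13.browser.ovi.com"],
              connected_host="cloud13.browser.ovi.com",
              cert_names=["cloud1.browser.ovi.com"])
print("\n".join(assess(**SAMPLE)))
```

All three findings fire on the sample, including the cloud1/cloud13 mismatch that the post says produced no warning on the handset.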
