Re: [funsec] Nokia’s MITM on HTTPS traffic from their phone

[Jeffrey Walton <noloader () gmail com>]

On Sat, Jan 12, 2013 at 2:14 AM, Steve Pirk <pirkster () gmail com> wrote:
> Good catch Jeffrey - The browser update apparently fixes the "bug" :)
> http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/
>
> The site won't load for me tonight, so I will try it in the morning, but you
> nailed the issue.
For completeness, Gaurang Pandya was the researcher who publicized the finding.

Also see "Death Twitches: Nokia Caught Wiretapping Encrypted Traffic
From Its Handsets,"
http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/.

Jeff

> On Thu, Jan 10, 2013 at 2:15 PM, Jeffrey Walton <noloader () gmail com> wrote:
> > http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/
> >
> > After discovering that HTTP traffic from the phone is getting
> > redirected through Nokia’s server farm as shown in previous post, the
> > most obvious next step was to check if at least HTTPS traffic is
> > getting its due respect and is being transferred without any
> > intermediate host inspecting it. Due to fact that HTTPS traffic is
> > encrypted before getting transmitted, it is not possible to look at
> > HTTP(S) packet header in order to figure out details as was done in
> > case of HTTP as per previous post. However there are two ways to get
> > an idea of how traffic is flowing.
> >
> > Check if DNS requests are sent for requested website.
> > Check certificate sent from server
> > DNS Request Check
> >
> > The goal of this test was to find whether the phone is sending DNS
> > query for site that is being requested to be browsed. To test this we
> > had browsed site https://www.google.com through Nokia browser. Ideally
> > the phone should have send DNS query requesting IP address for
> > “www.google.com”, which would have looked normal. On the contrary when
> > checked, the DNS request was sent for “cloud13.browser.ovi.com” which
> > is same host where we had seen even HTTP traffic being sent as per
> > previous post. Not just that, there was no attempt made to resolve
> > “www.google.com”. The wireshark snapshot given below proves this fact,
> > but there is no way from wireshark snapshot taken off wifi router it
> > can be proved that the request was originally made for
> > https://www.google.com and not for cloud13.browser.ovi.com.
> >
> > [image removed]
> >
> > Certificate Response Check
> >
> > It is evident from above snapshot, that even https requests are also
> > getting redirected to Nokia/Ovi servers, which raises a question about
> > certificate that it being received from Nokia’s servers and trusted
> > list of certificates in Nokia phone in subject. Let us first look at
> > certificates being received from Nokia servers during this
> > transaction. Given below is packet sniff from wifi router.
> >
> > [image removed]
> >
> > When checked trusted certificates in phone it is found that Nokia has
> > pre-configured the phone by trusting at least one of these
> > certificates, which is the reason why there are no security alerts
> > being shown during this Man In The Middle (MITM) attack by Nokia. The
> > snapshot given below shows details about each of the three
> > certificates that are shown in packet capture.
> >
> > [image removed]
> >
> > One more thing that should be noticed here is that the DNS request was
> > send for “cloud13.browser.ovi.com” where as certificate (middle one)
> > says it was issued to “cloud1.browser.ovi.com”, and still there was no
> > security warning thrown on the phone.
> >
> > Conclusion
> >
> > From the tests that were preformed, it is evident that Nokia is
> > performing Man In The Middle Attack for sensitive HTTPS traffic
> > originated from their phone and hence they do have access to clear
> > text information which could include user credentials to various sites
> > such as social networking, banking, credit card information or
> > anything that is sensitive in nature. In short, be it HTTP or HTTPS
> > site when browsed through the phone in subject, Nokia has complete
> > information unencrypted (in clear text format) available to them for
> > them to use or abuse. Up on checking privacy statement in Nokia’s
> > website following can be found.
> >
> > Websites accessed
> >
> > The URLs of such sites which you access with the Nokia Browser are
> > stored by Nokia. However, we will not collect any personally
> > identifiable information in the context of providing the service. Your
> > browsing is not associated to any personally identifiable information
> > and we do not collect any usernames or passwords or any related
> > information on your purchase transactions, such as your credit card
> > number during your browsing sessions. Also, additional parameters in
> > the URL are not stored.
> > For additional information on their privacy policy you may want to
> > visit their Privacy Policy Page or Nokia Browser Privacy Policy Page
> >
> > Update of 10th January,2013
> >
> > Just noticed when I tried to browse a site through Nokia browser, I
> > got a message to upgrade browser. I clicked remind later as I wanted
> > to something. My guess is Nokia would have fixed this. But nothing can
> > be said without actually upgrading and testing. Also seeing “Update
> > your browser” in browser.nokia.com. Since no date/time stamp is given
> > there it can not be confirmed if this is new or old.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.