Re: [funsec] Nokia’s MITM on HTTPS traffic from their phone
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 12 Jan 2013 06:02:12 -0500
On Sat, Jan 12, 2013 at 2:14 AM, Steve Pirk <pirkster () gmail com> wrote:
Good catch Jeffrey - The browser update apparently fixes the "bug" :) http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/ The site won't load for me tonight, so I will try it in the morning, but you nailed the issue.
For completeness, Gaurang Pandya was the researcher who publicized the finding. Also see "Death Twitches: Nokia Caught Wiretapping Encrypted Traffic From Its Handsets," http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/. Jeff
On Thu, Jan 10, 2013 at 2:15 PM, Jeffrey Walton <noloader () gmail com> wrote:

http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/

After discovering that HTTP traffic from the phone is getting redirected through Nokia’s server farm as shown in the previous post, the most obvious next step was to check if at least HTTPS traffic is getting its due respect and is being transferred without any intermediate host inspecting it. Due to the fact that HTTPS traffic is encrypted before getting transmitted, it is not possible to look at the HTTP(S) packet header in order to figure out details as was done in the case of HTTP as per the previous post. However, there are two ways to get an idea of how traffic is flowing:

- Check if DNS requests are sent for the requested website.
- Check the certificate sent from the server.

DNS Request Check

The goal of this test was to find whether the phone is sending a DNS query for the site that is being requested to be browsed. To test this we browsed the site https://www.google.com through the Nokia browser. Ideally the phone should have sent a DNS query requesting the IP address for “www.google.com”, which would have looked normal. On the contrary, when checked, the DNS request was sent for “cloud13.browser.ovi.com”, which is the same host where we had seen even HTTP traffic being sent as per the previous post. Not just that, there was no attempt made to resolve “www.google.com”. The Wireshark snapshot given below proves this fact, but there is no way from a Wireshark snapshot taken off the wifi router that it can be proved that the request was originally made for https://www.google.com and not for cloud13.browser.ovi.com.

[image removed]

Certificate Response Check

It is evident from the above snapshot that even HTTPS requests are getting redirected to Nokia/Ovi servers, which raises a question about the certificate that is being received from Nokia’s servers and the trusted list of certificates in the Nokia phone in subject.

Let us first look at the certificates being received from Nokia servers during this transaction. Given below is the packet sniff from the wifi router.

[image removed]

When the trusted certificates in the phone were checked, it was found that Nokia has pre-configured the phone by trusting at least one of these certificates, which is the reason why there are no security alerts being shown during this Man In The Middle (MITM) attack by Nokia. The snapshot given below shows details about each of the three certificates that are shown in the packet capture.

[image removed]

One more thing that should be noticed here is that the DNS request was sent for “cloud13.browser.ovi.com”, whereas the certificate (the middle one) says it was issued to “cloud1.browser.ovi.com”, and still there was no security warning thrown on the phone.

Conclusion

From the tests that were performed, it is evident that Nokia is performing a Man In The Middle Attack on sensitive HTTPS traffic originating from their phone, and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature. In short, be it an HTTP or HTTPS site, when browsed through the phone in subject, Nokia has complete information unencrypted (in clear text format) available to them to use or abuse.

Upon checking the privacy statement on Nokia’s website, the following can be found:

Websites accessed
The URLs of such sites which you access with the Nokia Browser are stored by Nokia. However, we will not collect any personally identifiable information in the context of providing the service. Your browsing is not associated to any personally identifiable information and we do not collect any usernames or passwords or any related information on your purchase transactions, such as your credit card number during your browsing sessions. Also, additional parameters in the URL are not stored.

For additional information on their privacy policy you may want to visit their Privacy Policy Page or Nokia Browser Privacy Policy Page.

Update of 10th January, 2013

Just noticed when I tried to browse a site through the Nokia browser, I got a message to upgrade the browser. I clicked remind later as I wanted to something. My guess is Nokia would have fixed this. But nothing can be said without actually upgrading and testing. Also seeing “Update your browser” in browser.nokia.com. Since no date/time stamp is given there it cannot be confirmed if this is new or old.
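The quoted post relies on two observations to establish the interception: the phone never resolved the host the user asked for, and the certificate it accepted was issued to a different name than either the requested site or the name it did resolve. Below is an added example, not part of this thread or of Gaurang Pandya's post, that turns both observations into checks a defender can run against a capture. The `Certificate` class, `assess_session()` and all sample hostnames are constructed for the example (modelled on the values the post reports); the name-matching rules follow RFC 6125.

```python
"""Two checks from the quoted post, as runnable code (added example; not from
the funsec thread or Gaurang Pandya's blog).

1. DNS check: did the device resolve the host the user asked for, or some
   other name?
2. Certificate name check: do the names in the presented certificate cover
   the requested host, under RFC 6125 matching rules?

The Certificate class, assess_session() and the sample data are constructed
for this example; the hostnames are modelled on the values the post reports.
"""
from dataclasses import dataclass


def hostname_matches(presented: str, requested: str) -> bool:
    """RFC 6125-style comparison of one certificate name against a hostname.

    Case-insensitive, trailing dots ignored, and a wildcard is accepted only
    as the entire leftmost label, matching exactly one label. So
    '*.example.com' covers 'www.example.com' but not 'example.com' nor
    'a.b.example.com', and '*.com' is rejected outright.
    """
    pat = presented.lower().rstrip(".").split(".")
    host = requested.lower().rstrip(".").split(".")
    if len(pat) != len(host):
        return False
    if pat[0] == "*":
        if len(pat) < 3:          # refuse wildcards over a public suffix
            return False
        return pat[1:] == host[1:]
    if any("*" in label for label in pat):
        return False              # partial wildcards are not accepted
    return pat == host


@dataclass(frozen=True)
class Certificate:
    """Just the identity fields the check needs (constructed for this example)."""
    subject_cn: str
    san_dns: tuple = ()           # dNSName entries from subjectAltName


def certificate_names(cert: Certificate) -> tuple:
    """Names a client may match the host against. When subjectAltName carries
    dNSName entries, the CN is not consulted (RFC 6125 section 6.4.4)."""
    return cert.san_dns if cert.san_dns else (cert.subject_cn,)


def cert_covers_host(cert: Certificate, requested: str) -> bool:
    return any(hostname_matches(n, requested) for n in certificate_names(cert))


def assess_session(requested: str, dns_qnames, cert: Certificate) -> dict:
    """Combine the two checks for one browsing session.

    requested:  host the user typed (e.g. 'www.google.com')
    dns_qnames: QNAMEs observed on the wire for that session, e.g. from a
                capture on the Wi-Fi router
    cert:       leaf certificate presented on the TLS connection
    """
    queried = {q.lower().rstrip(".") for q in dns_qnames}
    dns_redirected = requested.lower().rstrip(".") not in queried
    cert_name_mismatch = not cert_covers_host(cert, requested)
    return {
        "requested": requested,
        "dns_queried": sorted(queried),
        "dns_redirected": dns_redirected,
        "names_presented": list(certificate_names(cert)),
        "cert_name_mismatch": cert_name_mismatch,
        # A client that shows no warning despite either finding has had its
        # validation relaxed or its trust store extended, as the post describes.
        "should_have_warned": dns_redirected or cert_name_mismatch,
    }


if __name__ == "__main__":
    # Constructed sample data modelled on the post: the user asked for
    # www.google.com, the phone resolved cloud13.browser.ovi.com, and the
    # certificate named cloud1.browser.ovi.com.
    proxied = assess_session(
        "www.google.com",
        ["cloud13.browser.ovi.com"],
        Certificate(subject_cn="cloud1.browser.ovi.com"),
    )
    # A direct session for comparison (constructed; not a real certificate).
    direct = assess_session(
        "www.google.com",
        ["www.google.com"],
        Certificate(subject_cn="www.google.com", san_dns=("*.google.com", "google.com")),
    )
    for label, result in (("proxied", proxied), ("direct", direct)):
        print(label, result)
```

The name check is the part a browser normally performs; the point of the post is that the phone's browser either skipped it or was shipped with a trust anchor and a configuration that made the proxied session look legitimate. Feeding `assess_session()` the QNAMEs and leaf certificate from a router-side capture, as the post did, flags the session on both counts even though the handset showed nothing.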