Home page logo
/

funsec logo funsec mailing list archives

Re: [funsec] Nokia’s MITM on HTTPS traffic from the ir phone
From: Jeffrey Walton <noloader () gmail com>
Date: Sat, 12 Jan 2013 06:02:12 -0500

On Sat, Jan 12, 2013 at 2:14 AM, Steve Pirk <pirkster () gmail com> wrote:
Good catch Jeffrey - The browser update apparently fixes the "bug" :)
http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/

The site won't load for me tonight, so I will try it in the morning, but you
nailed the issue.
For completeness, Gaurang Pandya was the researcher who publicized the finding.

Also see "Death Twitches: Nokia Caught Wiretapping Encrypted Traffic
From Its Handsets,"
http://falkvinge.net/2013/01/11/death-twitches-nokia-caught-wiretapping-encrypted-traffic-from-its-handsets/.

Jeff

On Thu, Jan 10, 2013 at 2:15 PM, Jeffrey Walton <noloader () gmail com> wrote:

http://gaurangkp.wordpress.com/2013/01/09/nokia-https-mitm/

After discovering that HTTP traffic from the phone is getting
redirected through Nokia’s server farm as shown in previous post, the
most obvious next step was to check if at least HTTPS traffic is
getting its due respect and is being transferred without any
intermediate host inspecting it. Due to fact that HTTPS traffic is
encrypted before getting transmitted, it is not possible to look at
HTTP(S) packet header in order to figure out details as was done in
case of HTTP as per previous post. However there are two ways to get
an idea of how traffic is flowing.

Check if DNS requests are sent for requested website.
Check certificate sent from server
DNS Request Check

The goal of this test was to find whether the phone is sending DNS
query for site that is being requested to be browsed. To test this we
had browsed site https://www.google.com through Nokia browser. Ideally
the phone should have send DNS query requesting IP address for
“www.google.com”, which would have looked normal. On the contrary when
checked, the DNS request was sent for “cloud13.browser.ovi.com” which
is same host where we had seen even HTTP traffic being sent as per
previous post. Not just that, there was no attempt made to resolve
“www.google.com”. The wireshark snapshot given below proves this fact,
but there is no way from wireshark snapshot taken off wifi router it
can be proved that the request was originally made for
https://www.google.com and not for cloud13.browser.ovi.com.

[image removed]

Certificate Response Check

It is evident from above snapshot, that even https requests are also
getting redirected to Nokia/Ovi servers, which raises a question about
certificate that it being received from Nokia’s servers and trusted
list of certificates in Nokia phone in subject. Let us first look at
certificates being received from Nokia servers during this
transaction. Given below is packet sniff from wifi router.

[image removed]

When checked trusted certificates in phone it is found that Nokia has
pre-configured the phone by trusting at least one of these
certificates, which is the reason why there are no security alerts
being shown during this Man In The Middle (MITM) attack by Nokia. The
snapshot given below shows details about each of the three
certificates that are shown in packet capture.

[image removed]

One more thing that should be noticed here is that the DNS request was
send for “cloud13.browser.ovi.com” where as certificate (middle one)
says it was issued to “cloud1.browser.ovi.com”, and still there was no
security warning thrown on the phone.

Conclusion

From the tests that were preformed, it is evident that Nokia is
performing Man In The Middle Attack for sensitive HTTPS traffic
originated from their phone and hence they do have access to clear
text information which could include user credentials to various sites
such as social networking, banking, credit card information or
anything that is sensitive in nature. In short, be it HTTP or HTTPS
site when browsed through the phone in subject, Nokia has complete
information unencrypted (in clear text format) available to them for
them to use or abuse. Up on checking privacy statement in Nokia’s
website following can be found.

Websites accessed

The URLs of such sites which you access with the Nokia Browser are
stored by Nokia. However, we will not collect any personally
identifiable information in the context of providing the service. Your
browsing is not associated to any personally identifiable information
and we do not collect any usernames or passwords or any related
information on your purchase transactions, such as your credit card
number during your browsing sessions. Also, additional parameters in
the URL are not stored.
For additional information on their privacy policy you may want to
visit their Privacy Policy Page or Nokia Browser Privacy Policy Page

Update of 10th January,2013

Just noticed when I tried to browse a site through Nokia browser, I
got a message to upgrade browser. I clicked remind later as I wanted
to something. My guess is Nokia would have fixed this. But nothing can
be said without actually upgrading and testing. Also seeing “Update
your browser” in browser.nokia.com. Since no date/time stamp is given
there it can not be confirmed if this is new or old.
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault