Nokia caught wiretapping encrypted traffic from its handsets ~ Richard Falkvinge

Wiretapped phoneby Richard Falkvinge

Nokia, the cellphone manufacturer, has been listening in to all encrypted communications from its handset’s web browser. Every connection advertised as secure – banking, social networks, dating, corporate secrets – has been covertly wiretapped by Nokia themselves and decrypted for analysis.

Security researcher Gaurang Pandya posted an article on January 5 about some unexpected behavior with their Nokia handset. It would appear that the traffic would get diverted through Nokia’s servers.

Then, a followup article on January 9 dropped the bomb, and the article goes into quite technical detail: It wasn’t enough that Nokia diverted all traffic from its handsets through its own servers, it also decrypted the encrypted traffic, re-encrypting it before passing it on, issuing HTTPS certificates on the fly that the Nokia phone has been instructed to trust as secure.

This means that Nokia has deliberately been wiretapping all traffic that has been advertised as encrypted on these Nokia handsets – including but not limited to banking, dating, credit card numbers, and corporate secrets – and looking at your secrets in cleartext.

This means that Nokia puts itself between your bank and you, and presents itself asYourBank, Inc. to your phone. This wouldn’t normally be possible, if it weren’t for the fact that the phone had been specifically designed for this deceptive behavior, by installing a Nokia signing certificate on the phone.

Nokia has confirmed this behavior in correspondence with TechWeek Europe (my highlights):

“The compression that occurs within the Nokia Xpress Browser means that users can get faster web browsing and more value [...blahblah...] when temporary decryption of HTTPS connections is required on our proxy servers, to transform and deliver users’ content, it is done in a secure manner”, a Nokia spokesperson told TechWeek Europe.

The issue affects at least the Nokia handsets with Nokia’s own browser, the Nokia Xpress Browser mentioned above.

So why is this a big deal?

It is a big deal because banks rely on having a secure connection all the way to you. As do corporate networks. As do news outlets’ protection of sources. Anybody listening in to the conversation in the middle breaks the whole concept of secrecy – and the phone wasspecifically designed by Nokia to allow Nokia to listen in without telling you.

My, my. Secure connections are presenting themselves as secure end-to-end, and a handset manufacturer breaches this most basic of trusts? We’d have a very hard time trusting a company that says “yes, we’re listening to all of your encrypted communications, yes, bank passwords and dating habits and all of it, but we’re not doing anything bad with it. No, really.”

If Nokia was in trouble over its handset sales already, this complete breach of trustworthiness has to be a death twitch.


About these ads

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: