Thursday, January 24, 2013

Nokia 'hijacks' mobile browser traffic, decrypts HTTPS data

Nokia has caused a stir by performing, in the words of one security researcher, "man in the middle attacks" in order to compress data and speed up the loading of Web pages on some of its phones.

Nokia Asha phones send secure HTTPS data to Nokia servers, says security researcher.

The Finnish phone giant has since admitted that it decrypts secure data that passes through HTTPS connections -- including social networking accounts, online banking, email and other secure sessions -- in order to compress the data and speed up the loading of Web pages.

But Nokia says that there is nothing to worry about.

Researcher Gaurang Pandya discovered that browser traffic from his Nokia (Series 40) "Asha" phone was being routed through Nokia's servers. This is no different to how Opera Mini works or even the BlackBerry browser, an approach that remains popular in areas where the cell service is poor or in developing nations where cash doesn't grow on trees.

Nokia, however, goes one step further, the researcher says. A second post by Pandya, published this week, stated that Nokia was "man in the middle" attacking HTTPS traffic on its users' phones. In simple terms, HTTPS traffic was being routed through Nokia's servers, and could be accessed by Nokia in unencrypted form.

"From the tests that were performed, it is evident that Nokia is performing Man In The Middle Attack for sensitive HTTPS traffic originated from their phone and hence they do have access to clear text information which could include user credentials to various sites such as social networking, banking, credit card information or anything that is sensitive in nature."

He notes that whether it be "HTTP or HTTPS sites when browsed through the phone," Nokia has "complete information unencrypted (in clear text format) available to them for them to use or abuse."

Read more: ZDnet

Posted via email from Jasper-Net