Sunday, March 22, 2009

Why Nokia wants my email password?


Many new Nokia S60 terminals seem to have an "email wizard" that helps the user to configure an email account to the terminal. Wizard prompts the user to give some basic information and then in most cases wizard is able to create account with all the correct settings.

Lets use Nokia 5800, an iconic device that has sold over 1.000.000 units. When you start the email wizard, you will see a screen like this



If I click "Back", wizard closes and email account is not created. Clicking "Start" will continue the wizard, but was that answer also consent to store the personal information? Anyway, there doesn't seem to be a way to create an account without this wizard.

Let's create an account for user test.user@mycompany.com (his password is "topsecret" but I will not tell it to anybody). After you have entered this information, the wizard will open a network connection and make an HTTP request to URL

https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera

Nice! I just sent to Nokia my email address, password, operator information and terminal type (in HTTP headers, not visible here). All you Nokia 5800 users around the world: did you know that? I didn't know that, nor did I like it.

Today I had an opportunity to play with a new Nokia E75, phone that's supposed to be THE email device of all business users. First impression with the device is very good, it's solid and snappy. When I checked the email client, it was behaving just as in 5800. When you create an account, wizard will send your sensitive data over the internet to Nokia's server.

When I create an email account that has absolutely nothing to do with Nokia's email services, my user credentials are sent to Nokia's server. I guess that this feature can be a show-stopper in some business environments - "hey, let's create email accounts and send our usernames and passwords to Nokia" doesn't sound that good.

According to my tests it seems that if you want to create an email account without giving your credentials to Nokia, you have two options:
  • you should give a dummy information to the wizard when it is asking for email address and password. Wizard will try to fetch settings from the internet but finally gives up and you can input the data safely.
  • put phone to offline mode when creating the account. That way phone cannot connect to any servers and when wizard notices it, you will be able to enter the email account data without sending it to the Nokia servers.

So finally, here are my questions to Nokia:
  • Why you have created an email wizard that by default sends user's email login information to your server without making that very clear and asking explicit permission to do so?
  • Why there is no option available to create an email account manually, without any wizards?
  • When user starts the wizard and continues from the first screen, does that give permission to Nokia to store my personal information?
  • If my personal information was stored to Nokia's servers because I've used email wizard to create an email account, how can I get my data removed from the server?
  • How do you use my personal data, collected from email wizard?

Update: Read also my follow up post.
Update 2: I'm trying to give answers to readers' questions here.
Update 3: Nokia's official statement is here.

//Harri

56 comments:

Benedikt said...

Wow, I did not know that. I guess it is the same with E71? Thank you for that information.

Harri Salminen said...

Hi,

I don't have an E71 here to test, but I'd guess that any device that has an email wizard is a suspect.

//Harri

m g © o said...

whoa! i'm wondering, what did nokia have to say about it?

i have an E-series now and I'm stuck with the fact that Nokia doesn't support synchronization for Linux...

but this... email privacy issue is something serious if true.

Tzer2 said...

Just wondering, did you contact Nokia directly with the questions?

If you didn't, I can try to as I work for a site that specialises in Symbian phones such as the 5800. We've asked them about controversial stuff in the past and they usually say at least something in response.

Harri Salminen said...

Yes, I have contacted Nokia about this issue, but I haven't received more information than "we are investigating this".

If you have connections to Nokia, I think you should ask them and try to get some answers to my questions.

Karri said...

In E71 the regular email client does not do this, but the new Nokia messaging client does.

I suspect that the idea is that by utilising those user credentials Nokia is able to implement a push mail to mobile devices even for those email service providers who do not support it directly.

Routing mails and instant messaging (yes, you can see the same pattern in their Ovi Contacts client) via Nokia does not sound very appealing to me so I just use the old email client in E71 and a separate instant messaging client.

Harri Salminen said...

Hi Karri,

Thanks for leaving a comment.

Like I wrote in my followup post, I understand that if a messaging proxy is used it must have access to user's credentials. However, when user wants to use direct IMAP connection to his email provider without any 3rd party proxies, it is unacceptable to send credentials to anywhere else than to the email provider.

//Harri

Mikko said...

Hey, this is just great. Now the credientals of our salesmen are transferred to Nokia. I wonder how many emails they're able to harvest before the passwords expire. I predict shitstorm.

Anonymous said...

That is absolutely insane. Thanks so much for posting this info.

Here I was ensuring all security channels were in place during sending and receiving... so much for that. Time to update my passwords.

Thanks again for posting this info.

Anonymous said...

I tried your URL with the web browser. The server replies xml version="1.0" encoding="utf-8" ccds status="0" code="121". Could the code 121 mean to Nokia phone "I've got it, thank you." ;-)

-Jani

Anonymous said...

Dim-wits...

Ramki B Ramakrishnan said...

I share the same concerns, Nokia should be answering these questions...

Anonymous said...

To clarify some things: this issue is on Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is E75. The older models use the old email/messaging software, that has nothing to do with Nokia Messaging service.

I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.

Apparently this has changed now when E75 ships without the original standalone email client.

So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.

Anonymous said...

Looks like serious issue. But I wonder how you are able to sniff on http traffic?
I was looking for a program to do so once but couldn't find it.

Anonymous said...

On E71, it's the same.

This is interesting:

How much does Nokia Messaging cost?

Nokia Messaging is currently provided on a trial basis. In the future, consumers will be able to acquire Nokia Messaging through an operator plan. You may incur charges in connection with the transfer and receipt of data to your mobile phone and may not be included in your flat data rate plan.

Please contact your operator to know how much you will be charged.

Anonymous said...

On E71, it's the same.
.... in case you install Nokia Messaging :)

Anonymous said...

Amazing!
Thanks for warning us!

One question. How did you realized this was happening? Did you sniffed the network traffic between your phone and your wireless router? (I guess you did)

Cheers!

DF said...

As for how to sniff the traffic from the phone:

The easiest way, as someone already pointed out, is to use the phone's wifi as the IP connection, an do the sniffing on or after the wifi AP.

Some phones also have an "IP passthrough" mode, in which they use their USB cable connection to a computer as their IP connection. In this case, you can easily do the packet capture on that computer.

BTW, it's worth pointing out that sending the credentials unencrypted would be an astoundingly irresponsible thing to do, since anyone on the path between the operator's network and the Nokia servers would be able to capture said credentials (including the operator itself). This problem would not occur if they use HTTPS instead of HTTP; this point is not clear on the original post. Or did I miss something?

Anonymous said...

Congratulations, you have just discovered how every other push e-mail system works.

Anonymous said...

"This problem would not occur if they use HTTPS instead of HTTP"

No, not really... Even if the phone uses HTTPS to send the information to Nokia, every ISP and anyone sniffing [ackets along the way will see the entire URL (https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&address=test.user@mycompany.com&password=topsecret&
mcc=244&mnc=91&carrier=sonera)

Anonymous said...

"No, not really... Even if the phone uses HTTPS to send the information to Nokia, every ISP and anyone sniffing [ackets along the way will see the entire URL"

This is not true. SSL (secure sockets layer) encrypts everything that you put through the socket. In HTTP requests the url is passed in the socket along with the data. So no one in between is able to catch the whole URL, only the domain part if sniffing for DNS.

Dave said...

If you buy a blackberry in a store intending to use it with an existing IMAP/POP account (rather than a companies own Blackberry Enterprise server) it also forwards the account information to a remote server (although I expect from Blackberry the forwarding is somewhat more secure?).
I think this is probably true of most push email systems - the nasty is how these systems are transparent and you don't realise your mail is going via another system.

Dave

nosuchuser said...

Are you sure there isn't a way to configure email accounts without using the wizard?

I've been using symbian devices for ages and going "messaging"->"options"->"settings"->"email"->"mailboxes"->"options"->"new mailbox" lets me create a new one without going through the wizard...

Harri Salminen said...

About comparing this feature to how BB works: in BB's case credentials are sent to proxy and connection to the actual email service is also routed via proxy ever after. In the case I've reported credentials are sent to Nokia upon creating the account, but after that communications go directly from terminal to email provider.

About the old-fashioned-way of creating the account without wizard: if you navigate through Messaging application and start to create an email account, wizard is opened also in that case.

//Harri

Anonymous said...

See Nokia Messaging FAQ: "Why do I have to give you my email password?"

http://email.nokia.com/account/faq.action

Harri Salminen said...

...and after you have read from Nokia's Messaging FAQ why password is needed, you can read my postings again and soon you'll understand that my case is not about that product and that referred FAQ entry is irrelevant.

//Harri

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

62.61.69.104 (ccds.serviceactivation.ext.nokia.com)
inetnum: 62.61.69.0 - 62.61.69.255
netname: CIDERONE-NET1-HEL-FI
descr: Ixonos Finland IOCT Oy
country: FI
admin-c: MA7096-RIPE
tech-c: PL4207-RIPE
status: ASSIGNED PA
mnt-by: AS702-MNT
source: RIPE # Filtered

Anonymous said...

Giving bougs account doesn't work, wizard (E75) will no continue unless it gets real account/passw. Offline works

Harri Salminen said...

Thanks for this info, the initial test was made with 5800, it seems that wizards are not identical here.

//Harri

Benjie Mouse said...

I own a Nokia 5800 and I am very thankful for your article. I also noticed another intended leak my mobile has: at some point (can't say exactly) it has also sent my phone number to a Nokia server without my consent. Since then I am getting SMS messages from Nokia every one or two weeks containing "tips" and ads for Nokia products.

The day there is a Debian-based phone, I will switch. The possibilities of closed software in electronic devices of any type seem to be too tempting for companies to use our private data just as they wish to. If companies are not as dumb as Nokia, no one will ever notice, because it would have been extremely simple for Nokia to hide their leaking credentials.

And, of course, this is my first and last Nokia product.

Harri Salminen said...

I guess some Nokia terminals ask the user during initial setup if he wants to receive such info and if the answer is yes, that generates an SMS message to Nokia, phone number can then be read from that message. Don't have a test device now available to verify this (requires restoring initial setup) ... does somebody have more info about this?

//Harri

principio said...

@Harri,

yes, that's absolutely right. With my E71 at the initial setup I was asked whether I would like to activate the "My Nokia" account, but the answers were only "Yes" and "Later". When you say yes, then the phone sends an SMS to Nokia, and you get "tips".

@Benjie Mouse
In the S60 3rd you find a "MyNokia"-Icon in the help menu, where you find the optortunity to deactivate the account (and with it the messages, I hope).

And remember that Nokia still has the linux maemo on its internet tables, so maybe your next linux phone will still be from Nokia ;-) (allthough it think it's scandalous that they don't support a Linux version of Nokia PC-Suite, but that leads away from what we are commenting here).

Anonymous said...

This might be relevant:

http://www.mseclab.com/?p=146

In a post called "Hijacking Mobile Data Connections", a video shows how data connections from mobile phones could be hijacked, by performing a man-in-the-middle attack

It is possible that even someone else could get those email and password, if their are embedded in a GET request.

Harri Salminen said...

About hijacking phone:

Client provisioning (CP) messages creating an abusive access point is certainly a possible threat. Using the same way of spoofing CP messages it is also possible to define device management (DM) server configuration that would potentially allow an attacker to remotely access private data and modify settings. I wonder when we see first reports of that kind of an attack.

It is important to understand, that these enablers (CP and DM) are valuable pieces of mobile ecosystem, but in wrong hands also potentially dangerous.

//Harri

Anonymous said...

Totally agree Harri.

Just some things to point out:
- CP clients in mobile phones are far more common than DM clients.
- not really sure.. but DM payloads are signed, while CP messages are surely not.
- The attack just spoof the first text SMS. No need to spoof the CP message, most phones won't even display the source...
- To see some attack reports, two things are needed: someone performing the attack, and victims able to recognize it.
Nothing can be said about the former, but the latter is surely a rarity :)

Rajesh said...

email password need not be disclosed to any one.
Goods Bookmarks

Nokia Themes said...

samething happened to me, I just stopped using it :)

Egy Azziera said...

Nokia 5800 steals user email password to Nokia even if user configures the email to use non-Nokia email. Nokia is aware of the problem.

Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...
This comment has been removed by a blog administrator.
Anonymous said...

Thanks for the post. Sadly, it's worse than just sending your password to Nokia. The latest version of the email client on my e71 (firmware 300.21.012) actually sets up the email accounts so that they are proxied through Nokia's email server. Nokia's central server is connecting to my Gmail account, downloading *my* email and forwarding it onto me. How nice of them. How convenient for me. NOT!!!

Anonymous said...

I just can not understand whether you're really considering yourself as important/interesting for NOKIA person? Heh!
Whether you know that Nokia's phones are NOTHING for this gigantic corporation?! Phone sales just like to receive back money for coffee, which Nokia's programmers drinking every day :)
The MONEY comes from FIREWALLS (& another security products), Nokia's OS called IPSO (Free BSD Based), & some dedicated for firewall server boxes' development. That is NOKIA. & they don't need your login/pass at all! Alas, their security division was bought by Mighty "Check Point" at 2008/9.

Harri Salminen said...

That was an interesting comment. I like coffee myself, but sales like 6.9B€ and profit 787M€ for device business last quarter equals so much coffee that I doubt any developer team can ever absorb that much caffeine.

//Harri

Romance said...

Thank You...........

Anonymous said...

Cool post you got here. I'd like to read more about that matter. The only thing it would also be great to see on this blog is some pics of any gizmos.
Kate Trider
Phone Blocker

Term Paper said...

Thanks for sharing. I really admire this.

Hamza said...

omg!!! & wow!!
now i have news for my corporate friends..i love sony ericsson & iam using it from the time i was born..thank you for providing me with another drawback of Nokia..i can never trust Nokia and will never advise any1 2 buy Nokia...
http://www.jobspert.com

mensajes claro said...

Hi,

I don't have an E71 here to test, but I'd guess that any device that has an email wizard is a suspect.

tava tea said...

Many new Nokia S60 terminals seem to have an "email wizard" that helps the user to configure an email account to the terminal. Wizard prompts the user to give some basic information and then in most cases wizard is able to create account with all the correct settings.

Anonymous said...

This privacy issue happens on Nokia C6 too. Once you have set up the account in the mobile mails will be routed through a Nokia gateway located in USA.

I have sent a mail from my mobile to an other mail account of mine. I got this mail from IP 67.220.123.36. When you try to check new mails (IMAP), I see connections from em.outgoing4.messaging.nokia.com (67.220.123.24).

Both IP addresses are registered for:

Nokia
300 Satellite Blvd
30024 Suwanee, GA
US

I also own a Nokia N900 and this device seems not to have that privacy bug. I always see the IP address of my 3G provider. Maybe because N900 runs on Linux not on Symbian, so it's opensource.

Harri Salminen said...

Hi,

Can you verify you configured your phone to use IMAP and not Nokia Messaging? I suspect that now your phone is using Nokia Messaging and that's why connections are originated from Nokia.

//Harri

Anonymous said...

@Harri Salminen

There was a wizard to setup the connection. I had to change preferences manually because it's an IMAP server of "another" ISP.

Maybe that's the reason why I was running into this privacy entrapment. I contacted Nokia as well. Since they don't offer an email address for privacy issues, I sent a snailmail *sik* to:

Nokia Corporation
c/o Privacy
Keilalahdentie 4
02150 Espoo
Finland

and ask them to remove my data from their servers. Maybe this will disable emails on my C6 as well, lets see.

mar said...

Nokia X3-02 has also that "feature". Currently, they are using 67.220.123.xxx IPs.

ner0 said...

This is really a pain in the ass and a violation of our trust as customers. I had two Nokia C05-03 within two weeks of each other, One of them allowed to setup a mail account manually (without going offline) and the second one had this stupid mandatory wizard. On top of that, Nokia Email client is so stupid that it's always overriding the connection settings and connecting on its own to a 3G connection busting your money, the setup won't even work without a 3G connection... this is a very shady move from Nokia, they should really be ashamed!! Now I want to know I do I remove my e-mail address from their servers since even after deleting the mail profiles through 'email.nokia.com' it steel keeps your address and password in their database.

Harri Salminen said...

@ner0 I don't have an idea how to permanently delete an account from Nokia server....

It really happens too often that new email account configured to Nokia device still uses their proxy even when user tries to be careful _not_ to use it. Sooner or later user will discover this when outgoing emails bounce back with strange error messages when Nokia proxy has hiccups.