Sunday, March 22, 2009

Why Nokia wants my email password?


Many new Nokia S60 terminals seem to have an "email wizard" that helps the user configure an email account on the terminal. The wizard prompts the user for some basic information, and in most cases it is then able to create the account with all the correct settings.

Let's use the Nokia 5800, an iconic device that has sold over 1.000.000 units. When you start the email wizard, you will see a screen like this



If I click "Back", the wizard closes and the email account is not created. Clicking "Start" continues the wizard, but was that answer also consent to store the personal information? Anyway, there doesn't seem to be a way to create an account without this wizard.

Let's create an account for user test.user@mycompany.com (his password is "topsecret" but I will not tell it to anybody). After you have entered this information, the wizard will open a network connection and make an HTTP request to the URL

https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&address=test.user@mycompany.com&password=topsecret&mcc=244&mnc=91&carrier=sonera

Nice! I just sent Nokia my email address, password, operator information and terminal type (in HTTP headers, not visible here). All you Nokia 5800 users around the world: did you know that? I didn't know that, nor did I like it.

Today I had an opportunity to play with a new Nokia E75, a phone that's supposed to be THE email device for all business users. My first impression of the device is very good: it's solid and snappy. When I checked the email client, it behaved just as on the 5800. When you create an account, the wizard sends your sensitive data over the internet to Nokia's server.

When I create an email account that has absolutely nothing to do with Nokia's email services, my user credentials are sent to Nokia's server. I guess that this feature can be a show-stopper in some business environments - "hey, let's create email accounts and send our usernames and passwords to Nokia" doesn't sound that good.

According to my tests, if you want to create an email account without giving your credentials to Nokia, you have two options:
  • Give the wizard dummy information when it asks for the email address and password. The wizard will try to fetch settings from the internet but finally gives up, and you can then input the data safely.
  • Put the phone into offline mode when creating the account. That way the phone cannot connect to any servers, and when the wizard notices this you will be able to enter the email account data without sending it to Nokia's servers.

So finally, here are my questions to Nokia:
  • Why have you created an email wizard that by default sends the user's email login information to your server without making that very clear and asking explicit permission to do so?
  • Why is there no option to create an email account manually, without any wizards?
  • When the user starts the wizard and continues from the first screen, does that give Nokia permission to store my personal information?
  • If my personal information was stored on Nokia's servers because I used the email wizard to create an email account, how can I get my data removed from the server?
  • How do you use my personal data collected from the email wizard?

Update: Read also my follow up post.
Update 2: I'm trying to give answers to readers' questions here.
Update 3: Nokia's official statement is here.

//Harri

44 comments:

Benedikt said...

Wow, I did not know that. I guess it is the same with E71? Thank you for that information.

Harri Salminen said...

Hi,

I don't have an E71 here to test, but I'd guess that any device that has an email wizard is a suspect.

//Harri

m g © o said...

whoa! i'm wondering, what did nokia have to say about it?

i have an E-series now and I'm stuck with the fact that Nokia doesn't support synchronization for Linux...

but this... email privacy issue is something serious if true.

Tzer2 said...

Just wondering, did you contact Nokia directly with the questions?

If you didn't, I can try to as I work for a site that specialises in Symbian phones such as the 5800. We've asked them about controversial stuff in the past and they usually say at least something in response.

Harri Salminen said...

Yes, I have contacted Nokia about this issue, but I haven't received more information than "we are investigating this".

If you have connections to Nokia, I think you should ask them and try to get some answers to my questions.

Karri said...

In E71 the regular email client does not do this, but the new Nokia messaging client does.

I suspect that the idea is that by utilising those user credentials Nokia is able to implement a push mail to mobile devices even for those email service providers who do not support it directly.

Routing mails and instant messaging (yes, you can see the same pattern in their Ovi Contacts client) via Nokia does not sound very appealing to me so I just use the old email client in E71 and a separate instant messaging client.

Harri Salminen said...

Hi Karri,

Thanks for leaving a comment.

Like I wrote in my followup post, I understand that if a messaging proxy is used it must have access to user's credentials. However, when user wants to use direct IMAP connection to his email provider without any 3rd party proxies, it is unacceptable to send credentials to anywhere else than to the email provider.

//Harri

Mikko said...

Hey, this is just great. Now the credentials of our salesmen are transferred to Nokia. I wonder how many emails they're able to harvest before the passwords expire. I predict shitstorm.

Anonymous said...

That is absolutely insane. Thanks so much for posting this info.

Here I was ensuring all security channels were in place during sending and receiving... so much for that. Time to update my passwords.

Thanks again for posting this info.

Anonymous said...

I tried your URL with the web browser. The server replies xml version="1.0" encoding="utf-8" ccds status="0" code="121". Could the code 121 mean to Nokia phone "I've got it, thank you." ;-)

-Jani

Anonymous said...

Dim-wits...

Ramki B Ramakrishnan said...

I share the same concerns, Nokia should be answering these questions...

Anonymous said...

To clarify some things: this issue is on Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is E75. The older models use the old email/messaging software, that has nothing to do with Nokia Messaging service.

I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.

Apparently this has changed now when E75 ships without the original standalone email client.

So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.

Anonymous said...

Looks like serious issue. But I wonder how you are able to sniff on http traffic?
I was looking for a program to do so once but couldn't find it.

Anonymous said...

On E71, it's the same.

This is interesting:

How much does Nokia Messaging cost?

Nokia Messaging is currently provided on a trial basis. In the future, consumers will be able to acquire Nokia Messaging through an operator plan. You may incur charges in connection with the transfer and receipt of data to your mobile phone and may not be included in your flat data rate plan.

Please contact your operator to know how much you will be charged.

Anonymous said...

On E71, it's the same.
.... in case you install Nokia Messaging :)

Anonymous said...

Amazing!
Thanks for warning us!

One question. How did you realize this was happening? Did you sniff the network traffic between your phone and your wireless router? (I guess you did)

Cheers!

DF said...

As for how to sniff the traffic from the phone:

The easiest way, as someone already pointed out, is to use the phone's wifi as the IP connection, and do the sniffing on or after the wifi AP.

Some phones also have an "IP passthrough" mode, in which they use their USB cable connection to a computer as their IP connection. In this case, you can easily do the packet capture on that computer.

BTW, it's worth pointing out that sending the credentials unencrypted would be an astoundingly irresponsible thing to do, since anyone on the path between the operator's network and the Nokia servers would be able to capture said credentials (including the operator itself). This problem would not occur if they use HTTPS instead of HTTP; this point is not clear on the original post. Or did I miss something?

Anonymous said...

Congratulations, you have just discovered how every other push e-mail system works.

Anonymous said...

"This problem would not occur if they use HTTPS instead of HTTP"

No, not really... Even if the phone uses HTTPS to send the information to Nokia, every ISP and anyone sniffing packets along the way will see the entire URL (https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&address=test.user@mycompany.com&password=topsecret&mcc=244&mnc=91&carrier=sonera)

Anonymous said...

"No, not really... Even if the phone uses HTTPS to send the information to Nokia, every ISP and anyone sniffing packets along the way will see the entire URL"

This is not true. SSL (secure sockets layer) encrypts everything that you put through the socket. In HTTP requests the url is passed in the socket along with the data. So no one in between is able to catch the whole URL, only the domain part if sniffing for DNS.
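The request from the post and the HTTP-versus-HTTPS question raised in these comments, worked through as an added Python example (not code from the post, the commenters or Nokia): it flags secret-bearing query parameters sent to a host outside the mailbox's own domain, and separates what a passive on-path observer can read from what the receiving server reads. The parameter-name list, the two-label domain comparison and the control URL are assumptions made for this example.

```python
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as secrets (an assumption for this example).
SECRET_PARAMS = {"password", "passwd", "pwd", "secret", "token"}

# Request URL exactly as quoted in the post.
POST_URL = ("https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/"
            "?operation=ccds.provider.determineAccount&applicationCode=email"
            "&address=test.user@mycompany.com&password=topsecret"
            "&mcc=244&mnc=91&carrier=sonera")
# Constructed control: a lookup that sends only the address to the mailbox's own domain.
CONTROL_URL = "https://autoconfig.mycompany.com/mail/config?emailaddress=test.user@mycompany.com"

def site(host):
    """Last two DNS labels; crude, a real tool would use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])

def audit_request(url):
    """Report what one captured request URL exposes, and to whom."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    port = parts.port or {"https": 443, "http": 80}.get(parts.scheme)
    params = parse_qsl(parts.query, keep_blank_values=True)
    secrets = [k for k, _ in params if k.lower() in SECRET_PARAMS]
    # A value containing "@" is taken to name the mailbox and so its provider's domain.
    mail_sites = {site(v.rsplit("@", 1)[1]) for _, v in params if "@" in v}
    third_party = bool(mail_sites) and site(host) not in mail_sites
    # Request target with secret values masked, so the report is safe to print or log.
    masked = parts.path + "?" + "&".join(
        f"{k}=<masked>" if k.lower() in SECRET_PARAMS else f"{k}={v}" for k, v in params)
    tls = parts.scheme == "https"
    return {
        "secret_params": secrets,
        "third_party": third_party,
        "credentials_to_third_party": bool(secrets) and third_party,
        # With TLS the path and query travel inside the encrypted stream; a passive
        # observer learns the endpoint (IP/port, hostname via DNS or SNI), not the URL.
        "passive_observer_sees": f"{host}:{port}" if tls else f"{host}:{port}{masked}",
        # The receiving server decrypts the full request, query string included.
        "server_sees": masked,
    }

if __name__ == "__main__":
    for u in (POST_URL, CONTROL_URL):
        print(audit_request(u))
```

Run over a proxy or packet-capture export, the `credentials_to_third_party` flag is the line worth alerting on; query strings also tend to be written to server access logs, which is why secrets in a URL remain a problem even when the transport is encrypted.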

Dave said...

If you buy a blackberry in a store intending to use it with an existing IMAP/POP account (rather than a company's own Blackberry Enterprise server) it also forwards the account information to a remote server (although I expect from Blackberry the forwarding is somewhat more secure?).
I think this is probably true of most push email systems - the nasty is how these systems are transparent and you don't realise your mail is going via another system.

Dave

nosuchuser said...

Are you sure there isn't a way to configure email accounts without using the wizard?

I've been using symbian devices for ages and going "messaging"->"options"->"settings"->"email"->"mailboxes"->"options"->"new mailbox" lets me create a new one without going through the wizard...

Harri Salminen said...

About comparing this feature to how BB works: in BB's case credentials are sent to proxy and connection to the actual email service is also routed via proxy ever after. In the case I've reported credentials are sent to Nokia upon creating the account, but after that communications go directly from terminal to email provider.

About the old-fashioned-way of creating the account without wizard: if you navigate through Messaging application and start to create an email account, wizard is opened also in that case.

//Harri

Anonymous said...

See Nokia Messaging FAQ: "Why do I have to give you my email password?"

http://email.nokia.com/account/faq.action

Harri Salminen said...

...and after you have read from Nokia's Messaging FAQ why password is needed, you can read my postings again and soon you'll understand that my case is not about that product and that referred FAQ entry is irrelevant.

//Harri

Anonymous said...

62.61.69.104 (ccds.serviceactivation.ext.nokia.com)
inetnum: 62.61.69.0 - 62.61.69.255
netname: CIDERONE-NET1-HEL-FI
descr: Ixonos Finland IOCT Oy
country: FI
admin-c: MA7096-RIPE
tech-c: PL4207-RIPE
status: ASSIGNED PA
mnt-by: AS702-MNT
source: RIPE # Filtered

Anonymous said...

Giving bogus account doesn't work, wizard (E75) will not continue unless it gets real account/passw. Offline works

Harri Salminen said...

Thanks for this info, the initial test was made with 5800, it seems that wizards are not identical here.

//Harri

Benjie Mouse said...

I own a Nokia 5800 and I am very thankful for your article. I also noticed another intended leak my mobile has: at some point (can't say exactly) it has also sent my phone number to a Nokia server without my consent. Since then I am getting SMS messages from Nokia every one or two weeks containing "tips" and ads for Nokia products.

The day there is a Debian-based phone, I will switch. The possibilities of closed software in electronic devices of any type seem to be too tempting for companies to use our private data just as they wish to. If companies are not as dumb as Nokia, no one will ever notice, because it would have been extremely simple for Nokia to hide their leaking credentials.

And, of course, this is my first and last Nokia product.

Harri Salminen said...

I guess some Nokia terminals ask the user during initial setup if he wants to receive such info and if the answer is yes, that generates an SMS message to Nokia, phone number can then be read from that message. Don't have a test device now available to verify this (requires restoring initial setup) ... does somebody have more info about this?

//Harri

principio said...

@Harri,

yes, that's absolutely right. With my E71 at the initial setup I was asked whether I would like to activate the "My Nokia" account, but the answers were only "Yes" and "Later". When you say yes, then the phone sends an SMS to Nokia, and you get "tips".

@Benjie Mouse
In the S60 3rd you find a "MyNokia"-Icon in the help menu, where you find the opportunity to deactivate the account (and with it the messages, I hope).

And remember that Nokia still has the linux maemo on its internet tablets, so maybe your next linux phone will still be from Nokia ;-) (although I think it's scandalous that they don't support a Linux version of Nokia PC-Suite, but that leads away from what we are commenting here).

Anonymous said...

This might be relevant:

http://www.mseclab.com/?p=146

In a post called "Hijacking Mobile Data Connections", a video shows how data connections from mobile phones could be hijacked, by performing a man-in-the-middle attack

It is possible that even someone else could get that email and password, if they are embedded in a GET request.

Harri Salminen said...

About hijacking phone:

Client provisioning (CP) messages creating an abusive access point is certainly a possible threat. Using the same way of spoofing CP messages it is also possible to define device management (DM) server configuration that would potentially allow an attacker to remotely access private data and modify settings. I wonder when we see first reports of that kind of an attack.

It is important to understand, that these enablers (CP and DM) are valuable pieces of mobile ecosystem, but in wrong hands also potentially dangerous.

//Harri

Anonymous said...

Totally agree Harri.

Just some things to point out:
- CP clients in mobile phones are far more common than DM clients.
- not really sure.. but DM payloads are signed, while CP messages are surely not.
- The attack just spoofs the first text SMS. No need to spoof the CP message, most phones won't even display the source...
- To see some attack reports, two things are needed: someone performing the attack, and victims able to recognize it.
Nothing can be said about the former, but the latter is surely a rarity :)

Rajesh said...

email password need not be disclosed to any one.

Nokia Themes said...

same thing happened to me, I just stopped using it :)

Egy Azziera said...

Nokia 5800 steals user email password to Nokia even if user configures the email to use non-Nokia email. Nokia is aware of the problem.

Anonymous said...

Thanks for the post. Sadly, it's worse than just sending your password to Nokia. The latest version of the email client on my e71 (firmware 300.21.012) actually sets up the email accounts so that they are proxied through Nokia's email server. Nokia's central server is connecting to my Gmail account, downloading *my* email and forwarding it onto me. How nice of them. How convenient for me. NOT!!!

Anonymous said...

I just can not understand whether you're really considering yourself as important/interesting for NOKIA person? Heh!
Whether you know that Nokia's phones are NOTHING for this gigantic corporation?! Phone sales just like to receive back money for coffee, which Nokia's programmers drinking every day :)
The MONEY comes from FIREWALLS (& another security products), Nokia's OS called IPSO (Free BSD Based), & some dedicated for firewall server boxes' development. That is NOKIA. & they don't need your login/pass at all! Alas, their security division was bought by Mighty "Check Point" at 2008/9.

Harri Salminen said...

That was an interesting comment. I like coffee myself, but sales like 6.9B€ and profit 787M€ for device business last quarter equals so much coffee that I doubt any developer team can ever absorb that much caffeine.

//Harri