Tuesday, August 18, 2009

Update to Nokiagate

After the summer it's good to catch up on what has happened with "Nokiagate" lately. For those who don't know what Nokiagate is, read my posting that started it all and follow the case from here.

I did receive a couple of calls from Nokia during the summer and they were interested to hear my opinion about how they managed the situation and how their processes could be improved. I told them that it appeared as if there was no process at all to handle security reports like this and it took far too long from my initial report before action was taken. After the initial difficulties, things began to go smoothly once the conversation channel was opened.

I just ran a quick test with some updated terminals I had available and here are the results (device / firmware version / result):
  • E75 / 110.48.125 / Opens connection without asking permission, content unknown.
  • 5800 / 30.0.011 / Opens connection without asking permission, content unknown.
  • N96 / 30.033 / Account can be created in offline mode, OK.
It looks like the E75 and 5800 still go online without asking the user's permission. However, the new firmware ensures the validity of the server certificate and no longer lets me examine the contents, but the connection goes to ccds.serviceactivation.ext.nokia.com. Let's hope they have removed the password information from the request as they promised earlier; unfortunately I cannot verify that.

