Samsung Denies That KNOX Security For Android Is ‘Completely Compromised’

Samsung has smacked down claims that a major vulnerability has been discovered in Samsung KNOX security for Android, just days after it received approval from the US Government.

Samsung KNOX is an Android-based solution specifically designed to enhance the security of the open-source Android platform.

The NSA, under the agency’s Commercial Solutions for Classified Program, recently approved the use of certain Samsung Galaxy devices within the agency.

Classified data

The Samsung Galaxy 4, 5, Galaxy Note 3 and Galaxy Note 10.1 2014 Edition were all given the thumbs up and could be used by NSA staff to protect classified data.

Samsung CEO JK Shin had stated that “the inclusion of Samsung mobile devices on the CSfC list proves the unmatched security of Samsung Galaxy devices supported by the KNOX platform.”

Samsung’s KNOX technology allows for separate partitions on the Android devices in order to keep personal and business data separated. These partitions, sometimes referred to as containers, have their own encrypted file systems, which keep secured apps separate from applications outside the partition.

However, an unnamed researcher last week published a report online detailing how phones using KNOX can easily be hacked – something Samsung has refuted.

A PIN chosen by a user during setup of the KNOX app is stored in clear text on the device, the researcher claimed. Specifically, they said, a pin.xml file stored in the ContainerApp during setup contains the PIN unencrypted.

The PIN can be used to retrieve a password hint, the report states. If an attacker has access to the phone and can retrieve the PIN, they could use the “Password forgotten?” field to obtain a password hint, which turns out to be the first and last character of the supposedly secret password together with its exact length. This Hangman-style clue is just the beginning of the problem, according to the researcher, who added: “Now it is pretty obvious that Samsung KNOX is going to store your password somewhere on the device.” The researcher even claims to have found the encryption key in a partition folder.

Samsung, the report said, buried the manner in which KNOX creates the key deep inside a myriad of Java classes and proxies. The unique Android ID for each device is also used to derive the key, it added.

The report reads: “Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule. In the end it just uses the Android ID together with a hardcoded string and mixes them for the encryption key. I would have expected from a product, called KNOX, a different approach.”

The researcher explained that the built-in Android encryption uses the Password-Based Key Derivation Function (PBKDF2), which derives the key from the user’s password at unlock time rather than persisting it on the device.

They said: “The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely. For such a product the password should never be stored on the device.

“There is no need for it, only if you forget your password. But then your data should be lost, otherwise they are not safe if there is some kind of recovery option.”
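The two designs the researcher contrasts above can be put side by side in code. The following is an added example written for this article, not Samsung’s code or anything taken from KNOX: the first function is a schematic of the pattern the report describes (a key that is a fixed function of a device identifier and a constant baked into the code, so it is recoverable from on-device material alone), and the rest shows the alternative the researcher argues for, where a PBKDF2 key is re-derived from the password at every unlock and only a salt and a verifier are ever stored. The hard-coded string, the device identifier and the password are constructed values, and the hint-size helper assumes passwords drawn uniformly from a fixed alphabet.

```python
"""Added example: persisted device-derived key vs. password-derived key.

Nothing here is Samsung's code. HARDCODED_STRING and the sample Android ID
are constructed stand-ins for the values the report talks about.
"""
import hashlib
import hmac
import os
from typing import Optional

HARDCODED_STRING = b"example-hardcoded-string"  # constructed, not a real constant
ITERATIONS = 200_000                              # PBKDF2 work factor for this example


def derive_key_from_device_id(android_id: str) -> bytes:
    """Schematic of the criticised pattern: key = f(device id, code constant).

    Both inputs live on the device, so anyone holding the device (or a
    backup of it) can recompute the key; no user secret is involved.
    """
    return hashlib.sha256(android_id.encode() + HARDCODED_STRING).digest()


def derive_key_from_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256: the key depends on the password and is recomputed
    at each unlock, so it never needs to be written to storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, dklen=32)


def enrol(password: str) -> dict:
    """Everything a password-based design persists: a random salt and a
    verifier (hash of the derived key). The password and the key are not
    stored, so a 'forgot password' path has nothing to disclose."""
    salt = os.urandom(16)
    key = derive_key_from_password(password, salt)
    return {"salt": salt, "verifier": hashlib.sha256(key).digest()}


def unlock(record: dict, password: str) -> Optional[bytes]:
    """Re-derive the key and compare against the stored verifier in constant
    time. Returns the key on success, None on a wrong password."""
    key = derive_key_from_password(password, record["salt"])
    if hmac.compare_digest(hashlib.sha256(key).digest(), record["verifier"]):
        return key
    return None


def candidates_after_hint(length: int, alphabet_size: int) -> int:
    """Search space left once a hint reveals the first and last character and
    the exact length (the 'Hangman' clue described in the report), assuming
    each character is drawn uniformly from an alphabet of alphabet_size."""
    return alphabet_size ** max(length - 2, 0)


if __name__ == "__main__":
    # Weak pattern: the key is fully determined by on-device data.
    print("device-derived key:", derive_key_from_device_id("0123456789abcdef").hex())

    # Password pattern: the device keeps only salt + verifier.
    record = enrol("correct horse battery")
    print("stored fields:", sorted(record))
    print("unlock with right password:", unlock(record, "correct horse battery") is not None)
    print("unlock with wrong password:", unlock(record, "wrong") is not None)

    # How much a first/last-character hint shrinks an 8-char alphanumeric space.
    print("candidates, 8 chars over 62 symbols:", 62 ** 8, "->", candidates_after_hint(8, 62))
```

The contrast is the whole point of the researcher’s argument: with the first function, the stored ciphertext and the material needed to unlock it sit together on the device, whereas with `enrol`/`unlock` a forgotten password genuinely means the data is gone, which is the property the report says a product like this should have.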

Samsung subsequently released a statement rubbishing the researcher’s claims.

Samsung said: “We analysed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solutions. We would like to reassure our customers that KNOX password and key management is implemented based on the best security practices. The security certifications awarded to KNOX devices provide independent validation of Samsung KNOX.”


Duncan Macrae

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.
