Samsung KNOX Vulnerability Probably Affects Other Android Devices


Recently, researchers from Ben-Gurion University found that Samsung KNOX, as used in the Galaxy S4, leaked user data. After reviewing the report, Samsung reassured its customers that the security hole was not critical, and the firm joined forces with Google to address it. On the KNOX blog, Samsung confirms that the attack uses networking functions in the stock Android source tree, allowing interception of unencrypted data transfers between Android devices.

App developers can prevent this by using the encryption functions provided in Android's code base.

Android development practices encourage each application to do this using SSL/TLS. Where that is not possible (for example, to support standards-based unencrypted protocols such as HTTP), Android provides a built-in VPN and support for third-party VPN solutions to protect data. Use of either of these standard security technologies would have prevented an attack based on a user-installed local application.
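To make the app-side mitigation concrete, here is an added example (not code from Samsung, Google or the Android project) contrasting the cleartext HTTP pattern the interception relies on with a hardened helper that refuses non-TLS URLs and keeps the platform's default certificate and hostname checks; `example.invalid` is a placeholder host.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;
import javax.net.ssl.HttpsURLConnection;

// Constructed example: an application-side guard that refuses to send data
// over cleartext HTTP and only talks TLS with full certificate and hostname
// validation, which is what the KNOX post asks app developers to do.
public final class SecureTransport {

    // The weak pattern: a plain HTTP connection whose payload any on-device
    // or on-path interceptor can read without breaking any cryptography.
    static HttpURLConnection openCleartext(String target) throws IOException {
        return (HttpURLConnection) new URL(target).openConnection();
    }

    // Hardened form: only https:// URLs are accepted, and the default trust
    // store and hostname verifier stay in place. Swapping in a permissive
    // verifier to "fix" certificate errors would reintroduce interception.
    static HttpsURLConnection openEncrypted(String target) throws IOException {
        URL url = new URL(target);
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            throw new IllegalArgumentException(
                "refusing cleartext transport to " + url.getHost());
        }
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Detect a verifier override that would weaken TLS for this connection.
        if (conn.getHostnameVerifier()
                != HttpsURLConnection.getDefaultHostnameVerifier()) {
            throw new IllegalStateException("hostname verification overridden");
        }
        return conn;
    }

    public static void main(String[] args) throws IOException {
        // example.invalid is a placeholder; no network traffic is sent here.
        try {
            openEncrypted("http://example.invalid/sync");
        } catch (IllegalArgumentException e) {
            System.out.println("blocked: " + e.getMessage());
        }
        HttpsURLConnection c = openEncrypted("https://example.invalid/sync");
        System.out.println("TLS connection prepared for " + c.getURL().getHost());
    }
}
```

Calling `connect()` on the returned `HttpsURLConnection` performs the TLS handshake with the platform's certificate validation; the guard only ensures no code path can fall back to cleartext.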

Samsung's post includes a quote from Professor Patrick Traynor, a mobile security expert: "Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue. Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues."

KNOX provides containers within which different mobile apps can run. This isolates application data passing through the device, effectively implementing mandatory access control.

Platform features are summarized by Samsung as follows:

1. Mobile Device Management — MDM is a feature that ensures a device containing sensitive information is set up correctly according to an enterprise-specified policy, and it is available in the standard Android platform. KNOX enhances the platform by adding many additional policy settings, including the ability to lock down security-sensitive device settings. On an MDM-configured device, when the attack tried to change these settings, the MDM agent running on the device would have blocked it, and the exploit would not have worked.

2. Per-App VPN — The per-app VPN feature of KNOX allows traffic only from a designated and secured application to be sent through the VPN tunnel. This feature can be selectively applied to applications in containers, allowing fine-grained control over the tradeoff between communication overhead and security.

3. FIPS 140-2 — KNOX implements a VPN client certified to FIPS 140-2 Level 1, a NIST standard for data-in-transit protection, along with NSA Suite B cryptography. The FIPS 140-2 standard applies to all federal agencies that use cryptographically strong security systems to protect sensitive information in computer and telecommunication systems. Many enterprises today deploy this cryptographically strong VPN support to protect against data-in-transit attacks.