Described by the Wall Street Journal as "a vulnerability that could allow malicious software to track emails and record data communications," a potential vulnerability in Samsung's Knox platform was discovered in late December by researchers at Israel's Ben-Gurion University. The researchers said the vulnerability would allow those with malicious intent to "easily intercept" secure data from Knox users. Samsung's initial response was that the problem may be less serious than researchers implied, and that it would investigate the situation thoroughly. Resolving - or at least addressing - the issue would be an important step for Samsung, as it hopes to position its Knox-enabled devices as viable options for those in need of tight security.

Today, the South Korean manufacturer posted an official public response to the report, classifying the vulnerability as "a classic Man in the Middle (MitM) attack, which is possible at any point on the network to see unencrypted application data." In a post to its Knox blog, Samsung explains that it has "verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device." This basically means the "vulnerability" is not a Knox problem at all, but rather an attack on Android's existing network functions.

Essentially, Samsung explains, the vulnerability is only possible with user-installed programs that do not encrypt incoming or outgoing data. According to the post, which was written in collaboration with Google, encrypting incoming or outgoing data using SSL/TLS is recommended when developing apps. Where this isn't possible, the post says, "Android provides built-in VPN support for third-party VPN solutions to protect data. Use of either of those standard security technologies would have prevented an attack based on a user-installed local application."
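The defensive point in the post, that an app which encrypts its connection with SSL/TLS and verifies the server's certificate never hands application data to an on-path interceptor, can be shown in code. The example below is added here and is not Samsung's, Google's or Knox's code; it uses Go's standard library rather than Android's networking APIs, and the backend, the secret header value and the three trust-store configurations are all constructed for the demonstration. It goes slightly beyond the post by also showing the weak setting (`InsecureSkipVerify`) beside the correct one:

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Constructed, not real: the value a hypothetical app attaches to each request.
const secret = "session-token=EXAMPLE-NOT-REAL"

// newBackend starts an in-process HTTPS server with Go's self-signed test
// certificate, standing in for the app's real backend.
func newBackend() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") == secret {
			io.WriteString(w, "ok")
			return
		}
		http.Error(w, "no credential", http.StatusUnauthorized)
	}))
}

// trustedOnly builds the client configuration an app should ship with: an
// explicit trust store holding only the roots it expects (here, the backend's
// own certificate) and no TLS version below 1.2. Any other certificate on the
// path, including one injected by an on-path interceptor, fails verification.
func trustedOnly(roots ...*x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	for _, c := range roots {
		pool.AddCert(c)
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
}

// Fetch sends the secret to url under cfg and returns the response body.
func Fetch(url string, cfg *tls.Config) (string, error) {
	client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}
	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return "", err
	}
	req.Header.Set("Authorization", secret)
	resp, err := client.Do(req)
	if err != nil {
		// The handshake failed before any application data was written, so the
		// credential never left the client.
		return "", err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// IsUntrustedCert reports whether err is the chain-verification failure a
// client gets when the certificate it sees was not issued by a root it trusts.
func IsUntrustedCert(err error) bool {
	var unknownAuthority x509.UnknownAuthorityError
	return errors.As(err, &unknownAuthority)
}

// Run exercises three client configurations against the backend and reports
// which ones delivered the secret, plus the error from the strict client so
// callers can inspect why it refused.
func Run() (pinned, emptyStore, skipVerify bool, emptyStoreErr error) {
	srv := newBackend()
	defer srv.Close()

	// Correct: the backend's certificate is in the trust store.
	_, err := Fetch(srv.URL, trustedOnly(srv.Certificate()))
	pinned = err == nil

	// Correct behaviour when shown an unexpected certificate: an empty trust
	// store models a client presented with a certificate it does not trust.
	// Verification fails and no application data is sent.
	_, emptyStoreErr = Fetch(srv.URL, trustedOnly())
	emptyStore = emptyStoreErr == nil

	// The weak setting: skipping verification accepts any certificate, so a
	// party terminating TLS on the path would receive the secret.
	_, err = Fetch(srv.URL, &tls.Config{InsecureSkipVerify: true})
	skipVerify = err == nil
	return
}

func main() {
	pinned, emptyStore, skipVerify, err := Run()
	fmt.Printf("pinned trust store delivered secret:    %v\n", pinned)
	fmt.Printf("untrusted certificate delivered secret: %v (%v)\n", emptyStore, err)
	fmt.Printf("InsecureSkipVerify delivered secret:    %v\n", skipVerify)
}
```

The three outcomes map onto the post's advice: a client with a correct trust store talks to its backend; the same client refuses an unknown certificate and sends nothing, which is what makes TLS a defence rather than just an encoding; and a client that disables verification is no better off than one speaking plaintext. An Android app using `HttpsURLConnection` or OkHttp gets the first two behaviours by default and only loses them if the developer installs a permissive `TrustManager` or `HostnameVerifier`, the Java equivalent of the last configuration.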

Samsung is careful to note that Knox already has mechanisms in place to defend against MitM attacks which, if configured, would have blocked this "vulnerability" for user-installed apps. The post gives a brief rundown of these mechanisms:

1. Mobile Device Management — MDM is a feature that ensures that a device containing sensitive information is set up correctly according to an enterprise-specified policy and is available in the standard Android platform. KNOX enhances the platform by adding many additional policy settings, including the ability to lock down security-sensitive device settings. With an MDM-configured device, when the attack tries to change these settings, the MDM agent running on the device would have blocked them. In that case, the exploit would not have worked.

2. Per-App VPN — The per-app VPN feature of KNOX allows traffic only from a designated and secured application to be sent through the VPN tunnel. This feature can be selectively applied to applications in containers, allowing fine-grained control over the tradeoff between communication overhead and security.

3. FIPS 140-2 — KNOX implements a FIPS 140-2 Level 1 certified VPN client, a NIST standard for data-in-transit protection, along with NSA Suite B cryptography. The FIPS 140-2 standard applies to all federal agencies that use cryptographically strong security systems to protect sensitive information in computer and telecommunication systems. Many enterprises today deploy this cryptographically strong VPN support to protect against data-in-transit attacks.

The response wraps up by citing Professor Patrick Traynor from the Georgia Institute of Technology, who previously expressed concern over the researchers' findings. According to Traynor, "Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue. Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues."

Source: Samsung Knox Blog

Liam Spradlin
Liam loves Android, design, user experience, and travel. He doesn't love ill-proportioned letter forms, advertisements made entirely of stock photography, and writing biographical snippets.

  • warcaster

    I like how they present using NIST and NSA crypto suites as being a "trustworthy" thing. They probably haven't watched the news much since last year.

    • lljktechnogeek

      I'd imagine that depends on whether or not the given cryptographic algorithm is something the NSA uses internally. If they know exactly how a given method can be broken, they'd probably be less likely to want to use it for stuff they don't want other people to know about.

  • Matthew Fry

    I'll keep pointing out mistakes until you hire me as an editor :-P

    • StarNoStar

      If you keep pointing out their mistakes... you already are their editor, you just don't get paid for it. Try something like "I found [number] errors in your post as of [date/time]."