Described by the Wall Street Journal as "a vulnerability that could allow malicious software to track emails and record data communications," a potential vulnerability in Samsung's Knox platform was discovered in late December by researchers at Israel's Ben-Gurion University. The researchers said the vulnerability would allow those with malicious intent to "easily intercept" secure data from Knox users. Samsung's initial response was that the problem may be less serious than researchers implied, and that it would investigate the situation thoroughly. Resolving - or at least addressing - the issue would be an important step for Samsung, as it hopes to position its Knox-enabled devices as viable options for those in need of tight security.

Today, the South Korean manufacturer posted an official public response to the report, classifying the vulnerability as "a classic Man in the Middle (MitM) attack, which is possible at any point on the network to see unencrypted application data." In a post to its Knox blog, Samsung explains that it has "verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device." This basically means the "vulnerability" is not a Knox problem at all, but rather an attack on Android's existing network functions.

Essentially, Samsung explains, the vulnerability is only possible with user-installed programs that do not encrypt incoming or outgoing data. According to the post, which was written in collaboration with Google, encrypting incoming or outgoing data using SSL/TLS is recommended when developing apps. Where this isn't possible, the post says, "Android provides built-in VPN support for third-party VPN solutions to protect data. Use of either of those standard security technologies would have prevented an attack based on a user-installed local application."

Samsung is careful to note that Knox already has mechanisms in place to defend against MitM attacks which, if configured, would obviate this "vulnerability" for user-installed apps. The post gives a brief rundown of these mechanisms:

1. Mobile Device Management — MDM is a feature that ensures that a device containing sensitive information is set up correctly according to an enterprise-specified policy and is available in the standard Android platform. KNOX enhances the platform by adding many additional policy settings, including the ability to lock down security-sensitive device settings. On an MDM-configured device, when the attack tried to change these settings, the MDM agent running on the device would have blocked them. In that case, the exploit would not have worked.

2. Per-App VPN — The per-app VPN feature of KNOX allows traffic only from a designated and secured application to be sent through the VPN tunnel. This feature can be selectively applied to applications in containers, allowing fine-grained control over the tradeoff between communication overhead and security.

3. FIPS 140-2 — KNOX implements a FIPS 140-2 Level 1 certified VPN client, a NIST standard for data-in-transit protection, along with NSA Suite B cryptography. The FIPS 140-2 standard applies to all federal agencies that use cryptographically strong security systems to protect sensitive information in computer and telecommunication systems. Many enterprises today deploy this cryptographically strong VPN support to protect against data-in-transit attacks.

The response wraps up by citing Professor Patrick Traynor from the Georgia Institute of Technology, who previously expressed concern over the researchers' findings. According to Traynor, "Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue. Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues."

Source: Samsung Knox Blog