By Duncan Macrae
Samsung has smacked down claims that a major vulnerability has been discovered in Samsung KNOX security for Android, just days after it received approval from the U.S. government.
Samsung KNOX is an Android-based solution specifically designed to enhance security of the current open-source Android platform.
The Samsung Galaxy 4, 5, Galaxy Note 3 and note 10.1 2014 Edition were all given the thumbs up and could be used by NSA staff to protect classified data.
Samsung CEO JK Shin had stated that “the inclusion of Samsung mobile devices on the CSfC list proves the unmatched security of Samsung Galaxy devices supported by the KNOX platform.”
Samsung’s KNOX technology allows for separate partitions on the Android devices in order to keep personal and business data separated. These partitions, sometimes referred to as containers, have their own encrypted file systems, which keep secured apps separate from applications outside the partition.
However, an unnamed researcher last week published a report online detailing how phones using KNOX can easily be hacked—something Samsung has refuted.
A PIN chosen by a user during setup of the KNOX App is stored in clear text on the device, the researcher claimed. Specifically, they said, a pin.xml file stored in the ContainerApp stored on the device during setup contains the unencrypted PIN number.
The PIN can be used to retrieve a password hint, the report states. If a hacker has access to the phone and can retrieve the PIN, they could use a “Password forgotten?” field to obtain a password hint that turns out to be the first and last character of the supposed secret code, in addition to the exact length of the password. This Hangman style clue is just the beginning of the problem, according to the researcher, who added: “Now it is pretty obvious that Samsung KNOX is going to store your password somewhere on the device.” The researcher even claims to have found the encryption key in a partition folder.
Samsung, the report said, buried the manner in which KNOX creates the key deep inside myriad Java classes and proxies. The unique Android ID for each device is also used to derive the key, it added.
The report reads: “Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule. In the end, it just uses the Android ID together with a hardcoded string and mixes them for the encryption key. I would have expected from a product, called KNOX, a different approach.”
The researcher explained that the built-in Android encryption uses Password-Based Key Derivation Function (PBKDF2), which does not persist on the device.
They say: “The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely. For such a product, the password should never be stored on the device.
“There is no need for it, only if you forget your password. But then your data should be lost; otherwise they are not safe if there is some kind of recovery option.”
Samsung subsequently released a statement rubbishing the researcher’s claims.
Samsung said: “We analyzed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solutions. We would like to reassure our customers that KNOX password and key management is implemented based on the best security practices. The security certifications awarded to KNOX devices provide independent validation of Samsung KNOX.”