Reports have begun to circulate about a pervasive flaw in Samsung’s Knox security software for Android phones. The technology, which is the foundation of Android 5.0 Lollipop’s enhanced protections has come under fire by a lone, previously unknown researcher, previously unknown to the field, who calls the effort merely “security by obscurity.”
Samsung Knox is Samsung’s enterprise mobile security solution that addresses the needs of enterprise information technology without invading its employees’ privacy. The service, first released on the Samsung Galaxy Note 3 mobile device, provides security features that enable business and personal content to coexist on the same mobile device. Samsung claims that the product “addresses all major security gaps in Android.”
The researcher, who goes by the name Ares, has a single post to his or her name on a very newly launched Blogspot in German, but with english text. The post is detailed, generally written for the layman, and enumerates where Knox stores data, as well as how its stored. Unknown is Ares’ real name, or motivation beyond publishing the data following the US government’s reveal of Knox usage.
Beyond a PIN used to set up Knox being stored in plain, unencrypted text, Ares claims that the encryption key is generated by “Android ID together with a hardcoded string and mix them for the encryption key” which is only hidden “within hundreds of java classes, inheritance and proxies” and not in itself encrypted or protected.
Should the claim be true, breaking devices protected by Knox would be trivial for the determined. Given that the US Department of Defense (DOD) has recently approved Knox for classified work, a potential data thief would be motivated to perform the steps laid out by Ares to access the stored data, should the phone not have been remote wiped or prevented from doing so.
The flaw isn’t the first reported one with Knox, but Samsung has managed to deflect serious concern about the product. At the end of 2013, a pair of researchers found conditions where a Knox-protected device would allow a maliciously-crafted piece of software to track and record communications, including text messages and emails. An infected phone could even infect other phones within a secured network, such as those being tested by the US Department of Defense. Samsung, together with Google, called it a problem with Android, or the user, rather than an inherent flaw with the security suite.
