Samsung Knox Is Weak, Researcher Says - InformationWeek

04:06 PM

Samsung's Knox security software for Android devices handles passwords in a way that undermines encryption, an anonymous researcher says.

An unidentified security researcher has analyzed the design of Samsung's Knox security software for Android devices and claims that the code implements encryption in an insecure manner.

The researcher, in a blog post published under the name "Ares," cites the US government's decision to certify Knox for government use as a rationale for releasing the findings.

This week, Samsung's Galaxy S4 and S5, Galaxy Note 3, and Galaxy Note 10.1 2014 Edition were added to the Commercial Solutions for Classified (CSfC) Program run by the National Security Agency and Central Security Service. This followed the US Department of Defense's approval of Samsung Knox-enabled devices in May 2013 for use in DoD networks.

It also followed Google's announcement this year that it has partnered with Samsung to make portions of the Knox software available to the recently released Android Lollipop.

The problem with Knox, as described, is a simple one: Samsung has relied on security through obscurity, hiding how the key is derived rather than deriving it from something an attacker cannot obtain. That practice is widely frowned on by security experts, particularly in an era of instantaneous worldwide electronic publishing, because a hidden algorithm stays hidden only until someone decompiles the code.

"Ares" found that Knox writes the PIN used to initiate password recovery to an XML file in cleartext. Entering the PIN correctly returns a password hint: the first and last character of the password, along with the length of the password. Because that hint is computed from the password itself, "Ares" concluded that Knox must store the user's password on the device in a recoverable form.

So not only does Knox weaken the password for anyone holding the PIN -- and anyone who can read the XML file can get the PIN -- by revealing its first and last characters and its length, but it also stores the password (in encrypted form) on the device, where the ciphertext can be attacked offline.

Worse still, the researcher's code analysis indicates that Knox derives the encryption key from predictable inputs -- a hardcoded string and the device's Android ID, a value any app on the device can read -- so anyone who recovers the constant from the shipped code can regenerate the key for a given device.

"Samsung really tried to hide the functionality to generate the key, following the security-by-obscurity rule," the blog post explains. "In the end it just uses the Android ID together with a hardcoded string and mix[es] them for the encryption key. I would have expected from a product called Knox a different approach."

"Ares" advises Samsung to use a key-generation function that's not predictable and not to store the password on the device. Storing it on the device enhances convenience, by making password recovery possible as a local operation, but it undermines security.
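The following is an added illustration, not Samsung's code and not the researcher's: a stdlib-only Python model of the design described in the preceding paragraphs (recovery PIN in a cleartext XML file, a hint that reveals the first and last character plus the length, and an encryption key derived from the Android ID concatenated with a hardcoded string), the attacker's recovery path, and the hardened alternative "Ares" recommends, which stores only a salted slow-hash verifier and never a recoverable password. The hardcoded constant, the Android ID, the XML layout and the SHA-256 counter-mode XOR cipher (standing in for whatever real cipher Knox uses) are all assumptions; the sample data is constructed.

```python
# Added illustration, not Samsung's code: a model of the password-recovery
# design "Ares" describes (cleartext PIN in XML, a revealing hint, and an
# encryption key derived from the Android ID plus a hardcoded string), the
# attacker's recovery path, and a hardened alternative that stores no
# recoverable password at all. Stdlib only; SHA-256 counter-mode XOR stands in
# for the real cipher, and all constants and sample data are constructed.
import hashlib
import hmac
import secrets
import xml.etree.ElementTree as ET

# Assumed stand-in for the hardcoded string the researcher found; any value
# baked into shipped code is recoverable by reversing that code.
HARDCODED_STRING = b"KNOX-EXAMPLE-CONSTANT"

# Constructed sample of a settings file holding the recovery PIN in cleartext.
SAMPLE_XML = "<settings><recovery><pin>4271</pin></recovery></settings>"


def read_cleartext_pin(xml_text: str) -> str:
    """What anyone with file access gets: the recovery PIN, no secret needed."""
    return ET.fromstring(xml_text).findtext("recovery/pin")


def weak_key(android_id: str) -> bytes:
    """Key derived only from device-readable inputs, so it is predictable."""
    return hashlib.sha256(android_id.encode() + HARDCODED_STRING).digest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES): XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hashlib.sha256(key + offset.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def weak_store(android_id: str, password: str) -> bytes:
    """Encrypted password blob as the weak design would write it to the device."""
    return keystream_xor(weak_key(android_id), password.encode())


def attacker_recover(android_id: str, blob: bytes) -> str:
    """Attacker holding the blob, the Android ID and the reversed constant decrypts it."""
    return keystream_xor(weak_key(android_id), blob).decode()


def hint_search_space(alphabet_size: int, length: int) -> tuple[int, int]:
    """Candidate count before and after the hint reveals first/last char and length."""
    full = alphabet_size ** length
    reduced = alphabet_size ** max(length - 2, 0)
    return full, reduced


def hardened_store(password: str) -> tuple[bytes, bytes]:
    """Store a salted, slow verifier; the password itself is never recoverable."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def hardened_verify(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time check against the stored verifier; no hint, no recovery."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    android_id = "9774d56d682e549c"  # constructed; readable by any app on the device
    blob = weak_store(android_id, "Tr0ub4dor&3")
    print("PIN from XML:", read_cleartext_pin(SAMPLE_XML))
    print("Recovered from blob:", attacker_recover(android_id, blob))
    print("Search space (62-char alphabet, 8 chars) without/with hint:", hint_search_space(62, 8))
    salt, digest = hardened_store("Tr0ub4dor&3")
    print("Hardened verify:", hardened_verify("Tr0ub4dor&3", salt, digest))
```

Two things the model makes concrete: the weak design fails not because the cipher is bad but because every input to the key is available to the attacker, so `attacker_recover` needs nothing the device does not hand over; and the hint alone shrinks an eight-character search over a 62-symbol alphabet from 62^8 to 62^6 candidates, a factor of 3,844, before any key material is touched. The hardened form gives up local password recovery entirely, which is the trade-off the researcher is asking Samsung to accept.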

Neither Samsung nor Google responded to requests for comment.

"Knox is better than nothing and represents a first cut standard of creating a secure environment for hosting applications on Android," Philip Lieberman, president of the security software company Lieberman Software, said in an email. "A better strategy would be the use of special purpose hardware on the device itself which is the approach used by Apple and Microsoft that creates walled gardens for their ecosystems."

Knox relies on security through obscurity, Lieberman said, because stronger security would have required fundamental changes to Android's security model or special hardware. "Government users have successfully used Android for high-security applications, but the entire operating system and stack were custom built and hosted on special-purpose storage and encryption technology. The use of consumer software and hardware is a dream for commercial and government users, but to date this is still a dream, hope, and desire."

Update: Samsung on Friday challenged the researcher's claims in a blog post. "We analyzed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solutions," the company said, offering specific refutations for two of the three points raised and arguing that the storage of a password on the device is not an issue because KNOX Trusted Boot protects it.

Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...
User Rank: Apprentice
10/28/2014 | 12:01:32 PM
This Security Researcher Is Thoroughly Incompetent
The "security researcher" thinks that the password must exist somewhere on the device, but that (a) is not true for any secure implementation, and (b) is not true for the Samsung devices that have been validated by NIAP (S4, S5, etc). The "researcher" first configured the device to be completely insecure by allowing PINs instead of passwords, and allowing password hints, neither of which is allowable under a secure configuration. 

The "researcher" is demonstrated to be even more incompetent by the fact that s/he did not even bother to check public domain documentation on the Samsung / KNOX security, which would have led him / her to realize that unlocking the user data on the device, once it has been turned off, would require physically dismantling the device and probably modifying some silicon. 

It is unfortunate that the tech media does not have the intellectual wherewithal to properly investigate such claims and instead trumpets them without understanding. Instead, attention should be properly focused on the fact that certain smartphone manufacturers rely entirely on security through obscurity, using legal stratagems to deny *actual* security researchers the right to investigate their devices. Google "Charlie Miller" to see an example of this. 
User Rank: Ninja
10/26/2014 | 4:26:47 PM
Samsung ought to know better. Given the three-ring encryption circus that is known as iOS 8, informed consumers won't buy these phones simply by virtue of the fact that it has the NSA's approval, but then again, consumers who are informed aren't really a very big concern to business, and, if they were, the entire American economy would collapse.
User Rank: Ninja
10/26/2014 | 9:53:48 AM
Re: Surprising
These security researchers are just making life difficult. Haha. Now that the Knox team has rejected the claims made, the researcher has to prove himself. If the encryption is that simple, then it's really haunting.
User Rank: Ninja
10/25/2014 | 3:59:33 PM
Re: Surprising
It is a bit surprising that it's a little too simple in the way it encrypts, but it is better than nothing. As Jagibbons points out, it is probably OK for the average user.
User Rank: Ninja
10/25/2014 | 2:01:38 PM
Good to know... I own a Samsung tablet and my wife owns a Samsung phone, but this is truly embarrassing. I'm sure Knox will be dropped in short order, but hopefully, there is a replacement that can quickly be made available.

User Rank: Apprentice
10/25/2014 | 12:29:52 AM
There is a response from Samsung
After failing to find the blogger/researcher, Samsung posted a reply which you can find on the Samsung Knox blog. I'm not able to put the link here. It is on the Samsung Knox website, blog link.

Disclaimer: I'm doing work for Samsung
User Rank: Ninja
10/24/2014 | 9:24:57 PM
I'm a bit surprised that the encryption is that predictable in this product. On the flipside, I realize there are tradeoffs between security and convenience. For the DOD and NSA this probably isn't sufficient. For most of the rest of us, it probably is enough security to go along with common sense use of the phone.