Samsung Knox may not be the promised safe haven, according to a German security researcher who has pointed out numerous security flaws in Knox. In a blog named Ares, the researcher revealed that the Knox app saves the user's PIN in plain text, where it could easily be accessed by an attacker.
Samsung Knox is a security app for Android that allows users to separate personal data and files from work data. It creates a “KNOX container” in which the user can store business data separately from personal data. With the advent of BYOD, the app is positioned as ideal for the workplace environment.
Knox presents a separate home screen that requires a password to launch secured apps and access data in the container. Other security features include two-factor biometric authentication, VPN support and on-device encryption.
Knox is designed to address known “security gaps” in Android and to compete with operating systems regarded as more secure, such as iOS and BlackBerry, which dominate the corporate world and the lucrative government sector. Unless jailbroken, iOS is a sandboxed operating system that is hard to crack. BlackBerry, for its part, uses a containerization technology known as Balance, which earns it a high approval rating in the corporate world.
With the advent of BYOD, Samsung markets Knox as the most secure workplace tool, a factor that has earned it favor among US government agencies, which are increasingly dropping traditional BlackBerrys and iPhones for Samsung’s Knox. A few days ago the NSA approved Knox for storage of classified data, making it the first mobile app ever approved by the US spy agency. However, German security researcher “Ares” believes Knox is not worth the stone it is written on. Either the NSA made a grave error, or it is just another ploy to trick users into using a compromised app.
The problem lies in the authentication process, which requires a password and a PIN to launch secured apps and access files in the Knox container. If the user forgets the password, they are prompted to enter an assigned PIN in order to get a password hint. According to Ares, the hint is generated in a “very predictive” way that could easily help an attacker crack the password: the hint reveals the first and last characters of the forgotten password as well as its total number of characters. Furthermore, the PIN is stored in unencrypted plaintext in one of Knox's support apps, where it could easily be accessed by a malicious hacker.
“The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely. For such a product the password should never be stored on the device,” stated Ares.
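To put a number on the risk the hint described above creates, here is an added example (not code from the article, from Ares or from Samsung) that computes how much of a password search space is eliminated once the first character, last character and length are disclosed. It assumes passwords are drawn uniformly from an alphabet of a given size with lengths in a given range; the alphabet size and length policy are assumed values, not figures from the page.

```python
import math

# Added example: quantify what the Knox 1.0 password hint (first character,
# last character, total length) gives away. Assumption: passwords are chosen
# uniformly from `alphabet_size` symbols, with length in [min_len, max_len].


def keyspace_without_hint(alphabet_size: int, min_len: int, max_len: int) -> int:
    """Candidates to consider when nothing about the password is known."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def keyspace_with_hint(alphabet_size: int, length: int) -> int:
    """Candidates left once length, first and last character are disclosed."""
    if length <= 2:
        return 1  # a one- or two-character password is fully revealed by the hint
    return alphabet_size ** (length - 2)


def bits_leaked(alphabet_size: int, min_len: int, max_len: int, actual_len: int) -> float:
    """Entropy (in bits) the hint removes from a uniformly chosen password."""
    before = keyspace_without_hint(alphabet_size, min_len, max_len)
    after = keyspace_with_hint(alphabet_size, actual_len)
    return math.log2(before) - math.log2(after)


if __name__ == "__main__":
    # Constructed scenario: 95 printable ASCII symbols, policy allows 6..12
    # characters, the user picked an 8-character password.
    total_bits = math.log2(keyspace_without_hint(95, 6, 12))
    leaked = bits_leaked(95, 6, 12, 8)
    print(f"hint leaks {leaked:.1f} of {total_bits:.1f} bits; "
          f"{keyspace_with_hint(95, 8):,} candidates remain")
```

The same function family shows why a simple policy change (for example, allowing only numeric PINs of fixed length) does not help: with the length already fixed, the hint removes two of the few symbols that were left.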
In response to Ares' claims, Samsung published a statement on the Knox blog saying, “We analyzed these claims in detail and found the conclusions to be incorrect for KNOX enterprise solution.” The tech giant insisted Knox was in line with best-known security practices. “The security certifications awarded to KNOX devices provide independent validation of Samsung KNOX,” stated Samsung.
Samsung also dismissed claims that the container’s password or key stored on the device could be easily accessed. “KNOX does save the encryption key required to auto-mount the container’s file system in TrustZone. However, unlike what is implied in the blog, the access to this key is strongly controlled. Only trusted system processes can retrieve it, and KNOX Trusted Boot will lock down the container key store in the event of a system compromise.”
As for claims that KNOX enterprise containers store an alternative PIN to help reset passwords, Samsung clarified that all password resets are done remotely through its MDM agent. However, the South Korean tech giant acknowledged possible vulnerabilities in its initial Knox 1.0 version. “KNOX 1.0’s Personal containers, designed to let consumers experience the KNOX container, were not managed by an MDM agent. Therefore, they either store an alternative PIN or use a Samsung account to recover forgotten passwords.”
In conclusion, Samsung advised its customers to update to the latest My KNOX, promising better functionality. “KNOX 1.0’s Personal container has been replaced by My KNOX, which is derived from the KNOX enterprise container… The My KNOX console provides password reset functionality, thus removing the need for password hints,” concluded Samsung.
Top/Featured Image: By Ali Raza / Security Gladiators