Samsung Releases Findings on KNOX Security Issue

January 10, 2014 - Written By Ray Greer

Samsung’s security feature, KNOX, has had a rough start, and continues to ride that rocky road to our approval. Finally, Samsung has come out with more than just a brief statement essentially telling us to relax and that they’ve got it under control.

Back in December of 2013, the Wall Street Journal brought to light findings from Ben-Gurion University. Those findings were that there was a “vulnerability that could allow malicious software to track emails and record data communications.” The news spread, and people began to think of the security feature as insecure.

At the time, Samsung had very little to say in response to the findings, basically saying the researchers were exaggerating. Samsung wanted people to feel safe, and in order to do that they figured the best way was to downplay the news, but said they would conduct their own research and fix the issues, if any.

Now, Samsung is ready to clear their name and announce their research findings and how they plan to fix the problem. What did Samsung have to say about the possible vulnerability? Well, they say it’s not their fault. Samsung did put it in a more long-winded way, saying they “have verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device.” What all that means is that the issue doesn’t come from KNOX itself; rather, the issue already existed within Android. The keyword in their statement is “unencrypted”. Since some apps do not encrypt data, that “unencrypted” data leads to vulnerabilities.

An entire post devoted solely to the KNOX issue was written by Samsung and Google together. The post gives some advice to app developers, asking that developers remember to encrypt data both incoming and outgoing by using SSL/TLS. If for some reason a developer can’t use SSL/TLS, Android does have built-in VPN support.

Samsung also made sure to point out that their findings have already been supported by a professor from the Georgia Institute of Technology, Professor Patrick Traynor. Professor Traynor was quoted saying that “Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue.” Professor Traynor continued to tell Samsung they should “encourage” the users to take advantage of those available mechanisms. So with that said, Samsung listed those mechanisms in the post. They are Mobile Device Management, Per-App VPN, and FIPS 140-2.

Mobile Device Management is available in the Android platform already. MDM, according to the blog post from Samsung and Google, “is a feature that ensures that a device containing sensitive information is set up correctly according to an enterprise specific policy.” That part seemed to be written by Google, because the next part explains how the KNOX feature enhances that already functioning part of the Android platform. Samsung said they added the ability “to lock down security-sensitive device settings.” The next thing the post brings up is the per-app VPN.

Per-app VPN is a KNOX-only feature and, if configured properly, allows traffic only from “designated and secured application to be sent through the VPN tunnel.” The idea is to add to security by giving more control. Lastly, there is FIPS 140-2.

FIPS 140-2 is, again, a KNOX feature. Essentially, FIPS 140-2 is a VPN client that is used for protecting data during transfer. According to the post, it is used by many enterprises to do just that, and is a NIST standard. That is all Samsung had to say about that. After seeing how Samsung has reacted to this whole issue, what are your thoughts? Do you think they have done the right thing in their approach to solving the issue? Or do you think they could’ve done something a bit different?