Samsung Finally Counters Claims of Knox Security Flaws
Tech giant Samsung has finally offered a full response to claims from about two and a half weeks ago that its Knox security software for its Android devices has a security flaw. In short, Samsung claims that the flaw isn’t the result of faults in Knox, but rather comes from the combination of unencrypted data and the Android operating system’s “legitimate functions.”
According to a press release published on Samsung’s Knox website, the flaw is actually “a classic Man in the Middle attack.” Here’s the full explanation from Samsung:
“After discussing the research with the original researchers, Samsung has verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device. This research did not identify a flaw or bug in Samsung KNOX or Android; it demonstrated a classic Man in the Middle (MitM) attack, which is possible at any point on the network to see unencrypted application data. The research specifically showed this is also possible via a user-installed program, reaffirming the importance of encrypting application data before sending it to the Internet.”
Additionally, now that Samsung’s researchers have determined that the flaw comes from such an attack, the company has identified ways that the Knox software can supposedly protect the user’s data against the attacks. Included in its list of countermeasures are Mobile Device Management (MDM), Per-App VPN, and FIPS 140-2, the last of which is a data certification standard used by the NSA to keep sensitive data from being accessed by unauthorized parties.
As for the other two countermeasures, MDM is an option offered by Knox that keeps MitM attacks from succeeding in changing security settings, while Per-App VPN gives users the ability to control where data comes from and goes to—which should, in effect, thwart the efforts of unauthorized users looking to gain access to the Knox-enabled device in the first place.
Of course, at the end of the day, a user with sensitive data on a device connected to a network is going to be more vulnerable than one who’s offline. To illustrate what I mean, I’m going to use a slightly outdated pop-culture analogy:
In Battlestar Galactica’s first episode, the Cylons launched their attack against the colonies, and everyone lost control of their technology because they were all on a network. But the Galactica didn’t because it lacked network access. The moral of that particular story is that you can’t have complete security if you’re connecting to any network that isn’t completely closed. As such, it doesn’t matter what kind of security software you put on your mobile phone—your data has more potential for compromise than if you keep it in a folder in a briefcase that you never open.