BlackBerry used to dominate the enterprise and government sectors due to their focus on security. However, in recent years, the Canadian phone company has fallen behind to competitors like Apple and Samsung, who have made significant advancements in mobile security. The U.S. government has increasingly shifted towards dropping BlackBerry in favour of Apple and Samsung devices, which were approved for limited government use by the Department of Defence last year. Furthermore, just a few days ago, the National Security Agency approved Samsung’s Galaxy phones and tablets to store classified documents, as long as they’re equipped with KNOX, Samsung’s mobile security solution. This makes Samsung’s products the first consumer mobile devices to be approved for use by the NSA, perhaps the most secretive organisation on the planet. However, despite the NSA’s strict security standards, adopting Samsung’s KNOX technology may have been a mistake, as KNOX may not actually be all that secure.
“The inclusion of Samsung mobile devices on the [NSA’s Commercial Solutions for Classified Program Components List] list proves the unmatched security of Samsung Galaxy devices supported by the Knox platform.” -JK Shin, president of Samsung’s mobile division.
However, security researcher “Ares” recently published his analysis of KNOX, detailing why the system might not actually be as secure as it seems.
Setting up KNOX requires a password and a PIN. Accessing KNOX’s secure home screen requires the password. However, in case the user forgets the password, he/she can enter the PIN to receive a password hint. The hint shows the first and last character of the password and the length of the password string. For some users, especially those particularly concerned about security like the NSA, this may be too much of a hint. Furthermore, as it happens, the PIN used to access the password hint is stored on the device in unencrypted plaintext.
However, the security concerns don’t end there. Based on the password hint, it’s clear that KNOX stores the password somewhere on the device. Upon further inspection, “Samsung didn’t make any use of code obfuscation but really tried to hide the password storage code within hundreds of java classes, inheritance and proxies.” Samsung chose to follow the “security through obscurity” principle rather than taking actual security measures to hide how the encryption key is generated. “In the end it just uses the Android ID together with a hardcoded string and mix them for the encryption key,” states Ares. “I would have expected from a product, called Knox, a different approach,” such as deriving the key with a Password-Based Key Derivation Function 2 (PBKDF2) and never storing the password on the device.
“The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely.”
This isn’t even the first time KNOX has been criticised. Back in December, researchers claimed to have found a “critical vulnerability” in the security suite.
Ares concludes with the following recommendation:
“Instead of Samsung Knox, use the built-in Android encrpytion [sic] function and encrypt the whole device. Android is using a PBKDF2 function from the encryption password you choose and never persists it on the device. Obviously you can never access the data if you forget your password, but that’s the point of a good encryption.”
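To make the contrast concrete, here is an added illustration (not Samsung’s or Ares’s code) of the two designs discussed above: a key built only from data already on the device, as Ares describes, beside a PBKDF2 key derived from the user’s password, as he recommends. The Android ID, the hardcoded string and the XOR keystream are constructed stand-ins; the real values and Samsung’s actual mixing function are not on the page.

```python
import hashlib
import hmac

# Constructed sample values; the real Android ID and hardcoded string are not known here.
SAMPLE_ANDROID_ID = "9774d56d682e549c"
SAMPLE_HARDCODED_STRING = "HYPOTHETICAL_CONSTANT"


def keystream(key: bytes, length: int) -> bytes:
    """Toy SHA-256 counter keystream so the example runs with the standard library only.
    Illustrative; real code should use an authenticated cipher such as AES-GCM."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def device_bound_key(android_id: str, constant: str) -> bytes:
    """Key built only from data already present on the device (the pattern the article
    describes). No user secret is involved, so anyone who can read the Android ID and
    extract the constant from the app code can rebuild the key."""
    return hashlib.sha256((android_id + constant).encode()).digest()


def persist_password_hint_style(password: str, android_id: str) -> bytes:
    """Encrypt the password with the device-bound key so a hint can be shown later."""
    data = password.encode()
    ks = keystream(device_bound_key(android_id, SAMPLE_HARDCODED_STRING), len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


def recover_persisted_password(blob: bytes, android_id: str) -> str:
    """Shows the risk: the stored blob plus the device's own ID is enough to get the
    password back, which is why persisting it for the hint feature is a weakness."""
    ks = keystream(device_bound_key(android_id, SAMPLE_HARDCODED_STRING), len(blob))
    return bytes(a ^ b for a, b in zip(blob, ks)).decode()


def pbkdf2_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """The alternative Ares recommends: derive the data key from the password with
    PBKDF2-HMAC-SHA256. Only the salt and iteration count are stored, never the password,
    so forgetting the password means the data is unrecoverable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def keys_match(a: bytes, b: bytes) -> bool:
    """Constant-time comparison of two derived keys."""
    return hmac.compare_digest(a, b)
```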
As the researcher recommends, using Android’s built-in encryption appears to be more secure than KNOX. Apple and Google have both significantly strengthened on-device encryption recently, to such an extent that it has even stumped the FBI. Both Google and Apple have published detailed reports on the security of their respective operating systems. However, the NSA adopting what appears to be a flawed security suite certainly raises some questions. How could the NSA have missed these issues? Or did the NSA deliberately promote what they already might have known was insecure? Are the systems we use every day really as safe as we believe?
Update: Samsung has dismissed the vulnerability claims (similar to the last time researchers claimed to have discovered a vulnerability in KNOX). However, Samsung did confirm that encryption keys are stored on the device.
Last modified: June 10, 2020 4:03 PM UTC