NSA-Approved Samsung KNOX Stores PINs in Plaintext

Posted in: Archive
October 26, 2014 10:38 AM UTC

Mobile devices are potentially huge security vulnerabilities in enterprise and government environments. Compromised devices can result in all sorts of sensitive information being leaked.

BlackBerry used to dominate the enterprise and government sectors due to its focus on security. However, in recent years, the Canadian phone company has fallen behind competitors like Apple and Samsung, who have made significant advancements in mobile security. The U.S. government has increasingly shifted towards dropping BlackBerry in favour of Apple and Samsung devices, which were approved for limited government use by the Department of Defense last year. Furthermore, just a few days ago, the National Security Agency approved Samsung’s Galaxy phones and tablets to store classified documents, as long as they’re equipped with KNOX, Samsung’s mobile security solution. This makes Samsung’s products the first consumer mobile devices to be approved for use by the NSA, perhaps the most secretive organisation on the planet. However, despite the NSA’s strict security standards, adopting Samsung’s KNOX technology may have been a mistake, as KNOX may not actually be all that secure.

Just What is KNOX?

Samsung KNOX is a mobile security solution that allows users to use the same device for both personal and business use. Unlike iOS, Android provides the user with complete access to the file system. Since this poses a potential security vulnerability, KNOX offers a special “container” for secured apps that are separated from the user’s private apps and data in an attempt to address “all major security gaps in Android.” The system boasts a wide range of security features, including two-factor biometric authentication, VPN support, on-device encryption, and more. And with the NSA adopting KNOX technology for securing classified documents, Samsung appears to have further penetrated the lucrative government sector.

“The inclusion of Samsung mobile devices on the [NSA’s Commercial Solutions for Classified Program Components List] list proves the unmatched security of Samsung Galaxy devices supported by the Knox platform.” -JK Shin, president of Samsung’s mobile division.

However, security researcher “Ares” recently published his analysis of KNOX, detailing why the system might not actually be as secure as it seems.

Not Really a Fort Knox

Setting up KNOX requires a password and a PIN. Accessing KNOX’s secure home screen requires the password. However, in case the user forgets the password, he/she can enter the PIN to receive a password hint. The hint shows the first and last character of the password and the length of the password string. For some users, especially those particularly concerned about security like the NSA, this may be too much of a hint: it reveals two characters outright and removes all uncertainty about the length. Furthermore, as it happens, the PIN used to access the password hint is stored on the device in unencrypted plaintext.

KNOX stores the user’s PIN in plaintext on the device in a file called “pin.xml”. This file can be accessed by anyone browsing the filesystem.

However, the security concerns don’t end there. Based on the password hint, it’s clear that KNOX stores the password somewhere on the device. Upon further inspection, “Samsung didn’t make any use of code obfuscation but really tried to hide the password storage code within hundreds of java classes, inheritance and proxies.” Samsung chose to follow the “security through obscurity” principle rather than taking actual security measures to protect how the encryption key is generated. “In the end it just uses the Android ID together with a hardcoded string and mix them for the encryption key,” states Ares. Both of those inputs are present on the device, so the key is reproducible without knowing anything the user knows. “I would have expected from a product, called Knox, a different approach,” such as deriving the key from the password with Password-Based Key Derivation Function 2 (PBKDF2) and never storing the password on the device.

“The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely.”

This isn’t even the first time KNOX has been criticised. Back in December, researchers claimed to have found a “critical vulnerability” in the security suite.

Ares concludes with the following recommendation:

“Instead of Samsung Knox, use the built-in Android encrpytion [sic] function and encrypt the whole device. Android is using a PBKDF2 function from the encryption password you choose and never persists it on the device. Obviously you can never access the data if you forget your password, but that’s the point of a good encryption.”
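The contrast the article and the researcher draw, shown as an added example in Python (not Samsung’s code, not Ares’s code, and not the actual KNOX key derivation): one key is derived purely from a device identifier and a constant baked into the app, so anyone with the identifier and the app can recompute it and the user’s password plays no part; the other follows the recommendation, deriving the key from the password with PBKDF2 and a random salt and storing only a verifier, so no hint of the kind described above can ever be produced. The Android ID, the hardcoded string and the “mix” step are constructed placeholders, since the real values are not on the page.

```python
"""Device-derived key vs. password-derived (PBKDF2) key.

Added example; the sample Android ID, the "hardcoded string" and the
mixing step are placeholders standing in for what the analysis
describes, not the values KNOX actually uses.
"""
import hashlib
import hmac
import os

# Constructed sample values (placeholders, not KNOX's real values).
SAMPLE_ANDROID_ID = "9774d56d682e549c"            # shape of Settings.Secure.ANDROID_ID
PLACEHOLDER_HARDCODED = "example-hardcoded-string"  # stands in for the app constant
PBKDF2_ITERATIONS = 100_000


def weak_device_key(android_id: str, hardcoded: str) -> bytes:
    """Key "mixed" from the device ID and an app constant (here: SHA-256 of
    their concatenation). Both inputs live on the device, so the key has
    no secret component and does not depend on the user's password at all."""
    return hashlib.sha256((android_id + hardcoded).encode()).digest()


def pbkdf2_key(password: str, salt: bytes,
               iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Key derived from the user's password with PBKDF2-HMAC-SHA256 and a
    per-device random salt; the password itself is never persisted."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                               iterations, dklen=32)


def make_verifier(password: str) -> dict:
    """What a PBKDF2-based design stores on disk: salt, iteration count and
    the derived key. There is no password field, so no hint can be built."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": PBKDF2_ITERATIONS,
        "key": pbkdf2_key(password, salt),
    }


def check_password(verifier: dict, candidate: str) -> bool:
    """Unlock check: re-derive from the candidate and compare in constant time."""
    derived = pbkdf2_key(candidate, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(derived, verifier["key"])


def password_hint(password: str) -> str:
    """The hint shape the article describes (first char, last char, length).
    Producing it requires the stored password, which is exactly the problem."""
    return f"{password[0]}...{password[-1]} ({len(password)} chars)"


def hint_search_space(password: str, alphabet_size: int = 95) -> int:
    """Number of candidates left once the hint fixes the length and two
    characters: alphabet_size ** (length - 2) instead of the full space."""
    return alphabet_size ** (len(password) - 2)


if __name__ == "__main__":
    # Device-derived key: identical regardless of what password the user set.
    k = weak_device_key(SAMPLE_ANDROID_ID, PLACEHOLDER_HARDCODED)
    print("device-derived key:", k.hex())

    # Password-derived key: two enrolments of the same password give
    # different keys (random salt), and only the password unlocks.
    v = make_verifier("correct horse")
    print("unlock with right password:", check_password(v, "correct horse"))
    print("unlock with wrong password:", check_password(v, "correct h0rse"))
    print("hint would leak:", password_hint("correct horse"))
```

Running the block shows the property the article relies on: `weak_device_key` returns the same value no matter what the user chose as a password, so confidentiality rests entirely on keeping the device ID and the app constant secret, which a filesystem browser and a decompiler defeat. The verifier-based design cannot return a hint because it never stores the password; that is the trade-off Ares describes (“you can never access the data if you forget your password”).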


As the researcher recommends, using Android’s built-in encryption appears to be more secure than KNOX. Apple and Google have even significantly strengthened on-device encryption recently (to such an extent that it’s even stumped the FBI). Both Google and Apple have detailed reports on the security of their respective operating systems here and here. However, the NSA adopting what appears to be a flawed security suite certainly raises some questions. How could the NSA have missed these issues? Or did the NSA deliberately promote what they already might have known was insecure? Are the systems we use every day really as safe as we believe?

Update: Samsung has dismissed the vulnerability claims (similar to the last time researchers claimed to have discovered a vulnerability in KNOX). However, Samsung did confirm that encryption keys are stored on the device.

Images from Samsung and Shutterstock.


Last modified: June 10, 2020 4:03 PM UTC

Neil Sardesai @neilsardesai

I enjoy keeping up with the latest stuff in science and technology and have been following Bitcoin for a few years now. I also occasionally post cool stuff on twitter.