Israeli researchers poke holes in Samsung KNOX security system

The serious vulnerabilities impact Samsung's Knox security sandbox.
Written by Charlie Osborne, Contributing Writer

A number of severe problems have been discovered within the Samsung Knox security system in Android smartphones.

Three vulnerabilities affecting Android devices running Samsung's Knox security feature were recently revealed in a paper presented by Uri Kanonov and Avishai Wool, researchers from Tel Aviv University.

The security flaws affect versions of Knox on older Samsung devices; in particular, Knox 1.0 -- 2.3 running on Android up to version 4.3. Knox was designed to cater for the professional who must use their personal device for both work and play, and so acts as a sandbox or container to securely separate different applications and data.

As noted by the Register, the researchers say that while Knox does improve security, the sandbox system also "[makes] security sacrifices in favour of user satisfaction" -- hardly a winning accolade for Samsung, which is trying to keep up with other enterprise security solutions being offered by competitors.

The first vulnerability Kanonov and Wool discovered, CVE-2016-1919, is described as "weak eCrypt key generation" based on the user password input into the Knox 1.0 system on Android 4.3.

The encryption system is applied to both the Knox container and any data stored on the device's SD cards and is based on a 32-byte AES key. ECrypt relies on a mix of both the user's password and these 32 bytes, but the vulnerability lies within how this encryption protocol is used.

Knox requires a user password of at least seven characters, and together with the flaw, a simple brute-force attack can be used against the feature to crack its encryption.
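To show concretely why a seven-character minimum on its own does not stop offline guessing once the key depends only on the password and fixed device bytes, here is an added Python example; it is not code from the paper, from Samsung, or from Knox. The `weak_derive` function is a hypothetical single-hash derivation standing in for any scheme that costs one hash per guess (Knox's actual eCrypt algorithm is not reproduced here), `hardened_derive` is the standard PBKDF2 alternative, and the sample password, salt and device bytes are all constructed for the example.

```python
import hashlib
import math
import secrets

# Constructed sample inputs for the example (not Knox's real values).
SAMPLE_PASSWORD = "s3cret7"             # exactly the seven-character minimum
SAMPLE_DEVICE_BYTES = bytes(range(32))  # stand-in for the 32 device-side key bytes
SAMPLE_SALT = b"constructed-salt-16"    # stand-in per-user salt

MIN_PASSWORD_LEN = 7  # the minimum the article says Knox enforces


def password_meets_policy(password: str) -> bool:
    """Length-only policy, as described for Knox: seven characters or more."""
    return len(password) >= MIN_PASSWORD_LEN


def weak_derive(password: str, device_bytes: bytes) -> bytes:
    """Hypothetical weak derivation (illustration only, not Knox's scheme):
    one SHA-256 over password || device bytes. Every candidate password
    costs a single hash, so an offline guesser runs at raw hash speed."""
    return hashlib.sha256(password.encode("utf-8") + device_bytes).digest()


def hardened_derive(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """PBKDF2-HMAC-SHA256 with a random per-user salt and a high iteration
    count: each guess now costs `iterations` hashes instead of one."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def new_salt() -> bytes:
    """Fresh 16-byte salt for each enrolment, so guesses cannot be shared."""
    return secrets.token_bytes(16)


def keyspace_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly chosen password of the given length/alphabet."""
    return length * math.log2(alphabet_size)


def exhaustive_search_seconds(length: int, alphabet_size: int,
                              hashes_per_second: float,
                              hashes_per_guess: int = 1) -> float:
    """Time to try every password of this shape, given the guesser's hash
    rate and how many hashes the derivation costs per guess."""
    guesses = alphabet_size ** length
    return guesses * hashes_per_guess / hashes_per_second


if __name__ == "__main__":
    assert password_meets_policy(SAMPLE_PASSWORD)
    rate = 1e9  # assumed offline SHA-256 rate for the comparison
    print("7 lowercase letters:", round(keyspace_bits(7, 26), 1), "bits")
    print("weak: %.0f s to exhaust" % exhaustive_search_seconds(7, 26, rate))
    print("PBKDF2: %.0f s to exhaust" %
          exhaustive_search_seconds(7, 26, rate, hashes_per_guess=200_000))
    print("weak key:", weak_derive(SAMPLE_PASSWORD, SAMPLE_DEVICE_BYTES).hex())
    print("hardened key:", hardened_derive(SAMPLE_PASSWORD, SAMPLE_SALT).hex())
```

The point of the comparison is that a length rule bounds the keyspace (about 33 bits for seven lowercase letters), so the derivation's per-guess cost is what decides whether that keyspace is searchable offline; the hardened variant multiplies the attacker's work by the iteration count without changing anything the user types.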

The second security flaw, CVE-2016-1920, is a shared certificate storage weakness. In Knox 1.0, the applications stored in the secure container used the same certificate store as apps outside and in the standard Android environment.

As Android allows third-party certificates to be installed -- with user authorization -- and also allows apps to create virtual private network (VPN) tunnels in the interest of security, the combination of all three could allow remote attacks to take place.

If a victim installs a malicious app which requires VPN permissions and then installs a third-party certificate, launching the app could create a tunnel through which the app intercepts traffic, resulting in a VPN man-in-the-middle (MITM) attack that leads to information leaks and theft.

The researchers also note that 'red flag' warnings can be mitigated by giving the malicious app a benign name such as "Knox connectivity."

The third major bug, CVE-2016-3996, is found in not only Knox 1.0, but versions leading up to 2.3 on the Android operating system. The vulnerability was found through a service called clipboardEx which provides access to data stored on both the Knox and Android clipboard and the servers connected to the service.

Attackers attempting to access this data can run exploit code from a malicious app to grab the clipboard contents without needing to know the user's password, because the data is not encrypted.

Samsung was notified of the vulnerabilities at the end of 2015 and all of these bugs were patched this year -- but as always in the case of Android devices, it is often up to individual vendors to issue OTA updates.
