Knocking Knox: Samsung DENIES vuln claims, says mysterious blogger is a JOKER

But YES, system does store encryption key on the device


A damning security critique against Samsung's US government-approved Knox system has been dismissed by the South Korean tech giant.

Earlier this week, Knox was given the green light for use on classified Stateside government networks and data.

Samsung had become the "first consumer mobile device manufacturer validated to handle the full range of classified information in the US", the company's security unit boasted.

Days later, an anonymous, newbie German blogger attempted to spoil Samsung's g-men party with a lengthy critique of the system.

Knox, it was alleged, generates weak encryption keys, stores passwords locally and features a "security by obscurity" design full of holes.

The most glaring security mistake, the unidentified blogger claimed, was that the password and PIN a user enters to log into a Knox app were subsequently written in cleartext to a "pin.xml" file.
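To make the alleged flaw concrete, here is an added Python example (not code from the article, the blogger or Samsung Knox) that contrasts a file storing a PIN in cleartext with a hardened file that stores only a salted PBKDF2 verifier; the XML layout, element names and iteration count are assumptions.

```python
"""Added example: cleartext PIN file versus a salted PBKDF2 verifier.
Nothing here is Samsung Knox code; the XML layout is a constructed stand-in."""
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET
from typing import Optional

# Constructed sample in the spirit of the alleged "pin.xml" (hypothetical layout).
WEAK_PIN_XML = '<?xml version="1.0"?><config><pin>4321</pin></config>'


def cleartext_pin(xml_text: str) -> Optional[str]:
    """Return the PIN if the file stores it in the clear, else None.
    Anyone who can read the file can read the PIN: this is the weak pattern."""
    node = ET.fromstring(xml_text).find("pin")
    return node.text if node is not None else None


def make_verifier(pin: str, iterations: int = 200_000) -> dict:
    """Hardened form: keep only a random salt, the iteration count and a
    PBKDF2-HMAC-SHA256 digest. The PIN itself is never written anywhere."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations)
    return {"salt": salt.hex(), "iters": iterations, "hash": digest.hex()}


def hardened_pin_xml(verifier: dict) -> str:
    """Serialise the verifier as XML; the file no longer contains the PIN."""
    root = ET.Element("config")
    ET.SubElement(root, "pin-verifier", salt=verifier["salt"],
                  iters=str(verifier["iters"]), hash=verifier["hash"])
    return ET.tostring(root, encoding="unicode")


def check_pin(candidate: str, verifier: dict) -> bool:
    """Recompute the digest and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                 bytes.fromhex(verifier["salt"]),
                                 verifier["iters"])
    return hmac.compare_digest(digest.hex(), verifier["hash"])
```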

Samsung Knox provides a container to separate work and personal environments in order to protect enterprise data and employee privacy. The mobile security technology is integrated into Android.

The uncorroborated criticism of Samsung Knox is particularly concerning given the recent go-ahead to use smartphones and tablets that rely on the technology on US government networks.

The security certification wing (CESG) of the UK's eavesdropping nerve centre GCHQ only deems Samsung kit suitable for official government business. In other words, not for the processing of anything classified or even sensitive.

But does Samsung's clearance mean it is permissible to use Knox technologies on "sensitive but unclassified" networks, or is it "type 1" certified to handle real secrets?

The Reg asked the NSA's PR team, which pointed us towards a list of "approved components for the commercial solutions for classified program components list" here. "From this site, for products that have successfully achieved compliance with CNSSP-11 (Committee on National Security Systems Policy No. 11), you can find a link to the Common Criteria Validation Report," the US spooks' spokesman explained.

Under mobile platform on this list the Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy Note 4, Galaxy Note 10.1 – all running Android 4.4.2 – appear alongside the Boeing Black, which has not completed its validation process. Samsung Galaxy devices are approved under a programme for quickly deploying commercially available technologies.

El Reg first asked Samsung Knox to respond to the criticism on Friday morning, but at time of publication it hadn't got back to us directly.

But the company has since taken to its official Knox blog to dispel the claims.

Samsung said:

We analysed these claims in detail and found the conclusions to be incorrect for Knox enterprise solutions. We would like to reassure our customers that Knox password and key management is implemented based on the best security practices. The security certifications awarded to Knox devices provide independent validation of Samsung Knox.

However, Samsung revealed that "Knox does save the encryption key required to auto-mount the container's file system in TrustZone."

The company added: "[U]nlike what is implied in the blog, the access to this key is strongly controlled. Only trusted system processes can retrieve it, and Knox Trusted Boot will lock down the container key store in the event of a system compromise." ®
