Samsung Knox, a security environment developed for Samsung Android devices, may have some serious problems. So says a mysterious German security researcher who pens a blog under the name "Ares." Samsung denies Ares' findings and insists that Knox is as secure as the fort it's named after.
Designed to help people keep business data secure on personal phones, Samsung Knox creates a secure partition, or storage space. Users can store their business information and any other sensitive data in this storage space.
But according to Ares, Samsung Knox contains some pretty dire flaws. On his blog, Ares said he looked at Knox Personal, which came preinstalled on a recently purchased Samsung Galaxy S4 and uses Knox version 2.0 — the personal, not enterprise, version of the software.
To access the contents of a phone's Samsung Knox space, a password must be entered. If owners forget their password, they can do a password reset by entering their assigned PINs (personal identification numbers). In Knox Personal, Ares said, that PIN is stored on the phone, in unencrypted plaintext written into one of the Knox support apps, and can be accessed without going into the Knox partition.
Once this PIN is entered, Ares wrote, Samsung Knox Personal will display the first and last characters of the phone owner's password, as well as the total number of characters, greatly aiding both legitimate owners and password crackers.
"It is pretty obvious that Samsung Knox is going to store your password somewhere on the device," Ares then surmised.
The password is on the device, and it's encrypted, but Ares deduced that Knox Personal generates its encryption keys in a very predictable way: the keys are based on a hard-coded string of characters stored on the individual device and on the device's Android ID. (The Android ID, or AID, is generated on first boot and looks like a random string of hexadecimal characters, digits intermixed with the letters A-F; users can dial "*#*#8255#*#*" to find theirs.)
Most high-quality encryption programs derive their keys from randomly generated values, so the keys cannot be predicted. Because Samsung Knox apparently doesn't, attackers who acquired its preset inputs — and they're not hard to acquire — could use them to regenerate the encryption key and decrypt the Samsung Knox storage space.
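To make the key-derivation point concrete, here is an added Python illustration (not code from the article, from Ares or from Samsung): a key derived only from a hard-coded constant plus the Android ID, beside one derived from the user's password and a random salt. The constant, the Android ID value and the way the two are combined are all assumptions for the demo; the article does not state how Knox Personal mixes them.

```python
import hashlib
import os

# Constructed stand-ins for the two device-resident inputs the article names.
# Neither is a real Knox value; both are invented for this illustration.
HARDCODED_STRING = "example-app-constant-not-knox"
ANDROID_ID = "3a7f1c9e2b4d6a80"  # constructed; a real AID is a hex string too


def predictable_key(hardcoded: str, android_id: str) -> bytes:
    """Key built only from values that sit readable on the device.

    The combination (SHA-256 over the concatenation) is an assumption for
    the demo. Anyone who reads the same two values recomputes the identical
    key, so the key is exactly as secret as the Android ID, i.e. not secret.
    """
    return hashlib.sha256((hardcoded + android_id).encode()).digest()


def salted_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Key derived from the user's password plus a random per-device salt.

    PBKDF2-HMAC-SHA256 stands in for the 'randomly generated numbers'
    approach the article contrasts Knox with: the salt may be stored on
    the device, but without the password it does not yield the key.
    """
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def new_salt() -> bytes:
    """Fresh 16-byte salt from the OS CSPRNG, generated once per device."""
    return os.urandom(16)


def observer_recovers_key(hardcoded: str, android_id: str, device_key: bytes) -> bool:
    """Model an observer who has only read the two on-device inputs and
    checks whether recomputing from them reproduces the device's key."""
    return predictable_key(hardcoded, android_id) == device_key


if __name__ == "__main__":
    dev_key = predictable_key(HARDCODED_STRING, ANDROID_ID)
    print("predictable scheme reproduced from device data:",
          observer_recovers_key(HARDCODED_STRING, ANDROID_ID, dev_key))  # True
    k1 = salted_key("correct-horse", new_salt())
    k2 = salted_key("correct-horse", new_salt())
    print("salted scheme, same password on two devices, same key:", k1 == k2)  # False
```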
Responding to Ares in a blog post on its Knox website, Samsung said Knox Personal had been discontinued and that users should upgrade to an app called My Knox. Ares shot back that My Knox is compatible only with the newest Samsung devices, leaving older devices, such as 2013's Samsung Galaxy S4, still used by millions of people locked into two-year service contracts, vulnerable to attack.
Samsung's blog post did not directly refute Ares' claim that Knox Personal's password-recovery PIN was stored in plaintext. It did, however, point out that the enterprise version of Knox does not store PINs on the phones at all. Ares did not examine the enterprise version of Knox.
As for the generation of encryption keys, Samsung said that Knox 1.0 — which Ares did not examine — generated encryption keys from the user password and "a system-generated random number" (a definition that technically fits the Android ID). Regarding Knox 2.0, the version Ares tested, Samsung said the software must be secure, because it had been certified by several third-party organizations, including the United States Department of Defense. (The National Security Agency certified several Knox-enabled devices last week.)
In his blog post, Ares suggests that Samsung Knox isn't secure enough and that Android owners should instead use Android's built-in full-disk encryption feature.
We have reached out to Samsung for comment and are waiting on a full response.