Last month security researchers from Ben-Gurion University Cyber Security Labs claimed to have discovered a vulnerability in Samsung’s KNOX security platform. Samsung has issued a statement regarding the claims, indicating that the issue identified by the Ben-Gurion researchers was really a classic Man in the Middle (MitM) attack and not a bug or flaw in KNOX or Android. Samsung indicates it reached out to the researchers, discussed the issue with them, and confirmed that the identified exploit does exist, but that it “uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device.”
Samsung’s statement says that the exploit could be implemented via a user-installed program, but would be neutralized by encrypting application data before sending it to the Internet, a practice Google encourages through the use of SSL/TLS. If that kind of encryption is not possible, for example because of standards-based compliance requirements, Android’s built-in VPN or any third-party VPN solution that Android supports could be used instead. Either of these measures would prevent an attack based on a user-installed local application. Samsung also pointed out that KNOX provides additional mechanisms to help thwart MitM attacks, including:
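The defence Samsung and Google point to is client-side: an application that verifies the server certificate and hostname over TLS gives a local interceptor only ciphertext, and an interceptor that substitutes its own certificate is rejected. The following Python example, added here and not part of Samsung’s statement or any KNOX or Android code, shows the hardened client configuration next to the “trust anything” configuration that apps sometimes ship with to silence certificate errors, plus a small audit function that flags the weak settings. The policy constant and the finding strings are assumptions for this example.

```python
import ssl
from typing import List

# Minimum TLS version the example policy accepts (an assumption for this
# example, not a Samsung, Google or Android setting).
MIN_TLS = ssl.TLSVersion.TLSv1_2


def hardened_client_context() -> ssl.SSLContext:
    """TLS client context that verifies the server certificate chain against
    the platform trust store and checks the hostname, so a local interceptor
    presenting its own certificate fails the handshake instead of reading
    application data."""
    ctx = ssl.create_default_context()   # CERT_REQUIRED and check_hostname=True
    ctx.minimum_version = MIN_TLS        # refuse legacy protocol versions
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The configuration that silences certificate errors: no chain
    verification, no hostname check, any protocol version. Shown only so the
    audit below has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the list of policy violations for a client context; an empty
    list means the context would reject a certificate-substituting MitM."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.minimum_version < MIN_TLS:
        findings.append("minimum TLS version below " + MIN_TLS.name)
    return findings


if __name__ == "__main__":
    for name, ctx in (("hardened", hardened_client_context()),
                      ("weak", weak_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The audit only inspects configuration; it does not replace testing the application against an actual intercepting proxy, but it catches the three settings whose absence turns an SSL/TLS connection back into something a user-installed program can read.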
1. Mobile Device Management — MDM is a feature, available in the standard Android platform, that ensures a device containing sensitive information is set up correctly according to an enterprise-specified policy. KNOX enhances the platform by adding many additional policy settings, including the ability to lock down security-sensitive device settings. On an MDM-configured device, the MDM agent running on the device would block the attack’s attempts to change these settings, and the exploit would not work.
2. Per-App VPN — The per-app VPN feature of KNOX allows traffic only from a designated and secured application to be sent through the VPN tunnel. This feature can be selectively applied to applications in containers, allowing fine-grained control over the tradeoff between communication overhead and security.
3. FIPS 140-2 — KNOX implements a FIPS 140-2 Level 1 certified VPN client (FIPS 140-2 is a NIST standard for data-in-transit protection) along with NSA Suite B cryptography. The FIPS 140-2 standard applies to all federal agencies that use cryptographically strong security systems to protect sensitive information in computer and telecommunication systems. Many enterprises today deploy this cryptographically strong VPN support to protect against data-in-transit attacks.
Professor Patrick Traynor of the Georgia Institute of Technology summarizes the results of the work by both Ben-Gurion and Samsung: “Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue. Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues.”
source: Samsung KNOX