Samsung’s KNOX security system on the Galaxy S 4 has a significant security hole that could allow data believed secure to be intercepted, including messages, browser use, and files transferred, researchers claim, though the South Korean company denies the seriousness of the supposed flaw. KNOX, which Samsung launched at Mobile World Congress earlier this year, is the company’s attempt to take on BlackBerry in the enterprise, creating secure partitions on the phone for business and personal use. However, researchers at the Ben-Gurion University of the Negev claim to have discovered a flaw in KNOX that allows data to be easily intercepted, despite supposedly being protected by the system.
According to the university, the issue was inadvertently spotted by Ph.D. student Mordechai Guri while doing other testing on the Galaxy S 4. He found that by loading a special, compromised app on the non-secure, “personal” part of the Android smartphone, all of the data transferred by the handset – including what was used by the “secure” part – could be monitored.
Alternatively, the app – which could be disguised as a game or other simple application – could even surreptitiously inject its own code into the secure data transfer, the researchers say.
According to Guri, the fault has been replicated on several Galaxy S 4 handsets purchased through retail stores. KNOX, released earlier this year, can be downloaded to the phone; it comes preloaded on the Galaxy Note 3. Although it carries no cost for users to download, corporations must pay a licensing fee for the various server-side components of the system.
Meanwhile, Samsung maintains that its preliminary inquiries suggest the issue is not as serious as the university researchers claim. Although conceding that a loophole exists, in a comment to the WSJ, a Samsung spokesperson argued that the original testing looked to have been done on a device not equipped with the typical security measures.
A typical enterprise user would have other software on the Galaxy S 4 which the lab team did not load, Samsung claimed, and with that in place “the core Knox architecture cannot be compromised or infiltrated by such malware,” the spokesperson concluded.
Around 500 Galaxy S 4 handsets have been bought by the Defense Information Systems Agency and are undergoing testing, in collaboration with the NSA, to ascertain their potential safety for use on Pentagon systems. However, in response to the reported flaw, a US Department of Defense spokesperson said that none of the handsets had been deployed and that the phone was still not approved for Pentagon use.
Samsung has already patched some holes in the KNOX system, releasing security updates as it identifies issues. The company is continuing to look into the claims made by the Israeli university.