In late December 2013, researchers from the Ben-Gurion University (BGU) of the Negev in Israel reported identifying a vulnerability in Samsung’s Knox security platform that could be leveraged to intercept communications. Samsung has issued a response on the matter after consultations with Google.Samsung says the researchers haven’t actually identified a vulnerability in Knox or Android. Instead, their exploit uses “legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device.”
The company reveals that the security experts have simply demonstrated a classic Man-in-the-Middle (MitM) attack that can be easily mitigated.
“The research specifically showed this is also possible via a user-installed program, reaffirming the importance of encrypting application data before sending it to the Internet. Android development practices encourage that this be done by each application using SSL/TLS,” Samsung noted.
The company added, “Where that's not possible (for example, to support standards-based unencrypted protocols, such as HTTP), Android provides built-in VPN and support for third-party VPN solutions to protect data.”
In addition to the Android protection, Knox itself also offers mechanisms to protect communications against MitM attacks.
For instance, the Mobile Device Management (MDM) feature ensures that a device’s security settings are locked down. The per-app VPN feature is designed to check traffic and make sure that only the one from a designated and secured app is sent through the VPN tunnel.
Furthermore, Knox uses a FIPS 140-2 Level 1 certified VPN client. FIPS 140-2 is used not only by numerous enterprises, but also by government agencies.
All of these systems are capable of mitigating an attack such as the one presented by BGU researchers.
Samsung advises security researchers who find vulnerabilities in Knox to report them at help (at) samsungknox (dot) com.