In an unusual move, Google and Samsung have released a joint statement claiming that reported flaws in the KNOX mobile security software used in Galaxy S4 Android phones are not really flaws at all. Rather, the vulnerability revealed is a man-in-the-middle (MitM) attack, the companies said. In a technology context, a MitM attack is one in which a malicious party gains access to private communication for the purpose of stealing sensitive information. These attacks can occur at any point in the network, and Samsung and Google assert that this does not necessarily reflect a flaw in either KNOX or Android.
The Flaw That Wasn’t
Ben-Gurion University researcher Mordechai Guri reported in late December that he had discovered a hole in the Samsung enterprise mobile security software KNOX, claiming that he had found a way by which an attacker could bypass protected and encrypted data by installing an app into an unsecured compartment of the mobile device. Google and Samsung counter that Guri’s discovery simply “demonstrated a classic man-in-the-middle (MitM) attack, which is possible at any point on the network to see unencrypted application data. This research did not identify a flaw or bug in Samsung KNOX or Android.”
Furthermore, the joint statement says that while Guri uses “legitimate Android network functions in an unintended way to intercept unencrypted network connection,” no patch is called for, nor will one be forthcoming from either Google or Samsung.
Proper Configuration Can Protect Against MitM Attacks
While KNOX may not be the problem, the weakness still exists, and Android users sending sensitive data over encrypted networks should ensure their devices are properly configured and that their mobile security software is always up to date. Samsung offers three ways to secure devices against MitM attacks, including Mobile Device Management, FIPS 140-2 VPN, and Per-App VPN.
Mobile Device Management is an Android feature designed to ensure that any device containing sensitive data will adhere to an enterprise-specified policy, including a lock on device settings, so that if an attacker attempts to change settings, the Mobile Device Manager can block the attack. KNOX also uses a FIPS 140-2 Level 1 VPN client, a standard that employs cryptographically strong security protocols to protect devices storing or transferring sensitive data. In addition, KNOX employs a Per-App VPN, which only allows traffic from secure applications to be sent through the VPN; the selectivity of this feature gives fine-grained control over device security.
Samsung and Google further assert that the findings from Ben-Gurion University reaffirm the importance of proper device configuration via standard security technologies when sending encrypted data over the Internet.
Will the news of this vulnerability make you think twice about the safety of the KNOX platform?