Refutation on Vulnerability

Ben Gurion University of Israel claims it detected security vulnerabilities in Samsung’s KNOX.

Samsung Electronics made an official objection to the research results of the Ben Gurion University of Israel. The latter’s cyber security research institute claimed that it detected security vulnerabilities in KNOX, which is a smartphone security solution of Samsung. 

Specifically, the institute announced late last month that KNOX as installed on the Galaxy S4, Galaxy Note 3, and similar devices is vulnerable to data theft. The announcement was carried by the Wall Street Journal and some other media outlets.

Samsung Electronics posted a reply on January 12 on the KNOX official blog, saying, “The research result means that unencrypted network connections can be intercepted between mobile devices and an application in a case when a fair Android network function is misappropriated.” It added, “It did not point out any defect on the part of the Android operating system or KNOX.”

The mock attack implemented by the university is a man-in-the-middle (MitM) attack, in which a middleman intrudes between two connected endpoints to observe the communications moving between them. What the institute proved is that a MitM attack can be carried out even in applications installed by the users themselves.

“The result just reconfirms the importance of the encryption of application data ahead of the transmission of the data on the Internet,” Samsung Electronics said. “As such, it has nothing to do with a weak point of the Android OS or KNOX.” 

It also explained that the Android OS itself supports security solutions such as SSL/TLS and built-in VPNs. In addition, KNOX provides protection measures against MitM attacks, including Mobile Device Management (MDM) and Per-App VPN. The former is used to configure the handling of sensitive data on devices according to corporate policy and to block them in the event of an attack. The latter allows only pre-designated applications to transmit data via virtual private networks. KNOX also uses FIPS 140-2 encryption, which is a standard of the National Institute of Standards and Technology (NIST).

Copyright © BusinessKorea. Prohibited from unauthorized reproduction and redistribution