Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42869
  • Total Topics: 16078
  • Online Today: 3828
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: Samsung - 1st mobile device manufacturer validated by the US gov. ?!  (Read 9646 times)

0 Members and 2 Guests are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum


A damning security critique against Samsung's US government-approved Knox system has been dismissed by the South Korean tech giant.

Earlier this week, Knox was given the green light for use on classified Stateside government networks and data: https://www.gov.uk/government/publications/end-user-devices-security-guidance-samsung-devices-with-knox/end-user-devices-security-guidance-samsung-devices-with-knox

Samsung had became the "first consumer mobile device manufacturer validated to handle the full range of classified information in the US", the company's security unit boasted: https://www.samsungknox.com/es/blog/samsung-galaxy-devices-knox-platform-approved-us-government-classifed-use

Days later, an anonymous, newbie German blogger attempted to spoil Samsung's g-men party with a lengthy critique of the system: http://mobilesecurityares.blogspot.de/2014/10/why-samsung-knox-isnt-really-fort-knox.html

Knox, it was alleged, generates weak encryption keys, stores passwords locally and features a "security by obscurity" design full of holes.

The most glaring security mistake, the unidentified blogger claimed, came from the allegation that users logged into a Knox app using a password and PIN that was subsequently written into a "pin.xml" file in cleartext.

Samsung Knox provides a container to separate work and personal environments in order to protect enterprise data and employee privacy. The mobile security technology is integrated into Android.

The uncorroborated criticism of Samsung Knox is particularly concerning given the recent go-ahead to use smartphones and tablets that rely on the technology on US government networks: https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdf

The security certification wing (CESG) of the UK's eavesdropping nerve centre GCHQ only deems Samsung kit to be used for official government business. In other words, not for the processing of anything classified or even sensitive.

But does Samsung's clearance mean that it was permissible to use Knox technologies in ‪"sensitive but unclassified" ‬networks or is ‪it "type 1" certified to handle real secrets‬?

The Reg asked the NSA's PR team, which pointed us towards a list of "approved components for the commercial solutions for classified program components list" here: https://www.nsa.gov/ia/programs/csfc_program/component_list.shtml
"From this site, for products that have successfully achieved compliance with CNSSP-11 (Committee on National Security Systems Policy No. 11), you can find a link to the Common Criteria Validation Report," the US spooks' spokesman explained.

Under mobile platform on this list the Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy Note 4, Galaxy Note 10.1 – all running Android 4.4.2 – appear alongside the Boeing Black, which has not completed its validation process. Samsung Galaxy devices are approved under a programme for quickly deploying commercially available technologies.

El Reg first asked Samsung Knox to respond to the criticism on Friday morning, but at time of publication it hadn't got back to us directly.

But the company has since taken to its official Knox blog to dispel the claims: https://www.samsungknox.com/en/blog/response-blog-post-samsung-knox

Samsung said:

"We analysed these claims in detail and found the conclusions to be incorrect for Knox enterprise solutions. We would like to reassure our customers that Knox password and key management is implemented based on the best security practices. The security certifications awarded to Knox devices provide independent validation of Samsung Knox."

However, Samsung revealed that "Knox does save the encryption key required to auto-mount the container's file system in TrustZone."

The company added: "(U)nlike what is implied in the blog, the access to this key is strongly controlled. Only trusted system processes can retrieve it, and Knox Trusted Boot will lock down the container key store in the event of a system compromise."

(ElReg)

Samker's Computer Forum - SCforum.info


devnullius

  • SCF VIP Member
  • *****
  • Posts: 3614
  • KARMA: 157
  • Gender: Female
    • SCForum.info
Everything man-made can be broken by man :)
More information about bitcoin, altcoin & crypto in general? GO TO  j.gs/7385484/btc

Cuisvis hominis est errare, nullius nisi insipientis in errore persevare... So why not get the real SCForum employees to help YOUR troubled computer!!! SCF Remote PC Assist http://goo.gl/n1ONa9

Samker's Computer Forum - SCforum.info


 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising