A damning security critique against Samsung's US government-approved Knox system has been dismissed by the South Korean tech giant.
Earlier this week, Knox was given the green light for use on classified Stateside government networks and data:
https://www.gov.uk/government/publications/end-user-devices-security-guidance-samsung-devices-with-knox/end-user-devices-security-guidance-samsung-devices-with-knox Samsung had became the "first consumer mobile device manufacturer validated to handle the full range of classified information in the US", the company's security unit boasted:
https://www.samsungknox.com/es/blog/samsung-galaxy-devices-knox-platform-approved-us-government-classifed-useDays later, an anonymous, newbie German blogger attempted to spoil Samsung's g-men party with a lengthy critique of the system:
http://mobilesecurityares.blogspot.de/2014/10/why-samsung-knox-isnt-really-fort-knox.htmlKnox, it was alleged, generates weak encryption keys, stores passwords locally and features a "security by obscurity" design full of holes.
The most glaring security mistake, the unidentified blogger claimed, came from the allegation that users logged into a Knox app using a password and PIN that was subsequently written into a "pin.xml" file in cleartext.
Samsung Knox provides a container to separate work and personal environments in order to protect enterprise data and employee privacy. The mobile security technology is integrated into Android.
The uncorroborated criticism of Samsung Knox is particularly concerning given the recent go-ahead to use smartphones and tablets that rely on the technology on US government networks:
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/251480/Government-Security-Classifications-April-2014.pdfThe security certification wing (CESG) of the UK's eavesdropping nerve centre GCHQ only deems Samsung kit to be used for official government business. In other words, not for the processing of anything classified or even sensitive.
But does Samsung's clearance mean that it was permissible to use Knox technologies in "sensitive but unclassified" networks or is it "type 1" certified to handle real secrets?
The Reg asked the NSA's PR team, which pointed us towards a list of "approved components for the commercial solutions for classified program components list" here:
https://www.nsa.gov/ia/programs/csfc_program/component_list.shtml "From this site, for products that have successfully achieved compliance with CNSSP-11 (Committee on National Security Systems Policy No. 11), you can find a link to the Common Criteria Validation Report," the US spooks' spokesman explained.
Under mobile platform on this list the Galaxy S4, Galaxy S5, Galaxy Note 3, Galaxy Note 4, Galaxy Note 10.1 – all running Android 4.4.2 – appear alongside the Boeing Black, which has not completed its validation process. Samsung Galaxy devices are approved under a programme for quickly deploying commercially available technologies.
El Reg first asked Samsung Knox to respond to the criticism on Friday morning, but at time of publication it hadn't got back to us directly.
But the company has since taken to its official Knox blog to dispel the claims:
https://www.samsungknox.com/en/blog/response-blog-post-samsung-knoxSamsung said:
"We analysed these claims in detail and found the conclusions to be incorrect for Knox enterprise solutions. We would like to reassure our customers that Knox password and key management is implemented based on the best security practices. The security certifications awarded to Knox devices provide independent validation of Samsung Knox."However, Samsung revealed that "Knox does save the encryption key required to auto-mount the container's file system in TrustZone."
The company added: "(U)nlike what is implied in the blog, the access to this key is strongly controlled. Only trusted system processes can retrieve it, and Knox Trusted Boot will lock down the container key store in the event of a system compromise."
(ElReg)