
Why Samsung Knox Isn't Really a Fort Knox - robin_reala
http://mobilesecurityares.blogspot.com/2014/10/why-samsung-knox-isnt-really-fort-knox.html?m=1
======
hbbio
It's the reason why, like many here, I have never bought a Samsung Android
device (with the exception of the old Galaxy Nexus, which was clear of
Samsung's total software crap).

They tend to provide good hardware features (waterproof, camera, etc.) but
they kill it with bad software. Had a few meetings with them a few years ago,
and got the impression that they thought software is cheap and not worth
improving.

~~~
lucb1e
The software on my Galaxy Note 2 was pretty fine though (this was just over a
year ago). It broke down and I had the motherboard replaced (under warranty);
when it got back it was wiped anyway, so I figured I might as well try
CyanogenMod. Expected a culture shock like when switching from a Windows to a
Linux desktop, but it's really just the same. They ship pretty much stock
Android with a load of crap that you can disable. First boot you just disable
their ChatOn and various Note pen features and you're good to go; it won't
ever bother you and you have a nice Android system. CyanogenMod sucks more
power than the stock Samsung software did...

Re-reading this, my first sentence is "the software [...] was pretty fine",
well, I meant that they didn't mess up Android too badly. Their own software,
I don't know, I'd totally ignore Knox simply because it's closed source and
tries to do security. Now we've seen it fails, but even without that knowledge
I wouldn't have wanted to use it.

~~~
mikestew
> Their own software, I don't know,

I've ranted about this more than enough on HN, so I'll summarize: Samsung's
software is consistently complete shit. I would be truly surprised if during a
security audit Knox turned out to be secure using even the most liberal
definition of "secure".

------
nmjohn
> "The fact that they are persisting the key just for the password hint
> functionality is compromising the security of that product completely."

Ugh. How this gets through the hands of so many talented engineers boggles my
mind. It's easy to just blame the project managers, but at some point don't we
have a responsibility to say no, this is a terrible idea and completely
compromises the premise of the product?

~~~
nine_k
Saying a definite 'no' in Korean culture is often hard (as is saying a
definite 'yes'). Saying a firm 'no' to your boss, which would make him say a
firm 'no' to _his_ boss, is harder still.

/* Include a typical "that's why such things should be open-source" essay
here. */

~~~
PakG1
I attended a session at Simon Fraser University once earlier this year, hosted
by Samsung. Those guys, including a product guy, made it pretty clear that the
development work happened in their Greater Vancouver R&D lab, not in Korea.
So....

~~~
lockes5hadow
Korean culture could be heavily embedded in their Vancouver office.

~~~
milkshakes
It certainly is in their San Jose "research and development center".

------
lazaroclapp
Maybe I am missing something here, but I didn't even know Samsung Knox did
storage encryption. As far as I understand, the use case for this technology
was isolating enterprise apps from user-installed/general apps. Given that, is
there any scenario in which non-Knox apps could read the password from disk
and use that to mess with apps inside the Knox container? If so, then this is
a serious threat to Knox as a technology, if not, it still sounds like a silly
way to implement passwords, but not a deal-breaker (kinda like having a plain-
text /etc/shadow in mode 600 is silly - or a sign of negligence, depending on
your standards regarding defense-in-depth - but not a full attack vector in
and of itself).

I always assumed Knox was something you used in addition to Android's whole-
system encryption, not instead of, but I could be wrong.

~~~
dmix
Apparently the PIN was used with KNOX Personal, not the standard KNOX
enterprise suite:
[https://twitter.com/xuf_/status/525745093064785921](https://twitter.com/xuf_/status/525745093064785921)

------
flebron
It's 2014. How are people still rolling their own, terrible, encryption
schemes?

~~~
woof
It's Samsung, they have been adding crap on top of Android for years...

~~~
joncrocks
It's interesting as they are contributing knox to core android (I think, see
[http://android-developers.blogspot.co.uk/2014/07/knox-contribution-to-android.html](http://android-developers.blogspot.co.uk/2014/07/knox-contribution-to-android.html))

~~~
scott_karana
The API has been "adapted", and the new data separation will be "analogous",
but it appears that it's an adaptation of the current AOSP/Google cryptography
to fit a similar need, _not_ a direct contribution from Samsung.

------
stusmall
Slight correction, Android used to use PBKDF2. They've moved to scrypt
recently. Cool article and good read. Thanks.

------
_ares__
Hi, I'm the author of the Knox article. I responded to the press release from
Samsung and updated my blog article:

As Samsung responded with an official press release regarding my blog article
([https://www.samsungknox.com/en/blog/response-blog-post-samsung-knox](https://www.samsungknox.com/en/blog/response-blog-post-samsung-knox)),
I also want to respond to their press release:

First of all, as I mentioned in the paragraph below, I analysed the
pre-installed Knox Container App, which is known as Knox Personal and shipped
with the Samsung S4 I bought, and not Knox EMM. "Knox EMM is an enterprise
cloud-based management solution for mobile devices which was not part of this
analysis."

I investigated the following versions (mentioned in the name of the apk files
on the device): KNOX_com.sec.knox.app.container_2.0_2.apk,
KNOX_com.sec.knox.containeragent_3.0_30.apk

A lot of comments and posts claimed that I have just investigated an early
developer version. I don't think that version 2.0_2 seems to be an early
developer version?!? Also, Samsung, why are you shipping early developer
versions of a product on customer devices?

I did the analysis about one month ago with a new Samsung S4 and all updates
installed. That doesn't seem to be an early developer version, right? Or did I
buy a fake one ;)?

Samsung mentioned the following in their press release: "Concerning the second
issue, KNOX does save the encryption key required to auto-mount the
container’s file system in TrustZone. However, unlike what is implied in the
blog, the access to this key is strongly controlled. Only trusted system
processes can retrieve it, and KNOX Trusted Boot will lock down the container
key store in the event of a system compromise."

I think Samsung speaks here about their Knox Agent. At the beginning of my
analysis I used geohot's towelroot to gain root access on the Samsung device.
During the analysis the phone wanted to update some "Samsung Security
Policies". After the update the Agent blocked the root access to the phone. So
this agent seems to be working like a usual Anti-Virus tool. It can only
detect attacks if it knows the attack. And as we all know, Anti-Viruses are
useless against unknown attacks :). This is the same for their so called
"TrustZone".

All other points the press release mentioned were just about a Knox 1.0
software, which now was replaced by MyKnox. I don't know what Knox 1.0 is and
how to get it or on which devices this is installed. All I know is, the
version of Knox Container 2.0_2, which was installed on my Samsung S4, is
heavily insecure.

------
djloche
There is a reason why the companies/.gov agencies that need it still go with
Blackberry for security purposes.

~~~
hawleyal
LOL, as if RIM does shit correctly.

~~~
JTon
Nice, great addition to the discussion. Care to share examples of how you know
this?

------
seanp2k2
When I first read "Samsung Knox" in an article merely talking about device
features, I rolled my eyes and thought "there's no way Samsung wrote a solid
piece of security software".

------
Spooky23
Knox is difficult to implement in an enterprise environment anyway -- when we
evaluated MDMs, two vendors flat out said that they were aware of zero
customers actually using it.

The problem is, of course, the security model for Android is a real mess,
especially in BYOD scenarios. These garbage 3rd party solutions are there
because the platform doesn't provide it.

------
sapex
Samsung has a response at
[https://www.samsungknox.com/en/blog/response-blog-post-samsung-knox](https://www.samsungknox.com/en/blog/response-blog-post-samsung-knox).

I was surprised that so many people didn't have the patience to think through the
logic in that original post. Since there is a function used to derive the key
from password, this must be the way Samsung handles the password. This logic
doesn't fly.

------
frankacter
The PIN issue is only in the deprecated KNOX personal. The managed KNOX
(enterprise) doesn't use a PIN.

KNOX Personal was a failed intention to promote KNOX through the end users and
only available in the early KNOX dev.

[https://twitter.com/xuf_/status/525745093064785921](https://twitter.com/xuf_/status/525745093064785921)

------
JTon
> Yes, guess what is written in the pin.xml file? The pin we had to set during
> the setup of Knox in cleartext!

Good lord. That's brutal..

~~~
drdaeman
Not really brutal. It's a PIN code, not a passphrase. Unless those are used
with HSMs (like with bank or SIM cards), their only use is to prevent
immediate access by non-technical adversary, so there's little point in
securing those beyond typical UNIX filesystem permissions (given you're not
supposed to have root access or access the raw block device, huh).

------
gress
Knox is a marketing initiative as much as a technical one.

------
opendais
If you are expecting truly secure phones, you are kidding yourself in the
first place.

Phones are inherently insecure.

[http://boingboing.net/2014/09/01/fake-phone-attacking-cell-tow.html](http://boingboing.net/2014/09/01/fake-phone-attacking-cell-tow.html)

[http://boingboing.net/2013/11/13/your-smartphones-hidden-rad.html](http://boingboing.net/2013/11/13/your-smartphones-hidden-rad.html)

etc.

When you can't even trust the f'n processor running your machine, you are
hosed no matter what you do.

~~~
drdaeman
It's another kind of security Knox is about.

It's security of your device from yourself. The same kind of security idea
that doesn't provide you with root access. The idea is that your company could
be able to provide you with an app, but you won't be able to tinker with it.
The whole point is, if the thing would work as advertised, the company can
consider your device as "secure" and not be afraid of it leaking their data,
while still letting you use it.

Well, the article shows it failed, anyway.

