Researchers discover vulnerability in Samsung’s Knox BYOD software

A security vulnerability within the Knox software used by the Samsung Galaxy S4 and the Note 3 could allow a malicious app to “listen in” on data transferred within the secured environment, researchers warned.

On Jan. 9, Samsung dismissed the findings as a “man in the middle attack”.

The vulnerability was reported Tuesday by The Wall Street Journal, based on a report by Israel’s Ben-Gurion University of the Negev. Samsung officials told the Journal that the vulnerability was found in developer phones that weren’t “fully loaded with the extra software that a corporate client would use in conjunction with Knox,” the paper reported. So far, the Knox vulnerability has only been discovered on the Galaxy S4.

Like third-party apps such as NitroDesk’s TouchDown HD, Knox was developed with an eye for the so-called “BYOD” movement, where personal smartphones and other devices are allowed onto corporate networks. The problem is that those same corporate network administrators want to ensure that sensitive corporate data—which can include email, contacts, and calendar information—doesn’t wander outside the corporate firewall, intentionally or not.

Samsung’s Knox creates an encrypted, virtualized space within the smartphone, so that apps such as email, phone, contacts, and others can be loaded securely. Data can be prevented, by policy, from being moved outside of Knox.

The problem that BYOD introduced was that businesses that use Microsoft Exchange to manage email can typically request that a lost or stolen phone be remotely “wiped,” or cleansed of all data; the same holds true for an employee who leaves the company. Without the secure container, the entire phone would be erased—including the employee’s music, personal contacts, photos, and other data. Knox, which is specific to Samsung, restricts the wipe to the corporate data alone, preserving what belongs to the employee.

The vulnerability that the researchers found allowed corporate data to leak through the Knox secure container, the researchers reported. They also suggested that code could be injected from outside the container into it and run wild on the corporate network.

Samsung, however, said that its research found that the attack was a man-in-the-middle attack. “After discussing the research with the original researchers, Samsung has verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device,” the company said in a statement.

Separating corporate data from personal data has been one of the selling points of the BlackBerry 10 OS. Per-app VPN technology has also been built into Apple’s iOS 7, which has its own secure workspace apps, including Divide (which is also available for Android, at $5 per user per month). TouchDown for Android costs a flat fee of $20.

Updated on Jan. 9 with a statement from Samsung.