Knox, a secure software architecture developed by Samsung for its Galaxy smartphones, contains a significant software security vulnerability that could allow an attacker to bypass all protections, capture communications and insert hostile code in a network, according to security researchers at Israel's Ben-Gurion University of the Negev. The software, which is being considered for adoption by organizations such as the United States Department of Defense, will likely require a patch and could suffer a blow to its credibility as a secure solution.
A Ph.D. student at BGU, Mordechai Guri, discovered the vulnerability while researching a separate security issue. Knox isolates select data and communications in a secure container, but a user can access all functions and information inside the container by installing a malicious app designed to bypass all security measures on the regular phone.
"To us, Knox symbolizes state-of-the-art in terms of secure mobile architectures and I was surprised to find that such a big 'hole' exists and was left untouched," Guri stated. "The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands."
Speaking to the Wall Street Journal, Samsung said it was investigating the claims but suggested that the attack appeared to be similar to several other well-known attacks and noted that the research appeared to have been conducted on a device that lacked certain software components.
Nonetheless, any flaw in the Knox architecture could impact its reputation as a secure solution. Knox-enabled Samsung phones are currently being tested for use in the Pentagon, and a DOD spokesman told the Wall Street Journal that no new device would be implemented until proven secure. The agency currently uses BlackBerry mobile platforms, but it is working to allow a more comprehensive device policy. For software vendors, the Knox incident is an important reminder of the need to build security into code during the development process. Mobile developers and other programmers can use tools like static analysis software to catch errors that might reduce the likelihood that a program will be adopted by an organization with stringent security demands.
• Read the Enhancing Mobile Development white paper (PDF)
• Watch the webinar, Catch the Security Breach Before It’s Out of Reach
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.