Samsung Knox for Android Unsafe to Use, Researcher Says

The Samsung Knox login screen on a Galaxy S4 smartphone. Credit: Laptop Magazine.

(Image credit: The Samsung Knox login screen on a Galaxy S4 smartphone. Credit: Laptop Magazine.)

Samsung Knox, a security environment developed for Samsung Android devices, may have some serious problems. So says a mysterious German security researcher who pens a blog under the name "Ares." Samsung denies Ares' findings and insists that Knox is as secure as the fort it's named after.

Designed to help people keep business data secure on personal phones, Samsung Knox creates a secure partition, or storage space. Users can store their business information and any other sensitive data in this storage space. 

But according to Ares, Samsung Knox contains some pretty dire flaws. On his blog, Ares said he looked at Knox Personal, which came preinstalled on a recently purchased Samsung Galaxy S4 and uses Knox version 2.0 — the personal, not enterprise, version of the software.

To access the contents of a phone's Samsung Knox space, a password must be entered. If owners forget their password, they can do a password reset by entering their assigned PINs (personal identification numbers). 

In Knox Personal, Ares said, that PIN is stored on the phone, in unencrypted plaintext written into one of the Knox support apps, and can be accessed without going into the Knox partition.

Once this PIN is entered, Ares wrote, Samsung Knox Personal will display the first and last characters of the phone owner's password, as well as the total number of characters, greatly aiding both legitimate owners and password crackers.

"It is pretty obvious that Samsung Knox is going to store your password somewhere on the device," Ares then surmised.

The password is on the device, and it's encrypted, but Ares deduced that Knox Personal generates its encryption keys in a very predictable way: the keys are based on a hard-coded string of characters stored on the individual device, and on the device's Android ID. (The Android ID, or AID, is generated upon first boot and looks like a random string of digits intermixed with the letters A-F; users can dial "*#*#8255#*#*" to find theirs.)

Most high-quality encryption programs use randomly generated numbers to make encryption keys impossible to predict. Because Samsung Knox apparently doesn't, if attackers were to acquire its preset numbers — and they're not hard to acquire — the attackers could use them to generate the encryption key and decrypt the Samsung Knox storage space.

Responding to Ares in a blog post on its Knox website, Samsung said Knox Personal had been discontinued and that users should upgrade to an app called My Knox. 

Ares then shot back that My Knox is compatible only with the newest Samsung devices, leaving older devices, such as 2013's Samsung Galaxy 4, still used by millions of users locked into two-year service contracts, vulnerable to attack.

Samsung's blog post did not directly refute Ares' claim that Knox Personal's password-recovery PIN was stored in plaintext. It did, however, point out that the enterprise version of Knox does not store PINs on the phones at all. Ares did not examine the enterprise version of Knox.

As for the generation of encryption keys, Samsung said that Knox 1.0 — which Ares did not examine — generated encryption keys from the user password and "a system-generated random number" (a definition that technically fits the Android ID). 

Regarding Knox 2.0, the version Ares tested, Samsung said the software must be secure, because it had been certified by several third-party organizations, including the United States Department of Defense. (The National Security Agency certified several Knox-enabled devices last week.)

In his blog post, Ares suggests that Samsung Knox isn't secure enough, and that Android owners instead use Android's built-in full-encryption feature. (We suggest that all Android users use one of the best Android antivirus apps, and naturally the best antivirus software and best Mac antivirus software for other platforms.)

We have reached out to Samsung for comment and are waiting on a full response.

Jill Scharr is a staff writer for Tom's Guide, where she regularly covers security, 3D printing and video games. You can follow Jill on Twitter @JillScharr and on Google+. Follow us @tomsguide, on Facebook and on Google+.

Jill Scharr is a creative writer and narrative designer in the videogame industry. She's currently Project Lead Writer at the games studio Harebrained Schemes, and has also worked at Bungie. Prior to that she worked as a Staff Writer for Tom's Guide, covering video games, online security, 3D printing and tech innovation among many subjects.