Late last month, cybersecurity researchers at Israel’s Ben-Gurion University of the Negev released a report claiming to have discovered a serious security vulnerability in the Galaxy S4 and other devices that run Samsung’s Knox security software. The researchers said that this security hole could allow a malicious hacker to intercept data sent to and from Samsung phones like the Galaxy S4, including emails and other potentially sensitive data. Samsung said immediately that it was investigating the supposed vulnerability, and now the smartphone maker has issued a public response to the Ben-Gurion University researchers’ claims.
“After discussing the research with the original researchers, Samsung has verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device,” Samsung said in a statement posted on its Knox website. “This research did not identify a flaw or bug in Samsung KNOX or Android; it demonstrated a classic Man in the Middle (MitM) attack, which is possible at any point on the network to see unencrypted application data.”
The statement continued, “The research specifically showed this is also possible via a user-installed program, reaffirming the importance of encrypting application data before sending it to the Internet. Android development practices encourage that this be done by each application using SSL/TLS. Where that’s not possible (for example, to support standards-based unencrypted protocols, such as HTTP), Android provides built-in VPN and support for third-party VPN solutions to protect data. Use of either of those standard security technologies would have prevented an attack based on a user-installed local application.”
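One way an app developer can act on the "encrypt application data before sending it to the Internet" advice in the statement above is Android's Network Security Configuration, which makes the platform refuse plaintext HTTP for the app and restricts which certificate authorities it trusts. This is an added example, not code from the original article or from Samsung; it assumes an app on Android 7.0 (API 24) or later, where this feature exists (the Galaxy S4-era releases discussed here predate it), and `example.com` and the pin values are placeholders.

```xml
<?xml version="1.0" encoding="utf-8"?>
<!-- res/xml/network_security_config.xml (added example, not from the article).
     cleartextTrafficPermitted="false" makes every HTTP (non-TLS) request from
     this app fail at the platform level, so a user-installed local proxy or
     any other man-in-the-middle never sees readable application data. -->
<network-security-config>
    <base-config cleartextTrafficPermitted="false">
        <trust-anchors>
            <!-- Trust only the system CA store, not user-installed CAs, so a
                 certificate added to the device cannot silently intercept TLS. -->
            <certificates src="system" />
        </trust-anchors>
    </base-config>
    <!-- Optional hardening for the app's own backend: pin the server's
         SubjectPublicKeyInfo hash. Include a backup pin so a key rotation
         does not lock the app out. Both hashes below are placeholders. -->
    <domain-config>
        <domain includeSubdomains="true">example.com</domain>
        <pin-set expiration="2030-01-01">
            <pin digest="SHA-256">PLACEHOLDER_BASE64_SPKI_SHA256_HASH=</pin>
            <pin digest="SHA-256">PLACEHOLDER_BASE64_BACKUP_PIN_HASH=</pin>
        </pin-set>
    </domain-config>
</network-security-config>
```

The file is activated by referencing it from the manifest, `<application android:networkSecurityConfig="@xml/network_security_config" ...>`; a quick check that it is in force is that any `http://` request from the app now throws an exception instead of connecting.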
Samsung went on to offer three specific measures IT professionals can take in order to ensure that their firms’ data is protected from Man in the Middle attacks like the one described by the researchers at Ben-Gurion University. The company also offered a comment from a third-party security expert, who agreed with Samsung’s assessment.
“Proper configuration of mechanisms available within KNOX appears to be able to address the previously published issue,” said mobile security expert Patrick Traynor, a professor at the Georgia Institute of Technology. “Samsung should strongly encourage all of their users to take advantage of those mechanisms to avoid this and other common security issues.”