A security researcher has tossed a giant bucket of ice water on Samsung’s thumbs up from the NSA approving use of certain Galaxy devices within in the agency.
The NSA’s blessing, given under the agency’s Commercial Solutions for Classified Program, meant that the Samsung Galaxy 4, 5 and Galaxy Note 3 and note 10.1 2014 Edition cleared a number of security stipulations and could be used to protect classified data.
The agency’s approval was also seen as a solid endorsement for Samsung’s Knox technology, which provides for separate partitions, or containers, on the Android devices in order to keep personal and business data from co-mingling. The containers have their own encrypted file systems as well, keeping secured apps separate from applications outside the container.
An unnamed researcher, however, on Thursday published a lengthy report that claims a PIN chosen by the user during setup of the Knox App is stored in clear text on the device. Specifically, a pin.xml file stored in the ContainerApp stored on the device during setup contains the unencrypted PIN number.
The report goes on to explain that the PIN can be used to retrieve a password hint. If an attacker has access to the phone and can retrieve the PIN, he can use a “Password forgotten?” field to get a password hint that turns out to be the first and last character of the supposed secret code, in addition to the exact length of the password.
“So now it is pretty obvious that Samsung Knox is going to store your password somewhere on the device,” the report says, adding that in fact he found the encryption key in a container folder.
Samsung, the report says, buried the manner by which Knox generates the key deep inside a myriad of Java classes and proxies. The report also said that the unique Android ID for each device is used as well to derive the key.
“Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule,” the report says. “In the end it just uses the Android ID together with a hardcoded string and mix them for the encryption key. I would have expected from a product, called Knox, a different approach.”
The researcher points out that the built-in Android encryption uses Password-Based Key Derivation Function (PBKDF2) which does not persist on the device.
“The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely. For such a product the password should never be stored on the device,” the report says. “There is no need for it, only if you forget your password. But then your data should be lost, otherwise they are not safe if there is some kind of recovery option.”