NSA-Approved Samsung Knox Stores PIN in Cleartext

A research report claims that Samsung’s Knox containers store PIN data in clear text. The report comes shortly after the NSA endorsed Galaxy devices for agency use.

A security researcher has tossed a giant bucket of ice water on Samsung’s thumbs up from the NSA approving use of certain Galaxy devices within the agency.

The NSA’s blessing, given under the agency’s Commercial Solutions for Classified Program, meant that the Samsung Galaxy 4, 5 and Galaxy Note 3 and Note 10.1 2014 Edition cleared a number of security stipulations and could be used to protect classified data.

The agency’s approval was also seen as a solid endorsement for Samsung’s Knox technology, which provides for separate partitions, or containers, on the Android devices in order to keep personal and business data from co-mingling. The containers have their own encrypted file systems as well, keeping secured apps separate from applications outside the container.

An unnamed researcher, however, on Thursday published a lengthy report that claims a PIN chosen by the user during setup of the Knox App is stored in clear text on the device. Specifically, a pin.xml file that the ContainerApp writes to the device during setup contains the unencrypted PIN.

The report goes on to explain that the PIN can be used to retrieve a password hint. If an attacker has access to the phone and can retrieve the PIN, he can use a “Password forgotten?” field to get a password hint that turns out to be the first and last character of the supposedly secret password, together with its exact length.

“So now it is pretty obvious that Samsung Knox is going to store your password somewhere on the device,” the report says, adding that in fact he found the encryption key in a container folder.

Samsung, the report says, buried the manner by which Knox generates the key deep inside a myriad of Java classes and proxies. The report also said that the unique Android ID for each device is used as well to derive the key.

“Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule,” the report says. “In the end it just uses the Android ID together with a hardcoded string and mix them for the encryption key. I would have expected from a product, called Knox, a different approach.”

The researcher points out that the built-in Android encryption uses PBKDF2 (Password-Based Key Derivation Function 2), under which the key is derived from the password when needed and does not persist on the device.

“The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely. For such a product the password should never be stored on the device,” the report says. “There is no need for it, only if you forget your password. But then your data should be lost, otherwise they are not safe if there is some kind of recovery option.”
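To make the researcher’s contrast concrete, here is an added example (not Samsung’s code, and not the actual Knox derivation, which the report does not reproduce here) that derives a key the two ways: from device-resident values plus a hardcoded string, versus PBKDF2 from the user’s password. The hardcoded string, the sample Android ID and the iteration count are all constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in; this is NOT Samsung's string and the real Knox
# derivation is not reproduced here.
HARDCODED_STRING = b"example-hardcoded-string"


def device_bound_key(android_id: str) -> bytes:
    """Hypothetical 'device-bound' derivation in the style the report
    describes: the key depends only on values present on the device,
    so no secret known only to the user is involved."""
    return hashlib.sha256(android_id.encode() + HARDCODED_STRING).digest()


def password_derived_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256, the approach the researcher contrasts with Knox:
    the key is recomputed from the password at unlock time and never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def recoverable_without_password(android_id: str, stored_key: bytes) -> bool:
    """Anyone who can read the device's Android ID can recompute the
    device-bound key; a match means the user's password protected nothing."""
    return hmac.compare_digest(device_bound_key(android_id), stored_key)


def demo() -> dict:
    """Compare both schemes on constructed inputs and report the outcome."""
    android_id = "0123456789abcdef"  # constructed sample, not a real device ID
    salt = os.urandom(16)            # per-device random salt for PBKDF2
    stored = device_bound_key(android_id)  # what a persisted key amounts to
    k_good = password_derived_key("correct horse battery", salt)
    k_bad = password_derived_key("wrong guess", salt)
    return {
        # True: the key is recovered with no knowledge of the password.
        "device_key_recovered": recoverable_without_password(android_id, stored),
        # False: without the right password there is no usable key to find.
        "pbkdf2_wrong_password_matches": hmac.compare_digest(k_good, k_bad),
    }


if __name__ == "__main__":
    print(demo())
```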

Discussion

  • Matt J. on

    Pathetic. Truly pathetic. The NSA should have known to insist on a more obscure backdoor than that:(
  • gary on

    NSA can't access iPhone? Sounds like a joke. I know someone who is on NSA bad list because of opposition of wars (yes, if you oppose wars, NSA defines you as a terrorist). His iPhone apps are missing, contacts get deleted themselves, wifi never works, mobile connection is disabled, phone turns on and off remotely. Of course, he tried changing his iPhone and Google Android, both got hacked and made useless courtesy of the NSA. Let us not forget NSA ability to turn on his laptop from turned off state and play an audio file. Sounds crazy? But no, it is happening to people who oppose NSA or wars in any way. All this hacking happened last week so don't tell me Apple or Google stopped NSA. At end let us remember cases where NSA unlawfully interfered in American court cases of divorces, child custody, immigration matters to punish anti-war activists and has literally destroyed American family units in the name of national security. No wonder Snowden got so fed up watching these abuses.
  • Tariq AlBetairi on

    An unnamed researcher!!.>.. HUUMMM.. How far is he from Apple ??!!!
    • Nick on

      Does it really matter if the unnamed researcher works for Apple as long as the information checks out?
  • Brian on

    No, it just means that they store enough information for the hint.