Monday, 27 October 2014

Knox is broken

Update: I’m told that the UK government has accredited Knox as a security product. Haven’t time to check whether that’s true, but it’s from a source that ought to know.

Samsung's Knox security layer for Android generates weak encryption keys, stores passwords locally and gives users login hints in a fatal "security by obscurity" design "compromising the security of the product completely," a researcher has detailed.

It says here

The US government ordered lots of Samsung devices using Knox and the CEO said this “proves the unmatched security of Samsung Galaxy devices supported by the KNOX platform."

Knox uses the PIN solely to unlock the password hint, which is shown if you forget your password. Both the PIN and the password hint are stored in plaintext on the device, and the hint consists of some of the letters of your password together with its length!
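As an added illustration (not part of the original post, and not the researcher's own code), the following Python shows why a hint that leaks the password's length and a few of its characters is fatal: it computes how much of the search space is left once the hint is read off the device, then enumerates that space against a stand-in password check. The post says only that some letters and the length are exposed; the lowercase alphabet, the hint format, and the choice of first and last characters as the leaked letters are assumptions made here for the example.

```python
import itertools
import string

# Constructed example: a lowercase-only alphabet keeps the enumeration small.
ALPHABET = string.ascii_lowercase


def keyspace_without_hint(alphabet_size, max_len):
    """Number of passwords of length 1..max_len an attacker must consider
    when nothing about the password is known."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


def keyspace_with_hint(alphabet_size, length, known_positions):
    """Number of passwords left once the hint reveals the exact length and
    the characters at known_positions (only the gaps remain to guess)."""
    return alphabet_size ** (length - len(known_positions))


def candidates(hint, alphabet=ALPHABET):
    """Yield every password consistent with a hint of the form
    {"length": n, "chars": {position: character, ...}}.
    This hint format is an assumption for the example, not Knox's own."""
    length = hint["length"]
    known = hint["chars"]
    gaps = [i for i in range(length) if i not in known]
    template = [known.get(i) for i in range(length)]
    for fill in itertools.product(alphabet, repeat=len(gaps)):
        pw = template[:]
        for pos, ch in zip(gaps, fill):
            pw[pos] = ch
        yield "".join(pw)


def recover(hint, check, alphabet=ALPHABET):
    """Try candidates against check() until one is accepted.
    Returns (password, attempts), or (None, attempts) if none matched."""
    attempts = 0
    for cand in candidates(hint, alphabet):
        attempts += 1
        if check(cand):
            return cand, attempts
    return None, attempts


def make_hint(password, reveal_first_last=True):
    """Build a hint that, as assumed here, leaks the length plus the first
    and last characters of the password."""
    chars = {}
    if reveal_first_last:
        chars[0] = password[0]
        chars[len(password) - 1] = password[-1]
    return {"length": len(password), "chars": chars}


if __name__ == "__main__":
    secret = "secret"  # constructed sample password
    hint = make_hint(secret)
    # Stand-in for the device's password check; an attacker who has read the
    # plaintext hint would drive the real check (or an offline copy) instead.
    found, tries = recover(hint, lambda guess: guess == secret)
    print("hint:", hint)
    print("keyspace without hint (length <= 8):", keyspace_without_hint(26, 8))
    print("keyspace with hint:", keyspace_with_hint(26, 6, hint["chars"]))
    print("recovered:", found, "after", tries, "guesses")
```

With a six-character lowercase password the hint collapses the search from every password of up to eight characters (over 200 billion) to 26^4, under half a million guesses, and the enumeration finds the sample password in a fraction of a second. Against a real alphabet the ratio is the same: each leaked character removes one full factor of the alphabet size, and the leaked length removes every other length outright.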

See the (quite long) article for details. 

