Organizations and government agencies that use Samsung’s flagship Galaxy S4 smartphone are at risk of having their confidential data including emails, file transfers and browser activity breached, according to cyber security researchers at Ben-Gurion University of the Negev (BGU).
The BGU researchers said they discovered the alleged “critical vulnerability” in the Samsung Knox software, an enterprise security solution aimed at enabling business and personal data to safely coexist on the same device. The research comes as the Samsung Knox architecture is undergoing the US Department of Defense approval process.
“To us, Knox symbolizes the state of the art in terms of secure mobile architectures and I was surprised to find that such a big ‘hole’ exists and was left untouched. The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands,” said BGU Ph.D. student Mordechai Guri, who uncovered the vulnerability.
Samsung appeared to downplay the find, telling The Wall Street Journal (WSJ) it “takes all security claims very seriously” and was looking into the allegations. The WSJ reported that a Samsung spokesman said the breach “appeared to have been conducted on a device that wasn’t fully loaded with the extra software a corporate client would use in conjunction with Knox.”
The BGU statement described the Knox architecture as follows: “The Knox architecture features a regular phone environment as well as a secure container that is supposed to add security protection to the phone. All data and communications that take place within the secure container are protected, and even if a malicious application should attack the non-secure part, all the protected data should be inaccessible under all circumstances. However, the newly found breach can be used to bypass all Knox security measures. By simply installing an ‘innocent’ app on the regular phone (in the non-secure container), all communications from the phone can be captured and exposed.”