Researchers at the Ben-Gurion University of the Negev in Israel say they've discovered a major security flaw in the enterprise software of Samsung's best-selling Galaxy S4 smartphone that could enable hackers to intercept emails and record data communications. The Galaxy S4, introduced earlier in 2013, is one of Samsung's latest Android-running smartphones.
According to the university, the alleged flaw was spotted inadvertently by Ph.D. student Mordechai Guri while he was doing other testing on the Galaxy S 4. The vulnerability he discovered allows an attacker who has loaded a compromised application onto the personal part of the Android smartphone to intercept all of the data transferred by the handset, including data believed to be secure: messages, browser use, and transferred files. Multiple handsets were tested and found to be similarly vulnerable.
“To us, Knox symbolizes state-of-the-art in terms of secure mobile architectures and I was surprised to find that such a big ‘hole’ exists and was left untouched,” Guri said Tuesday in a news release issued by the university.
“The Knox has been widely adopted by many organizations and government agencies and this weakness has to be addressed immediately before it falls into the wrong hands,” he said. “We are also contacting Samsung in order to provide them with the full technical details of the breach so it can be fixed immediately.”
Alternatively, the researchers claim, the app, which could be cloaked as a game or other simple application, could even fraudulently inject its own code into the secure data transfer. A Samsung spokesperson, however, claims that the issue is not as serious as the researchers have made it out to be, calling the supposed flaw "equivalent to some well-known attacks."
The Knox software provides high-level encryption, a VPN feature, and a way to segregate personal data from work data. It also lets IT administrators manage a mobile device through specific policies. The reported flaw could be a problem for KNOX, as it is presently undergoing the U.S. Department of Defense (DOD) approval review process.
Around 500 Galaxy S 4 handsets have been purchased by the Defense Information Systems Agency and are undergoing testing, in cooperation with the NSA, to determine their potential safety for use on Pentagon systems. However, a US Department of Defense spokesperson said in response to the reported security flaw that none of the handsets had been deployed and that the phone was still not recommended for Pentagon use.
KNOX is free to download, but corporate users pay a licensing fee. The security system also comes preloaded onto Galaxy Note 3 phones. In October, six months after it was introduced, Samsung announced that it had sold 40 million Galaxy S4 handsets.
Samsung is aware of the flaw and has already patched some holes in the KNOX system, and the company has begun preliminary investigations into the claims made by the Israeli university.