Last month it was reported that cybersecurity researchers have discovered a serious security vulnerability in the Galaxy S4 and other devices that run Samsung’s Knox security software. The researchers at Israel’s Ben-Gurion University of the Negev said that this security hole could allow a malicious hacker to intercept data sent to and from Samsung phones like the Galaxy S4, including emails and other potentially sensitive data. Samsung at that time said they were investigating the vulnerability. Now company has responded to those claims.

Samsung posted on its Knox blog:

Recently, there have been reports that security researchers from Ben-Gurion University Cyber Security Labs found a vulnerability on a Samsung Galaxy S4 device with the KNOX security platform.

After discussing the research with the original researchers, Samsung has verified that the exploit uses legitimate Android network functions in an unintended way to intercept unencrypted network connections from/to applications on the mobile device. This research did not identify a flaw or bug in Samsung KNOX or Android; it demonstrated a classic Man in the Middle (MitM) attack, which is possible at any point on the network to see unencrypted application data. The research specifically showed this is also possible via a user-installed program, reaffirming the importance of encrypting application data before sending it to the Internet. Android development practices encourage that this be done by each application using SSL/TLS. Where that’s not possible (for example, to support standards-based unencrypted protocols, such as HTTP), Android provides built-in VPN and support for third-party VPN solutions to protect data. Use of either of those standard security technologies would have prevented an attack based on a user-installed local application.

KNOX offers additional protections against MitM attacks. Below is a more detailed description of the mechanisms that can be configured on Samsung KNOX devices to protect against them:

1. Mobile Device Management — MDM is a feature that ensures that a device containing sensitive information is set up correctly according to an enterprise-specified policy and is available in the standard Android platform. KNOX enhances the platform by adding many additional policy settings, including the ability to lock down security-sensitive device settings. With an MDM configured device, when the attack tries to change these settings, the MDM agent running on the device would have blocked them. In that case, the exploit would not have worked.

2. Per-App VPN — The per-app VPN feature of KNOX allows traffic only from a designated and secured application to be sent through the VPN tunnel. This feature can be selectively applied to applications in containers, allowing fine-grained control over the tradeoff between communication overhead and security.

3. FIPS 140-2 — KNOX implements a FIPS 140-2 Level 1 certified VPN client, a NIST standard for data-in-transit protection along with NSA suite B cryptography. The FIPS 140-2 standard applies to all federal agencies that use cryptographically strong security systems to protect sensitive information in computer and telecommunication systems. Many enterprises today deploy this cryptographically strong VPN support to protect against data-in-transit attacks.


Samsung said there is no bug in the Knox software, but a classic Men in the Middle attack, possible due to user’s omission while configuring the Knox security feature.

Samsung went on to offer three specific measures IT professionals can take in order to ensure that their firms’ data is protected from Man in the Middle attacks like the one described by the researchers at Ben-Gurion University.