10/26/2014

the fort Knox phone by Samsung can be broken says securityresearcher

Samsung launched a Fort Knox hypersecure phone approved by NSA but its security is according to securityresearchers still lacking some fundamental features (full encryption) and makes some other mistakes. Some may think this is unfortunate while others may suppose it is deliberate.

"Samsung really tried to hide the functionality to generate the key, following the security by obscurity rule. In the end it just uses the Android ID together with a hardcoded string and mix them for the encryption key. I would have expected from a product, called Knox, a different approach:

  • The fact that they are persisting the key just for the password hint functionality is compromising the security of that product completely. For such a product the password should never be stored on the device. There is no need for it, only if you forget your password. But then your data should be lost, otherwise they are not safe if there is some kind of recovery option.
Recommendation:
Instead of Samsung Knox, use the built-in Android encrpytion function and encrypt the whole device. Android is using a PBKDF2 function from the encryption password you choose and never persists it on the device. Obviously you can never access the data if you forget your password, but that's the point of a good encryption.

http://mobilesecurityares.blogspot.co.uk/2014/10/why-sams...

Permalink | |  Print |  Facebook | | | | Pin it! |

The comments are closed.