[Cryptography] Samsung Knox
Jerry Leichter
leichter at lrw.com
Thu Oct 23 21:06:50 EDT 2014
Proving again that (a) most companies have no clue how to do security; (b) most government agencies have no clue how to audit it; we have two related bits of news:
1. Two days ago, Samsung proudly announced that "Samsung Galaxy Devices based on KNOX platform are the First Consumer Mobile Devices NIAP-Validated and Approved for U.S. Government Classified Use" - http://global.samsungtomorrow.com/?p=43522
2. And this was followed by:
http://mobilesecurityares.blogspot.co.uk/2014/10/why-samsung-knox-isnt-really-fort-knox.html?m=1
which completely demolishes Knox security. (The user's password is encrypted using a key derived from a fixed constant and a device serial number available to any app on the device.)
I would laugh if I weren't crying....
-- Jerry