[Cryptography] Samsung Knox

Jerry Leichter leichter at lrw.com
Thu Oct 23 21:06:50 EDT 2014


Proving again that (a) most companies have no clue how to do security; (b) most government agencies have no clue how to audit it; we have two related bits of news:

1.  Two days ago, Samsung proudly announced that "Samsung Galaxy Devices based on KNOX platform are the First Consumer Mobile Devices NIAP-Validated and Approved for U.S. Government Classified Use" - http://global.samsungtomorrow.com/?p=43522

2.  And this was followed by:
http://mobilesecurityares.blogspot.co.uk/2014/10/why-samsung-knox-isnt-really-fort-knox.html?m=1
which completely demolishes Knox security.  (The user's password is encrypted using a key derived from a fixed constant and a device serial number available to any app on the device.)

I would laugh if I weren't crying....
                                                        -- Jerry
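
The design flaw described in the parenthetical above, as an added example that is not part of the original post and is not Samsung's code: a key derived only from a fixed constant and a device serial number can be re-derived by any code that can read those two values, while a key derived from a user-supplied secret cannot. The constant, the serial, the use of SHA-256 and PBKDF2, and the stdlib-only stand-in cipher are all assumptions made for illustration.

```python
import hashlib
import hmac
import os

FIXED_CONSTANT = b"constructed-constant"  # constructed placeholder, not a real value

def key_from_public_inputs(serial: str) -> bytes:
    # Weak pattern: every input is readable by any code on the device.
    return hashlib.sha256(FIXED_CONSTANT + serial.encode()).digest()

def key_from_user_secret(secret: str, salt: bytes) -> bytes:
    # Hardened pattern: the key depends on something only the user supplies.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in keystream (HMAC-SHA256 in counter mode) so the example is stdlib-only.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    # Encrypt, then append an HMAC tag so a wrong key is detected on unseal.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong key or tampered blob
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

if __name__ == "__main__":
    serial, password = "SERIAL-0000-CONSTRUCTED", b"stored password"  # constructed
    weak_blob = seal(key_from_public_inputs(serial), password)
    # Any component that knows the constant and the serial re-derives the same key.
    print("public inputs only:", unseal(key_from_public_inputs(serial), weak_blob))
    salt = os.urandom(16)
    strong_blob = seal(key_from_user_secret("user passphrase", salt), password)
    # Without the user's secret, neither a guess nor the public inputs open the blob.
    print("wrong secret:", unseal(key_from_user_secret("guess", salt), strong_blob))
    print("public inputs:", unseal(key_from_public_inputs(serial), strong_blob))
```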


