Samsung hasn't had the best few weeks. Security experts have disclosed three vulnerabilities in the system the company created to "enhance security" of the Android operating system.
Researchers from Israeli firm Viral Security Group exposed the flaws in Samsung's Knox system, which they say "allowed full control" of a Samsung Galaxy S6 and the Galaxy Note 5 used for testing back in June. The vulnerabilities, which require an existing flaw to operate, were reported to Samsung earlier this year.
The company says it fixed them in a recent security update. In a white paper provided and later published online (alongside proof of concept material) the researchers detail how hackers could get around the protections that are intended to protect data stored on a phone. Dubbed KNOXout, the experts exploited privilege escalation vulnerabilities within Knox's Real-time Kernel Protection (RKP). To get around the protection they used the existing kernel vulnerability CVE-2015-1805 – known as a write-what-where vulnerability.
"Once you have the existing vulnerability this one overcomes all of Samsung's protection mechanisms and gives you complete control of the device," Nimrod Ben Em, the group's founder and Lev Aronsky, head of R&D, told. When inside the kernel the security researchers were able to "explore" the protection mechanism of the RKP. They were then able to avoid protections and execute their own code.
"Samsung's Knox system is meant to provide a secure environment for their cellphones – we didn't expect to find anything," the pair said. "You can use our vulnerability to overcome the protections to Samsung Knox." Explaining one of the vulnerabilities in their paper, the researchers said: "Malicious access to the system account can be used, for instance, to replace legitimate applications with rogue versions, with access to all available permissions, without the user’s notice." Using the technique they were also able to disable additional kernel protections and "achieve root privileges".
"Overall I think this is a good paper," Zuk Avraham, founder of Zimperium, who was not involved with the research, told. "It demonstrates once again that write-what-where and arbitrary read vulnerabilities remain a challenge for mitigations." A spokesperson for Samsung said customers are encouraged to keep their software and apps updated and that updates can be downloaded wirelessly. "Samsung was made aware of this particular vulnerability and a fix was deployed as part of our May security update," the spokesperson said. The vulnerabilities aren't the first time the Knox platform has suffered from security problems. Some "relatable" research into the Android Kernel was published earlier this year, Joshua Drake, a senior director of platform research at Zimperium said.