A security system used by Samsung's best-selling Galaxy S4 smartphone suffers from a vulnerability that could allow malicious software to track emails and record data communications, according to cybersecurity researchers at Ben-Gurion University of the Negev.
The alleged security flaw, which the researchers say they discovered earlier this month, comes as Samsung pitches its new security platform, called Knox, to the United States Department of Defense and other governments and corporations, in a bid to compete with BlackBerry, whose devices have been considered the gold standard among security-conscious clients for years. The Knox platform is also used by the Galaxy S4.
The discovery of the security flaw was first reported in the Wall Street Journal.
Samsung said it was looking into the allegations, but that an initial investigation showed it wasn't as serious as the Ben Gurion researchers have maintained.
Mordechai Guri, the researcher who discovered the alleged problem at the university's Cyber Security Lab, said the vulnerability would allow a hacker to "easily intercept" secure data on a Knox-enabled Galaxy smartphone.
In a worst-case scenario, he added, a hacker could modify data and even insert hostile code that could run amok within the secured network.
"The vulnerability presents a serious threat to all users of phones based on this architecture, such as the Samsung Galaxy S4," Dudu Mimran, the lab's chief technical officer, said in a statement to the Wall Street Journal.
A spokesman for Samsung said that the company "takes all security vulnerability claims very seriously" and promised to further investigate the university lab's claims.
However, a preliminary investigation by Samsung showed that "the threat appears to be equivalent to some well-known attacks," the spokesman said.
The spokesman added that the university lab's breach of the system appeared to have been conducted on a device that wasn't fully loaded with the extra software that a corporate client would use in conjunction with Knox.
"Rest assured, the core Knox architecture cannot be compromised or infiltrated by such malware," he said.
The Galaxy S4 is one of the world's most popular smartphones. While Samsung doesn't regularly release sales data for its devices, the company said in May that it sold more than 10 million units within the first month of its commercial debut.
Knox wasn't initially preloaded on Galaxy S4 devices, but any user can now download the system. The Knox program comes preloaded on Samsung's Galaxy Note 3. The system can be turned off by any user.
The university researchers said they have only discovered the problem on the Galaxy S4.
Guri said that he stumbled upon the security hole while working on an unrelated project related to mobile security. He said that his results tested out on multiple Galaxy S4 devices that had been purchased through retail stores.
It was unclear how long the vulnerability had existed, he said.
Samsung has gone to considerable lengths to integrate Knox into every aspect of its phones' hardware and software development, with the goal of enabling government and corporate employees to use their own devices at work, without security concerns.
A spokesman for the U.S. Department of Defense said the government doesn't comment on possible security vulnerabilities, but added that no device would be used by the Pentagon until it is proven secure. The Samsung Knox security system isn't yet approved for use on Pentagon networks, though it is being tested in a pilot program.
More generally, defense officials have said in the past that they are aware security vulnerabilities have been found in the Knox platform, adding that they were working with Samsung to correct them. The company has said it is working with the Pentagon to address these issues.
If the Ben-Gurion University researchers are correct, they said, the security vulnerability would be classified as a so-called "category one" vulnerability.
Several security vulnerabilities have already emerged as Samsung develops and rolls out Knox – a normal part of software development processes, according to one person familiar with the project. Samsung has said it is working to fix these issues with Knox.
Earlier this month, the company said it had released a patch to address a separate vulnerability that affected Knox on Samsung's Note 3 smartphone.
In a statement, Samsung said that the Note 3 vulnerability posed a "threat to the integrity of Knox-enabled devices," but said that it had fixed the problem and that "security patches are being rolled out for all vulnerable models."