Israeli Researchers Find Security Flaw in Samsung Galaxy S4 Smartphone

Samsung says it is looking into the problem but disputes the seriousness of the phone's security vulnerability.


A security system used by Samsung's best-selling Galaxy S4 smartphone suffers from a vulnerability that could allow malicious software to track emails and record data communications, according to cybersecurity researchers at Ben-Gurion University of the Negev.

The alleged security flaw, which the researchers say they discovered earlier this month, comes as Samsung pitches its new security platform, called Knox, to the United States Department of Defense and other governments and corporations, in a bid to compete with BlackBerry, whose devices have been considered the gold standard among security-conscious clients for years. The Knox platform is also used by the Galaxy S4.

The discovery of the security flaw was first reported in the Wall Street Journal.

Samsung said it was looking into the allegations, but that an initial investigation showed it wasn't as serious as the Ben-Gurion researchers have maintained.

Mordechai Guri, the researcher who discovered the alleged problem at the university's Cyber Security Lab, said the vulnerability would allow a hacker to "easily intercept" secure data on a Knox-enabled Galaxy smartphone.
In a worst-case scenario, he added, a hacker could modify data and even insert hostile code that could run amok within the secured network.

"The vulnerability presents a serious threat to all users of phones based on this architecture, such as the Samsung Galaxy S4," Dudu Mimran, the lab's chief technical officer, said in a statement to the Wall Street Journal.

A spokesman for Samsung said that the company "takes all security vulnerability claims very seriously" and promised to further investigate the university lab's claims.

However, a preliminary investigation by Samsung showed that "the threat appears to be equivalent to some well-known attacks," the spokesman said.
The spokesman added that the university lab's breach of the system appeared to have been conducted on a device that wasn't fully loaded with the extra software that a corporate client would use in conjunction with Knox.

"Rest assured, the core Knox architecture cannot be compromised or infiltrated by such malware," he said.

The Galaxy S4 is one of the world's most popular smartphones. While Samsung doesn't regularly release sales data for its devices, the company said in May that it sold more than 10 million units within the first month of its commercial debut.
Knox wasn't initially preloaded on Galaxy S4 devices, but any user can now download the system. The Knox program comes preloaded on Samsung's Galaxy Note 3. The system can be turned off by any user.

The university researchers said they have only discovered the problem on the Galaxy S4.

Guri said that he stumbled upon the security hole while working on an unrelated mobile security project. He said that his results tested out on multiple Galaxy S4 devices that had been purchased through retail stores.

It was unclear how long the vulnerability had existed, he said.

Samsung has gone to considerable lengths to integrate Knox into every aspect of its phones' hardware and software development, with the goal of enabling government and corporate employees to use their own devices at work, without security concerns.

A spokesman for the U.S. Department of Defense said the government doesn't comment on possible security vulnerabilities, but added that no device would be used by the Pentagon until it is proven secure. The Samsung Knox security system isn't yet approved for use on Pentagon networks, though it is being tested in a pilot program.

More generally, defense officials have said in the past that they are aware security vulnerabilities have been found in the Knox platform, adding that they were working with Samsung to correct them. The company has said it is working with the Pentagon to address these issues.

If their findings are correct, the researchers at Ben-Gurion University said, the security vulnerability would be classified as a so-called "category one" vulnerability.

Several security vulnerabilities have already emerged as Samsung develops and rolls out Knox – a normal part of software development processes, according to one person familiar with the project. Samsung has said it is working to fix these issues with Knox.

Earlier this month, the company said it had released a patch to address a separate vulnerability that affected Knox on Samsung's Note 3 smartphone.

In a statement, Samsung said that the Note 3 vulnerability posed a "threat to the integrity of Knox-enabled devices," but said that it had fixed the problem and that "security patches are being rolled out for all vulnerable models."
