Samsung Knox

Knox
Developer(s)Samsung
Initial releaseMarch 2013 (2013-03)
Stable release
3.11 / 15 February 2025 (2025-02-15)[1]
Operating systemAndroid and Tizen
Websitewww.samsungknox.com/en

Samsung Knox is a mobile device management (MBM) and trusted computing framework pre-installed on most Samsung mobile devices, and implements ARM TrustZone in hardware. It allows the management of work devices, such as employee mobile phones, interactive kiosks, and barcode scanners.[2] Like other MBMs, Knox allows organizations to control a device's pre-loaded applications, settings, boot-up animations, home screens, and lock screens.[3]

Overview

Main articles: Mobile device management and ARM TrustZone

Knox provides trusted computing and mobile device management (MDM) features. Knox's hardware is based on an implementation of ARM TrustZone, a bootloader ROM, and secure boot (similar to dm-verity and AVB).[4][5] These trusted computing environments are used to store sensitive data, like cryptographic materials and certificates.[6]

MDM allow businesses to customize their devices for their needs. IT administrators can register new devices, identify a unified endpoint management (UEM) system, define the organizational rules that govern the use of devices, and upgrade device firmware over-the-air.[7] Knox's MDM services are registered and accessed through the web,[8] APIs, or proprietary SDKs.[9]

A few Samsung devices with Knox were approved for US governmental use in 2014, as long as they're not used to store classified data.[10]

Since Android 8, Knox is used to prevent root access to apps even after a successful rooting.[11]

In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code.[12]

In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox.[13]

Several security flaws were discovered in Knox in 2017 by Project Zero.[14][15]

e-Fuse

Rooted Samsung Galaxy S10e with tripped e-fuse

Samsung Knox devices use an e-fuse to indicate whether or not an "untrusted" (non-Samsung) boot path has ever been run. The e-Fuse will be set in any of the following cases:

  • The device boots with a non-Samsung signed bootloader, kernel, kernel initialization script, or data.
  • The device is rooted.
  • Custom firmware is detected on the device (such as non-Samsung Android releases).

On Galaxy Book devices starting with the Galaxy Book 4, upgrading from one Windows version to another (from 22H2 to 23H2) will not set the e-Fuse, but upgrading to a higher edition (from Home to Pro) will.

When set, the text "Set warranty bit: <reason>" appears. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace.[16] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner.[17] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting.[18] In addition to voiding the warranty, tripping the e-fuse also prevents some preinstalled apps from running, such as Secure Folder and Samsung Pay. For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware.[19]

See also

References

  1. ^ "Samsung Knox 3.11 released". Samsung Knox. Retrieved 2025-03-07.
  2. ^ "Secure mobile platform and solutions". Samsung Knox. January 15, 2021. Archived from the original on December 23, 2020. Retrieved January 15, 2021.
  3. ^ "8 Steps to Customizing Mobile Devices With Knox Configure". Samsung Business Insights. 2020-01-07. Retrieved 2021-01-06.
  4. ^ "Root of Trust | Knox Platform for Enterprise Whitepaper". docs.samsungknox.com. Archived from the original on 2018-11-14. Retrieved 2018-11-13.
  5. ^ "New Samsung Galaxy Note 3 software features explained". Android Authority. 2013-09-04. Archived from the original on 2021-01-09. Retrieved 2021-01-07.
  6. ^ "Samsung TIMA Keystores".
  7. ^ "Knox for Enterprise Mobility". Samsung Knox. Retrieved 2021-01-06.
  8. ^ "Samsung Knox Documentation Ecosystem". docs.samsungknox.com. Retrieved 2021-01-06.
  9. ^ "Samsung Knox Developer Documentation". docs.samsungknox.com. Retrieved 2021-06-28.
  10. ^ Ribeiro, John (2014-10-21). "NSA approves Samsung Knox devices for government use". PCWorld. Retrieved 2018-10-27.
  11. ^ "Disable DEFEX Security to Root Samsung Galaxy Devices on Oreo". 13 October 2018.
  12. ^ Mimoso, Michael (2014-10-24). "NSA-Approved Samsung Knox Stores PIN in Cleartext". Threatpost. Retrieved 2018-10-27.
  13. ^ Forrest, Conner (2016-05-31). "Samsung Knox isn't as secure as you think it is". TechRepublic. Retrieved 2018-10-27.
  14. ^ "How we cracked Samsung's DoD- and NSA-certified Knox". ZDNet.
  15. ^ Ben (2017-02-08). "Project Zero: Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection". Project Zero. Retrieved 2025-08-02.
  16. ^ Ning, Peng (2013-12-04). "About CF-Auto-Root". Samsung. Archived from the original on 2015-09-05. The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung's control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container or access the data previously stored in an existing KNOX Container.
  17. ^ "Just how does Knox warranty void efuse burning work?". XDA Developers Forums. 28 June 2016. Retrieved 2021-01-05.
  18. ^ Koebler, Jason (2016-08-17). "Companies Can't Legally Void the Warranty for Jailbreaking or Rooting Your Phone". Motherboard. Retrieved 2018-10-27.
  19. ^ "Disable Knox on Samsung Galaxy Devices [4 Ways] | Android More". AndroidMore. Archived from the original on 2021-01-05. Retrieved 2020-12-14.
This article is issued from Wikipedia. The text is available under Creative Commons Attribution-Share Alike 4.0 unless otherwise noted. Additional terms may apply for the media files.