Samsung Knox

Knox
Developer(s): Samsung
Initial release: March 2013
Stable release: 3.11 / 15 February 2025 [1]
Operating system: Android and Tizen
Website: www.samsungknox.com/en

Samsung Knox is a mobile device management (MDM) and trusted computing framework that is pre-installed on most Samsung mobile devices and implements ARM TrustZone in hardware. It allows the management of work devices, such as employee mobile phones, interactive kiosks, and barcode scanners. [2] Like other MDMs, Knox allows organizations to control a device's pre-loaded applications, settings, boot-up animations, home screens, and lock screens. [3]

Overview

Knox provides trusted computing and mobile device management (MDM) features. Knox's hardware is based on an implementation of ARM TrustZone, a bootloader ROM, and secure boot (similar to dm-verity and AVB). [4] [5] These trusted computing environments are used to store sensitive data, like cryptographic materials and certificates. [6]

MDM allows businesses to customize their devices for their needs. IT administrators can register new devices, identify a unified endpoint management (UEM) system, define the organizational rules that govern the use of devices, and upgrade device firmware over-the-air. [7] Knox's MDM services are registered and accessed through the web, [8] APIs, or proprietary SDKs. [9]

A few Samsung devices with Knox were approved for US governmental use in 2014, as long as they're not used to store classified data. [10]

Since Android 8, Knox is used to prevent root access to apps even after a successful rooting. [11]

In October 2014, a security researcher discovered that Samsung Knox stores PINs in plain text rather than storing salted and hashed PINs and processing them by obfuscated code. [12]

In May 2016, Israeli researchers Uri Kanonov and Avishai Wool found three vulnerabilities in specific versions of Knox. [13]

Several security flaws were discovered in Knox in 2017 by Project Zero. [14] [15]

e-Fuse

[Image: Rooted Samsung Galaxy S10e with tripped e-fuse (Root Verifier screenshot)]

Samsung Knox devices use an e-fuse to indicate whether or not an "untrusted" (non-Samsung) boot path has ever been run. The e-Fuse will be set in any of the following cases:

On Galaxy Book devices starting with the Galaxy Book 4, upgrading from one Windows version to another (from 22H2 to 23H2) will not set the e-Fuse, but upgrading to a higher edition (from Home to Pro) will. [citation needed]

When set, the text "Set warranty bit: <reason>" appears. Once the e-fuse is set, a device can no longer create a Knox Workspace container or access the data previously stored in an existing Knox Workspace. [16] In the United States, this information may be used by Samsung to deny warranty service to devices that have been modified in this manner. [17] Voiding consumer warranties in this manner may be prohibited by the Magnuson–Moss Warranty Act of 1975, at least in cases where the phone's problem is not directly caused by rooting. [18] In addition to voiding the warranty, tripping the e-fuse also prevents some preinstalled apps from running, such as Secure Folder and Samsung Pay. [citation needed] For some older versions of Knox, it may be possible to clear the e-fuse by flashing a custom firmware. [19]
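As an added illustration (not Samsung's code and not part of the original article), the sketch below shows how a fleet compliance check could classify a device from a dump of its system properties before allowing enrollment. It assumes the fuse state is exposed as the property `ro.boot.warranty_bit` (0 meaning intact) alongside Android's `ro.boot.verifiedbootstate`; the property dumps are constructed samples.

```python
import re

# Constructed `adb shell getprop` dumps (not real captures).
SAMPLE_INTACT = """\
[ro.boot.verifiedbootstate]: [green]
[ro.boot.warranty_bit]: [0]
[ro.product.model]: [SM-G970F]
"""
SAMPLE_TRIPPED = """\
[ro.boot.verifiedbootstate]: [orange]
[ro.boot.warranty_bit]: [1]
[ro.product.model]: [SM-G970F]
"""

PROP_LINE = re.compile(r"^\[([^\]]+)\]: \[(.*)\]$")


def parse_getprop(text):
    """Parse `[key]: [value]` lines into a dict, ignoring anything else."""
    props = {}
    for line in text.splitlines():
        m = PROP_LINE.match(line.strip())
        if m:
            props[m.group(1)] = m.group(2)
    return props


def knox_fuse_status(props):
    """Return (status, reasons); status is intact, tripped, suspect or unknown."""
    bit = props.get("ro.boot.warranty_bit")  # assumed property name
    if bit is None:
        # Fail closed: a device that does not report the bit is not trusted.
        return "unknown", ["warranty bit property missing"]
    reasons = []
    if bit != "0":
        reasons.append(f"warranty bit = {bit}")
    vb = props.get("ro.boot.verifiedbootstate")
    if vb is not None and vb != "green":
        reasons.append(f"verified boot state = {vb}")
    if bit != "0":
        return "tripped", reasons
    # Fuse reads intact but another boot signal disagrees: flag for review.
    return ("suspect" if reasons else "intact"), reasons


if __name__ == "__main__":
    for name, dump in (("intact", SAMPLE_INTACT), ("tripped", SAMPLE_TRIPPED)):
        print(name, knox_fuse_status(parse_getprop(dump)))
```

Because these properties are reported by the device itself, a check like this is a triage signal; hardware-backed attestation is the stronger control where it is available.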

References

  1. "Samsung Knox 3.11 released". Samsung Knox. Retrieved 2025-03-07.
  2. "Secure mobile platform and solutions". Samsung Knox. January 15, 2021. Archived from the original on December 23, 2020. Retrieved January 15, 2021.
  3. "8 Steps to Customizing Mobile Devices With Knox Configure". Samsung Business Insights. 2020-01-07. Retrieved 2021-01-06.
  4. "Root of Trust | Knox Platform for Enterprise Whitepaper". docs.samsungknox.com. Archived from the original on 2018-11-14. Retrieved 2018-11-13.
  5. "New Samsung Galaxy Note 3 software features explained". Android Authority. 2013-09-04. Archived from the original on 2021-01-09. Retrieved 2021-01-07.
  6. "Samsung TIMA Keystores".
  7. "Knox for Enterprise Mobility". Samsung Knox. Retrieved 2021-01-06.
  8. "Samsung Knox Documentation Ecosystem". docs.samsungknox.com. Retrieved 2021-01-06.
  9. "Samsung Knox Developer Documentation". docs.samsungknox.com. Retrieved 2021-06-28.
  10. Ribeiro, John (2014-10-21). "NSA approves Samsung Knox devices for government use". PCWorld. Retrieved 2018-10-27.
  11. "Disable DEFEX Security to Root Samsung Galaxy Devices on Oreo". 13 October 2018.
  12. Mimoso, Michael (2014-10-24). "NSA-Approved Samsung Knox Stores PIN in Cleartext". Threatpost. Retrieved 2018-10-27.
  13. Forrest, Conner (2016-05-31). "Samsung Knox isn't as secure as you think it is". TechRepublic. Retrieved 2018-10-27.
  14. "How we cracked Samsung's DoD- and NSA-certified Knox". ZDNet.
  15. Ben (2017-02-08). "Project Zero: Lifting the (Hyper) Visor: Bypassing Samsung's Real-Time Kernel Protection". Project Zero. Retrieved 2025-08-02.
  16. Ning, Peng (2013-12-04). "About CF-Auto-Root". Samsung. Archived from the original on 2015-09-05. "The sole purpose of this fuse-burning action is to memorize that a kernel or critical initialization scripts or data that is not under Samsung's control has been put on the device. Once the e-fuse bit is burned, a Samsung KNOX-enabled device can no longer create a KNOX Container or access the data previously stored in an existing KNOX Container."
  17. "Just how does Knox warranty void efuse burning work?". XDA Developers Forums. 28 June 2016. Retrieved 2021-01-05.
  18. Koebler, Jason (2016-08-17). "Companies Can't Legally Void the Warranty for Jailbreaking or Rooting Your Phone". Motherboard. Retrieved 2018-10-27.
  19. "Disable Knox on Samsung Galaxy Devices [4 Ways] | Android More". AndroidMore. Archived from the original on 2021-01-05. Retrieved 2020-12-14.