Knox flaws give full control of Samsung Galaxy, Note devices


Researchers detail KNOXout attack.

Three major flaws in Samsung's KNOX mobile security platform for Android allow attackers to gain "full control" of Galaxy and Note 5 smartphones, Israeli researchers have discovered.

Viral Security has posted a whitepaper and proof of concept for what the firm dubbed the KNOXout attack.

To succeed, the attack requires use of an existing write-what-where kernel vulnerability; in this case the researchers used CVE-2015-1805, a flaw in the processing of vectored pipes by the Linux kernel.

Attackers can then exploit three privilege escalation vulnerabilities within the Knox platform's real-time kernel protection to avoid its security mechanisms, execute their own code, and gain complete control of the phone.

The real-time kernel protection feature is responsible for defending against kernel exploits.

The researchers found it can be subverted to gain root privileges, and then disable additional kernel protections and load a custom, unsigned kernel module so the /system partition is remounted as writable.

"Malicious access to the system account can be used, for instance, to replace legitimate applications with rogue versions, with access to all available permissions, without the user’s notice," the researchers wrote.

Samsung told Wired the vulnerabilities had been patched in its May security update.

It's the second time in a year researchers have uncovered weaknesses in the security platform. In May, Israeli researchers Uri Kanonov and Avishai Wool posted details of three Knox and Android vulnerabilities, which, among other things, revealed security risks in sharing Knox services with user applications.
