You’ve already patched the corporate Galaxy fleet, haven’t you?
A pair of Israeli researchers has detailed their discovery of three Android / KNOX vulnerabilities in older Samsung phones, and it makes for depressing reading.
In this paper at Arxiv, Tel Aviv University’s Uri Kanonov and Avishai Wool dissect KNOX for your enjoyment.
In particular, they write that in sharing KNOX services with user applications, there’s a distinct security risk.

The ARM TrustZone, they write, does a good job of mitigating root and kernel exploits, but only if it’s used right, and that requires “proper usage of its features in all surrounding areas to gain the promised security boost.”
For The Register, one of the killer phrases in the paper is: “we contrast KNOX 1.0 with the most recent version of KNOX: we show how the latest KNOX improves security— while also making security sacrifices in favour of user satisfaction”.

Convenience, it seems, still trumps security.
The paper describes the discovery of three vulnerabilities:

CVE-2016-1919, “Weak eCryptFS Key generation from user password on KNOX 1.0 / Android 4.3”;
CVE-2016-1920, “VPN Man-in-the-Middle due to shared certificate store on KNOX 1.0 / Android 4.3”; and
CVE-2016-3996, “KNOX clipboard data disclosure KNOX 1.0 – KNOX 2.3 / Android”.

They’re patched, but as always, when the fix lands on end user mobes is highly variable.
The VPN attack is non-trivial, but it’s a beaut. Here’s the short version from the paper:
“The attack scenario is an “Evil Maid” attack (short-term physical access) against an unlocked device (for example the attacker may ask the victim to make a quick phone call from her device).

The attack is performed as follows:

1.
Install the malicious application requiring VPN-related permissions.
2.
Install a 3rd party certificate.
3. Run the malicious application which starts a VPN connection.

This will cause a notification to appear with the icon of the malicious application and name of the VPN connection.
4.
Serve forged SSL/TLS certificates while performing MITM.

The only social engineering required, the authors note, is to present a benign-looking Knox icon for the VPN and a similarly innocuous connection name, users will probably continue past the warning. ®
Sponsored: Rise of the machines