When it comes to Android phone security, one of the best-known platforms is Samsung’s Knox, a suite for Samsung phones aimed at enterprise. It’s considered one of the best on the market, but it isn’t impregnable, as a recently uncovered exploit showed.
The exploit (SVE-2017-10086), which was fixed in the October 2017 security patch or November 2017 security patch (depending on the device model), leveraged a vulnerability in Samsung’s implementation of Media Transfer Protocol (MTP) that could allow an attacker to view all of a device’s files. It’s been nicknamed “MTPwn”, and it affects all Samsung devices running Android 4.4.x to Android 7.x.
MTPwn allows a hacker to bypass the lock state of unpatched devices even if they’re in “charging” mode, and enable MTP access from a computer. How’s that possible? Affected devices run an MTP server when a device is plugged in and in charging mode. Normally, computers can’t read the files because the phone blocks them from viewing any usable storage on the device. That works pretty well in practice, but Samsung overlooked the fact that the MTP server can receive commands — an attacker can simply force the MTP server on the device to list the device’s files, retrieve the files from its internal storage, or copy files to it.
Check out the GitHub repo of MTPwn to see how it works, and how you to test it out on your own Samsung device.