How Samsung stays one step ahead of security threats to protect your privacy with Knox
Originally published on Samsung INSIGHTS.
Eight years ago, Samsung set out on a mission to build the most trusted and secure mobile devices in the world. With the introduction of our Samsung Knox platform at MWC in 2013, we put in place the key elements of hardware-based security that would help defend Samsung mobile devices and our customers' data against increasingly sophisticated cyber threats.
Samsung Knox has since evolved into more than a built-in security platform, now encompassing a full suite of mobile management tools for enterprise IT administrators. But our mobile product planners, developers and security engineers have remained laser focused on answering the primary question: how do we remain a step ahead of hackers and keep our users safe at all times?
Samsung Knox Vault represents the latest step in that journey. It's the logical evolution of something we've been working on for years: an isolated, hardware-based and highly secure environment for the most critical information on the device.
To understand what Samsung Knox Vault is, let's first run through a quick history of how the principle of isolation has been fortifying Samsung's Knox mobile security platform.
The Evolution of the Samsung Knox Platform
In the first days of Android, the main focus was building a more open and flexible mobile operating system. Security was state-of-the-art for the time, inherited from the world of Unix and mainframe computers. But from the start, it became clear that smartphones were different; they were the most personal computers anyone had ever built.
Samsung quickly realized that we needed to think harder about the threat model on such a personal device — particularly how to give extra protection to critical information such as private keys and digital certificates. That's where the idea of using Trusted Execution Environments (TEEs) on our mobile devices came in. Within the ARM processors in our Galaxy smartphones, we pioneered the use of TEE-based protections using a feature called TrustZone.
The goal of TrustZone is to isolate the software that manages the most sensitive device data: passwords, biometrics, and cryptographic keys. It does this by running a different OS alongside Android. In this new model, when a password or fingerprint needs to be checked, Android no longer has direct access to your password or fingerprint data. Instead, Android must request a TrustZone applet to do the sensitive work on its behalf, such as decrypting data or verifying your fingerprint. With TrustZone, sensitive cryptographic and biometric data is never exposed to the Android OS or public apps.
Even with highly sophisticated malware, a successful breach of sensitive data would require much more than finding a known Android vulnerability and writing an exploit; it would require simultaneously breaking through the much stricter TrustZone protections. And since TrustZone is so focused, it’s easier to protect with few interfaces or “surfaces” to target. All this makes an attack exponentially harder.
Overall, TrustZone, combined with other Samsung Knox platform layers such as Real-Time Kernel Protection, set a new benchmark for hardware-based device security. But for Samsung engineers, security is a passion bordering on obsession and we started to look at TEEs, and asked ourselves, "How can we make this even more secure?"
Introducing Samsung Knox Vault
It's a fact that any CISO will accept: isolation increases security. TrustZone is mostly independent, but there remain overlaps and shared resources between the TrustZone and the Android OS. Critically, they share the main CPU and memory, which puts the onus on low-level software protections to keep information isolated. The more we separate sensitive data from the main OS, the more protected they will be in the event of a breach. After all, you are only as secure as your weakest link.
This is where Samsung Knox Vault comes in: a combination of security-specific hardware (a new secure processor and isolated secure memory) and new integrated software that shields your most secure data from the Android OS and applications.
The way I think of it, TrustZone was a great safe in the middle of your bank's branch office. There are a lot of people you don’t necessarily trust walking by the safe, doing day-to-day work that doesn’t require physical access to the safe. The secure processor in Samsung Knox Vault is more like Fort Knox: a safe securely placed far away from the bank, isolated from whoever walks into the branch.
With Samsung Knox Vault, we have focused on designing a secure and highly protected place for our own trusted software. Its job is solely to manage and protect the most critical information: PINs, passwords, biometrics, digital certificates, cryptographic keys and other sensitive information.
How the Secure Processor Adds Protection
Samsung Knox Vault is the natural extension of the hardware-based security that Samsung has been building within Galaxy smartphones. Our engineers looked at the problem of enhancing security as a question of trust: What pieces of the system must be trusted? Then: How can we reduce the number of things we trust so we don't have to worry about that piece being compromised? That line of questioning led us to Samsung Knox Vault and its key components like the secure processor.
Samsung Knox Vault extends upon the protection that the TrustZone offers. The secure processor operates independently from the main CPU running the Android OS, further enhancing our security posture and minimizing shared components to mitigate potential vectors for attack.
Software-based attack vectors are not the only vectors we analyzed. Samsung also took into consideration "physical" attacks on your smartphone. These are sophisticated attacks by someone who has physical possession of your phone and wants to pry out the secrets inside. When someone tries to tamper with the phone electronics directly — for example through laser light or electromagnetic fault injection — the secure information in the vault can self-destruct so that access is prevented.
For many of our customers, these kinds of physical attacks may seem far-fetched; there is a perception that smartphones are stolen because their hardware is profitable, not because they have incredibly important information stored on them. But more people are now storing highly valuable information on their smartphones — not just confidential corporate data but also their Blockchain wallet and password managers. In particular, for our enterprise or government customers who are responsible for protecting sensitive financial, healthcare or even classified defense information, advanced physical attacks are a serious concern.
We’re committed to leaving no stone unturned in mitigating security risks, including these critical edge cases. Fundamentally, Samsung Knox Vault's physical security gives you another layer of protection, so even hackers who gain physical possession of the device can't get to the information stored deep inside.
Samsung's customers have trusted us to be constantly working to improve the security of our hardware and our software, and we are grateful for that trust. Samsung Knox Vault – which is integrated for the first time on our new Galaxy S21 5G line – shows our commitment to deliver the highest level of security for their mobile devices and most sensitive data.
Author: David Thomson
David Thomson is a security expert who started his career working on Department of Defense contracts. His projects focused on protected classified data on Linux-based workstations and network appliances. He came to Samsung Research America in 2013 as a security engineer and helped bring Security Enhanced Linux (SELinux) protections to the Android OS. He has since worked as Product Manager for the core Knox security platform and now supports the Knox software and support sales team at Samsung Electronics America.