Privacy and data security are core concerns when using mobile devices in enterprise settings. However, privacy and security on mobile devices face unique and advanced threats. For example, a malicious insider or stealthy spyware could use the camera, mic, and GPS in the background to spy on meetings or to photograph sensitive data in controlled physical environments, and exfiltrate data through the cellular modem.
One underlying enabler for these threats is that mobile phones are extremely versatile devices that interact with their environment in multiple ways using peripheral devices[1], such as modems, Wi-Fi, Bluetooth, cameras, microphones, GPS, NFC, and USB. However, these same peripherals also expose a wide attack surface that attackers can abuse for malicious purposes to compromise privacy and security. Such concerns have unfortunately resulted in mobile phones being disallowed in classified and secure locations, especially in government, as well as security concerns around their use by journalists and leaders who are potential targets of surveillance.
Advanced malware exploits the peripheral device attack surface
To further understand the peripheral attack surface, let us look at how advanced threats typically work (Figure 1). First, attackers infiltrate devices to execute malware code on the victim’s device. Infiltration can happen through peripherals such as USB (e.g., connecting to a malicious charger). Second, malware exploits vulnerabilities in the Android framework and the OS kernel to gain privilege and to bypass policy controls installed by an enterprise mobile device management (MDM). Third, malware collects and exfiltrates data using peripherals. For example, the device’s cameras and microphones can be hijacked to look in on and listen to a targeted individual’s environment, while the wireless radios can be leveraged for data exfiltration.
Figure 1: How advanced malware works. Specifically, advanced malware escalates its privileges using OS or Android framework vulnerabilities, and is able to stealthily access peripherals such as the camera and mic in the background.
Advanced malware bypasses OS-level peripheral device controls
These threats are addressed by effectively disabling peripherals, such as the camera, mic, USB, and modem. Most OSes, including Android, can disable application access to peripherals through settings and enterprise MDM APIs. However, as it stands today, advanced malware or a threat actor who has compromised the OS and escalated privilege has full control over the device’s hardware components, overriding the user’s selections within OS controls or the organization’s peripheral policies enforced via MDM. For example, the Pegasus spyware used a rooting exploit to escalate privileges to the OS, and bypassed Android’s access controls to stealthily capture live audio and camera images. As another example, researchers demonstrated how an Android permissions bypass vulnerability allowed an app to access camera, microphone, and GPS data without having permissions to do so.
HDM: High Assurance Peripheral Device Controls
HDM is a Samsung-exclusive security layer that provides high assurance peripheral device controls to an enterprise even if the OS is compromised and across factory resets. HDM leverages ARM hardware virtualization to interpose on peripheral access, and allows or denies access according to enterprise policy (Figure 2). This policy specifies whether specific peripherals should be enabled or disabled, and also whether to trigger automatic physical lockout of peripherals upon detection of device rooting or compromise (Figure 3). HDM can control access to physical sensors (cameras and microphones), communication chips (cellular modem, Wi-Fi, Bluetooth and NFC) and other peripherals (USB, speaker and GPS) based on enterprise policy.
Figure 2: HDM mediates all accesses to peripherals even if an attacker bypasses Android OS access controls. HDM enforces access based on an enterprise policy stored in tamper-resistant secure storage that persists even across factory resets.
Figure 3: An enterprise policy specifies whether HDM should disable specific peripheral devices, and whether to trigger lockout of peripherals upon detecting device compromise.
HDM achieves strong guarantees using a unique combination of techniques:
- HDM controls are enabled before any potentially untrusted code can run. HDM starts before the OS as part of Knox’s hardware-rooted trusted boot process, which is the chain of trust that begins when the phone is powered on and ensures that each component is cryptographically validated before being loaded.
- HDM offers complete protection even in the face of OS compromise. HDM runs at a higher privilege than the OS by leveraging ARM’s hardware virtualization extensions, and therefore mediates and controls all accesses to peripherals even if the Android framework and OS are completely compromised by malware.
- HDM policy is tamper-resistant and persistent across factory resets. HDM stores its enterprise policy in device secure storage that is protected from tampering and preserved even across factory resets and flashing. Even if the secure storage itself is broken by hardware attacks, HDM can apply a default protection policy.
- HDM policy updates are cryptographically protected. HDM uses cryptographic signatures and mutual authentication for policy updates. A trusted HDM server generates and signs the enterprise policy, which is verified by HDM on-device. In turn, HDM uses its own unique, hardware-backed key to prove its identity to the server.
HDM enables several use-cases in a flexible and secure manner.
Scenario 1: Fixed hardware peripheral customization
To avoid being detected or having their position compromised during military operations, operatives often require guaranteed disablement of certain radio services such as GPS, microphone, and Wi-Fi services. Using HDM to disable these subsystems on the device before troop/device deployment provides high assurance that these services cannot be activated in the field.
Scenario 2: Dynamic context-based peripheral access
To maintain integrity and protect sensitive information and intellectual property from theft, organizations restrict the usage of mobile devices in secure campuses or locations. HDM can be used to disable camera/microphone subsystems on the mobile device before entering these areas. Disabling the hardware could happen automatically using external triggers or by tapping the device at an entry gate.
As another example, when a need arises to discuss confidential matters, mobile device users need to be able to quickly and securely restrict access to microphone and camera hardware. An on-device HDM service can be used to enable or disable the hardware subsystems, ensuring the utmost secrecy is maintained. This can be thought of as a flexible privacy sticker, and it supports multiple peripherals where a sticker cannot be used.
Scenario 3: Zero Trust and damage containment
A core principle of Zero Trust is “assume breach”, where enterprises have to anticipate that attackers can successfully compromise a system, and take measures to contain the breach. To meet these ambitious goals for realizing Zero Trust, enterprises require new endpoint capabilities for limiting damage and data loss in the event that a device compromise is detected. HDM enables robust disabling of peripherals such as Wi-Fi and cellular modem to prevent enterprise data exfiltration once a compromise is detected.
Peripheral devices, such as the camera, microphone, and cellular modem, are increasingly abused by malicious actors to compromise devices, to spy, and to exfiltrate data. Advanced malware exploits the operating system, thereby rendering OS-level controls ineffective. Knox HDM offers high assurance, secure, and flexible controls to gate access to peripheral devices, enabling a wide range of flexible use-cases, such as context-based access and Zero Trust, to be achieved securely.
[1] Peripheral devices are also simply called peripherals.