Understanding Samsung’s vision of protecting us from security threats [Interview]

We had the opportunity to sit down with key figures from Samsung’s Security Team at the Samsung Developers Conference 2023 to better understand how Samsung views security in the context of its entire ecosystem and what it’s doing to make its products and services more secure. Shin-Chul Baik, Principal Engineer and Technical Program Manager of the Security Team for Samsung’s mobile division, and Bumhan Kim, Samsung principal engineer and lead on Samsung Knox Vault, spoke with SamMobile about the company’s efforts to improve security across its entire ecosystem.

Before we dive into the Q&As, it’s important to understand Samsung’s vision for a secure ecosystem. True end-to-end protection, hardware-backed security, user-friendly transparency, and multi-device protection are the four pillars upon which this vision rests. After completing 10 years of Knox, the company is now looking ahead to the next 10 with exciting new improvements in the pipeline.

Openness and collaboration are central to Samsung’s vision for a secure smart home. Instead of taking a walled garden approach, Samsung thrives on collaboration with partners that include the likes of Google, Qualcomm, Microsoft, Cisco, and others. Threat intelligence is shared across these partners to make their products and services more secure. While the interview provides a great outlook on how the Knox platform will go from strength to strength, it also gives you a look at new features to look forward to, such as the blockchain-based Trust Zone.

To be more proactive, the company maintains 24/7 threat monitoring and response for its core Samsung services such as Samsung Health, Samsung Wallet, and Bixby. Runtime protection is very important to Samsung, not just during the development lifecycle but on an ongoing basis: the company continues to work with the security community through its bug bounty program and with other partners to obtain information about vulnerabilities, and to incorporate the resulting patches into devices as often as possible for as long as possible.

Answers have been paraphrased for brevity and clarity.

Q1: We personally feel that Samsung Knox is deserving of more praise than it receives, given how it guarantees near foolproof security across Samsung devices. How does the security team proactively assess threats, such as through activities like internal hackathons?

A: Samsung has its own red team that actively tries to hack devices in order to find vulnerabilities. We have a separate team looking at vulnerabilities within the device to proactively identify weaknesses. Beyond that, we view openness and collaboration as one of the key tools to address threats, so we also rely on threat information from our partners and also from our bug bounty program.

Q2: As we understand, it has been a few years since Google integrated Knox into core Android. Is that collaboration still ongoing, in that Google integrates updated iterations of Knox as Samsung makes them available?

A: The collaboration with Google on Samsung Knox is still ongoing. Throughout the history of Knox, once we integrate a new core feature within Knox, it ultimately blends into the overall Android security platform. We continue to innovate with Knox to differentiate our devices by providing superior security while also contributing to making the entire Android ecosystem safer.

Q3: Knox Matrix was first announced last year. We subsequently heard that the first Knox Matrix devices may not arrive until 2024. What can you share about the roadmap now, particularly with regards to mobile devices, whether we would first see it on next year’s Galaxy S or Galaxy Z flagships?

A: Some features of Knox Matrix are out already, such as end-to-end encryption, whereas Passkey, a part of the credential sync component of Knox Matrix, will be available with One UI 6.0 and will be expanded to more devices next year. The Family Hub refrigerator and Tizen-powered Samsung smart TVs will get it early next year as well. Trust Sync, a key Knox Matrix feature, will be coming next year as well.

Q4: Can you provide more context as to why the rollout has been delayed? If it has been due to additional capabilities, how has Knox Matrix been further improved from what was revealed last year?

A: It was primarily due to adding more capabilities. It’s a complex operation as we’ve integrated different platforms and devices across our mobile products, TVs, etc. In terms of making sure that the security features were integrated properly, we wanted to take our time and make sure that all of the parts were in place before proceeding.

Q5: Why has the decision been made only now to expand Knox Vault to the Galaxy A series? Was it due to hardware limitations? Does this also mean that Knox Vault will be available on more affordable devices down the line?

A: Knox Vault requires a separate chip for its isolated sub-system. The architecture previously required high-end SoCs. Samsung has now made modifications to this architecture so that, even though it’s still a separate chip, it can now run on non-flagship devices from the Galaxy A series. This change will also enable us to expand Knox Vault to more non-flagship Galaxy phones in the future.

Q6: How does Pass Key differ from Samsung Pass, can you provide more information about how it will be integrated on Samsung’s mobile devices, and precisely how does it keep users’ login information safe?

A: Pass Key is a component within Samsung Pass. It provides passkey protection, which is also commonly known as the FIDO standard, meant as a way to ultimately provide a password-free experience. Pass Key support will enable users to use Samsung Pass on their device to log into websites and apps that support this standard. This technology is still quite new, so there are only a limited number of places where you can sign in with Pass Key; these include the likes of PayPal and Google accounts. We’re working hard to bring Pass Key-enabled experiences to more sources online.

Q7: Does Samsung decide which apps Message Guard will be expanded to, and will it be made easier for all developers that could potentially benefit from it to integrate the feature in their apps?

A: Our users will see Message Guard on more third-party applications in the near future. Message Guard keeps potentially harmful messages in an isolated sandbox so that the malicious attachment that comes with them doesn’t propagate to the rest of the system, thereby ensuring that zero-click attacks can be thwarted.

Q8: How does the team feel the bug bounty program has helped make Samsung devices more secure? What has been the highest bug bounty paid by Samsung, and are you able to share the bug?

A: We feel that the bug bounty program has been tremendously helpful. It’s been one of the key sources of improving the safety of our devices. It enables us to see what the wider security community is looking at so we can identify trends based on their reports. We receive similar information from our partners such as Google so we always have a good overview of how things are moving in the security space.

The highest bug bounty paid by Samsung was close to $120,000, and it was related to a critical TrustZone vulnerability.
