Enterprise
Understanding Samsung Knox Vault: Protecting the data that matters most
3/8/2021
Eight years ago, Samsung set out on a mission to build the most trusted and secure mobile devices in the world. With the introduction of our Samsung Knox platform at MWC in 2013, we put in place the key elements of hardware-based security that would help defend Samsung mobile devices and our customers’ data against increasingly sophisticated cyber threats.
Samsung Knox has since evolved into more than a built-in security platform, now encompassing a full suite of mobile management tools for enterprise IT administrators. But our mobile product planners, developers and security engineers have remained laser-focused on answering the primary question: how do we remain a step ahead of hackers and keep our users safe at all times?
Samsung Knox Vault represents the latest step in that journey. It’s the logical evolution of something we’ve been working on for years: an isolated, hardware-based and highly secure environment for the most critical information on the device.
To understand what Samsung Knox Vault is, let’s first run through a quick history of how the principle of isolation has been fortifying Samsung’s Knox mobile security platform.
The evolution of the Samsung Knox platform
In the first days of Android, the main focus was building a more open and flexible mobile operating system. Security was state-of-the-art for the time, inherited from the world of Unix and mainframe computers. But from the start, it became clear that smartphones were different; they were the most personal computers anyone had ever built.
Samsung quickly realized that we needed to think harder about the threat model on such a personal device — particularly how to give extra protection to critical information such as private keys and digital certificates. That’s where the idea of using Trusted Execution Environments (TEEs) on our mobile devices came in. Within the ARM processors in our Galaxy smartphones, we pioneered the use of TEE-based protections using a feature called TrustZone.
The goal of TrustZone is to isolate the software that manages the most sensitive device data: passwords, biometrics, and cryptographic keys. It does this by running a different OS alongside Android. In this new model, when a password or fingerprint needs to be checked, Android no longer has direct access to your password or fingerprint data. Instead, Android must request a TrustZone applet to do the sensitive work on its behalf, such as decrypting data or verifying your fingerprint. With TrustZone, sensitive cryptographic and biometric data is never exposed to the Android OS or public apps.
Even with highly sophisticated malware, a successful breach of sensitive data would require much more than finding a known Android vulnerability and writing an exploit; it would require simultaneously breaking through the much stricter TrustZone protections. And since TrustZone is so focused, it’s easier to protect with few interfaces or “surfaces” to target. All this makes an attack exponentially harder.
Overall, TrustZone, combined with other Samsung Knox platform layers such as Real-Time Kernel Protection, set a new benchmark for hardware-based device security. But for Samsung engineers, security is a passion bordering on obsession and we started to look at TEEs, and asked ourselves, “How can we make this even more secure?”
Introducing Samsung Knox Vault
It’s a fact that any CISO will accept: isolation increases security. TrustZone is mostly independent, but there remain overlaps and shared resources between the TrustZone and the Android OS. Critically, they share the main CPU and memory, which puts the onus on low-level software protections to keep information isolated. The more we separate sensitive data from the main OS, the more protected they will be in the event of a breach. After all, you are only as secure as your weakest link.
This is where Samsung Knox Vault comes in: a combination of security-specific hardware (a new secure processor and isolated secure memory) and new integrated software that shields your most secure data from the Android OS and applications.
The way I think of it, TrustZone was a great safe in the middle of your bank’s branch office. There are a lot of people you don’t necessarily trust walking by the safe, doing day-to-day work that doesn’t require physical access to the safe. The secure processor in Samsung Knox Vault is more like Fort Knox: a safe securely placed far away from the bank, isolated from whoever walks into the branch.
With Samsung Knox Vault, we have focused on designing a secure and highly protected place for our own trusted software. Its job is solely to manage and protect the most critical information: PINs, passwords, biometrics, digital certificates, cryptographic keys and other sensitive information.