Original topic:

Knox improvement

(Topic created: 09-28-2021 12:33 PM)
BobbyCarra
Galaxy
Suggestions
Samsung, please consider restricting the USB-C port functionality at the firmware level if the user has not authenticated in, say, 12h and the phone is in AFU state, the state in which the phone is most vulnerable to attempts to extract encryption keys to decrypt data. Public hacking companies are becoming increasingly successful in breaking into phones that way, and the technology is not exclusive to police; it's sold to private companies and God knows who else from there.
4 Replies
GalaxySizedRod
Cosmic Ray
I'm pretty sure it already does. The phone won't accept USB connections unless the device is unlocked and the trust device button is pressed. The lockout period is 24 hours without a successful unlock. And there's an option in security to add a lockdown option to the power menu, which disables biometrics and notifications. Last but certainly not least, Secure Boot, which is disabled by default, is Full Disk Encryption.
0 Likes
BobbyCarra
Galaxy
If the USB-C is active, one can still attempt to exploit the port to inject malicious code. If disabled at the firmware level, the port does not function at all till the user authenticates in AFU mode. If in BFU, then the device is in complete protection, so it's way more difficult to attack the device since no encryption keys are loaded yet. At that point the only attack is brute-forcing the device, assuming you can bypass the locked bootloader to get past the monitor of failed authentication tries or the brute-forcing countermeasures.
USBetaModerator
Beta Moderator

Hello @BobbyCarra ,

Thank you very much for your suggestion. Your suggestion has been communicated to the developer and the development project manager is reviewing the content. After reviewing your suggestions, we will apply them to the official version if your proposal matches our concept. We appreciate your contribution to the beta program.

Please note, though, that disabling the USB-C port completely would cause issues if someone tries to charge the device after a long idle time, and it would need some evaluation on our part.

Regards,
One UI Beta Team

BobbyCarra
Galaxy
Completely understandable. The Knox team should consider USB-C restriction under certain circumstances, mainly when the device is hot, or in AFU state and the user hasn't authenticated in a certain period of time, consistent with when the device is lost or seized. If the security processor or a protocol is to monitor the USB-C port and force restriction to incoming data packets or code, then it will thwart or further strengthen Knox security and overall security of said device, especially premium, flagship devices. If you build a virtually impenetrable building like Fort Knox and put a basic lock on the front door, so much for everything else; the USB-C port can be seen as that weak, basic lock to hackers.