Samsung, please consider restricting the USB-C port functionality at the firmware level If user has not authenticated in say 12h if phone is in AFU state, the state phone is most vulnerable to attempts to extract encryption keys to decrypt data. Public hacking companies are increasingly becoming more successful in breaking into phones that way and the technology is not exclusive to police, it's sold to private companies and God knows who else from there.
I'm pretty sure it already does. The phone won't accept usb connections unless the device is unlocked and the trust device button is pressed. The lockout period is 24 hours without a successful unlock. And there's an option in security to add a lockdown option to the power menu which disables biometrics and notifications. Last but certainly not least Secure Boot which is disabled by default is Full Disk Encryption.
If the USB-C is active one can still attempt to exploit the port to inject malicious code, if disabled at the firmware level port does not function at all till the user authenticates in AFU mode, if in BFU then device is in complete protection so it's way more difficult to attack the device since no encryption keys are loaded yet. At that point only attack is brute-forcing device assuming you can bypass locked bootloader to get passed the monitor of failed authentication tries or the brute-forcing countermeasures.
Thank you very much for your suggestion. Your suggestion has been communicated to the developer and the development project manager is reviewing the content. After reviewing your suggestions, we will apply them to the official version if your proposal matches our concept. We appreciate your contribution to the beta program.
Please note though as disabling USB C Port completely would cause issue if some tries to charge device after a long idle time and would need some evaluation on our part.
Completely understandable. Knox team should consider USB-C restriction under certain circumstances, mainly when device is hot, or in AFU state and user hasn't authenticated in a certain period of time, consitent when the device is lost or seized. If the security processor or a protocol is to monitor the USB-C port and force restriction to incoming data packets or code then it will thwart or further strengthen Knox security and overall security of said device, especially premium, flagship devices. If you build a virtually impenetrable building like Fort Knox and put a basic lock on the front door, so much for everything else, the USB-C port can be seen as that weak, basic lock to hackers.
