Hardware Device Manager

Last updated March 7th, 2025

This feature is only available on managed devices, and requires the use of an EMM or UEM.

The Challenge

Peripheral hardware devices, such as cameras, microphones, modems, USB, GPS, and Bluetooth and Wi-Fi devices, are an increasingly significant privacy and security attack surface on mobile devices. While such peripherals allow rich user interaction with the environment and offer unique experiences on mobile phones, they also expose a wide attack surface that attackers can abuse to compromise privacy and security.

For example, a malicious insider could use the camera, mic, and GPS in the background to spy on meetings or to photograph sensitive data in controlled physical environments, and exfiltrate data through the cellular modem. Such concerns have unfortunately resulted in mobile phones being disallowed in classified and secure locations, especially in government settings, and have raised security concerns around their use by journalists and leaders who are potential targets of surveillance.

While Android has permission controls for apps to access peripherals, and even allows disabling access to certain peripherals altogether, these controls can be bypassed by stealthy spyware that compromises the Android framework or the Linux kernel.

For example, the Pegasus spyware used a rooting exploit to escalate privileges to the Android operating system (OS) and bypassed Android’s access controls to surveil live audio and covertly capture camera images. As another example, researchers demonstrated how an Android permissions bypass vulnerability allowed an app to access camera, microphone, and GPS data without having permission to do so.

The Solution

Hardware Device Manager (HDM) is a Samsung-exclusive security layer that provides an enterprise with high-assurance peripheral device controls that hold even if the OS is compromised and that persist across factory resets. HDM leverages Arm hardware virtualization to interpose on peripheral access and allows or denies access according to enterprise policy.

HDM mediates all accesses to peripherals even if an attacker bypasses Android OS access controls. Access is enforced based on an enterprise policy stored in tamper-resistant secure storage that persists even across factory resets.

This policy specifies whether specific peripherals should be enabled or disabled, and whether to trigger automatic physical lockout of peripherals upon detection of device rooting or compromise. This includes access control to physical sensors (cameras and microphones), communication chips (cellular modem, Wi-Fi, Bluetooth and NFC), and other peripherals (USB, speaker and GPS).

HDM achieves strong guarantees using a unique combination of techniques:

  • Controls are enabled before any potentially untrusted code can run: HDM starts before the OS as part of Knox’s hardware-rooted trusted boot process, which is the chain of trust that begins when the phone is powered on and ensures that each component is cryptographically validated before being loaded.

  • Complete protection even in the face of OS compromise: HDM runs at a higher privilege than the OS by leveraging Arm’s hardware virtualization extensions, and therefore mediates and controls all access to peripherals even if the Android framework and OS are completely compromised by malware.

  • Tamper-resistant and persistent policy across factory resets: HDM stores its enterprise policy in secure storage on the device that is protected from tampering and is preserved across factory resets and flashing. Even if the secure storage itself is broken by hardware attacks, HDM can apply a default protection policy.

  • Policy updates are cryptographically protected: HDM uses cryptographic signatures and mutual authentication for policy updates. A trusted HDM server generates and signs the enterprise policy, which is verified by HDM on-device. In turn, HDM uses its own unique, hardware-backed key to prove its identity to the server and to cryptographically prove the hardware policy was successfully loaded.
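The policy handling described above (verify the server's signature before applying a policy, fall back to a default policy when no valid one is available, and lock out peripherals on compromise) can be modelled as follows. This is an added example, not Samsung's code: the JSON policy layout, the contents of `DefaultPolicy`, the Ed25519 scheme and all function names are assumptions, and the device-to-server proof of load is not modelled.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// Policy is a hypothetical layout; the page does not publish HDM's real format.
type Policy struct {
	Disabled map[string]bool `json:"disabled"`
	Lockout  bool            `json:"lockout_on_compromise"`
}

// DefaultPolicy contents are an assumption: sensors off, lockout on.
var DefaultPolicy = Policy{map[string]bool{"camera": true, "microphone": true}, true}

// Keys derives a constructed demo key pair; real HDM keys are hardware-backed.
func Keys(seed byte) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{seed}, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignPolicy is the server side: it signs the exact policy bytes.
func SignPolicy(priv ed25519.PrivateKey, blob []byte) []byte { return ed25519.Sign(priv, blob) }

// Load verifies the signature before parsing; any failure yields DefaultPolicy.
func Load(serverPub ed25519.PublicKey, blob, sig []byte) (Policy, bool) {
	var p Policy
	if !ed25519.Verify(serverPub, blob, sig) || json.Unmarshal(blob, &p) != nil {
		return DefaultPolicy, false
	}
	return p, true
}

// Allowed decides one access: compromise lockout wins, then the per-peripheral switch.
func Allowed(p Policy, dev string, compromised bool) bool {
	return !(compromised && p.Lockout) && !p.Disabled[dev]
}

func main() {
	pub, priv := Keys(1)
	blob := []byte(`{"disabled":{"wifi":true},"lockout_on_compromise":true}`) // constructed sample
	p, ok := Load(pub, blob, SignPolicy(priv, blob))
	fmt.Println(ok, Allowed(p, "wifi", false), Allowed(p, "camera", true))
}
```

The signature is checked over the raw bytes before any parsing, so a tampered or wrongly signed policy is never interpreted and the device ends up on the restrictive default rather than on attacker-chosen settings.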

Use cases

HDM enables several use cases in a flexible and secure manner.

Fixed hardware peripheral customization

To avoid being detected or having their position compromised during military operations, operatives often require guaranteed disablement of certain radio services such as GPS, microphone, and Wi-Fi. Using HDM to disable these subsystems on the device before troop or device deployment provides high assurance that these services cannot be activated in the field.

Dynamic context-based peripheral access

To maintain integrity and protect against theft of sensitive information or intellectual property, organizations restrict the usage of mobile devices in secure campuses or locations. HDM can be used to disable camera and microphone subsystems on the mobile device before entering these areas. The hardware could be disabled automatically using external triggers or by tapping the device at an entry gate.

As another example, when a need arises to discuss confidential matters, mobile device users need to be able to quickly and securely restrict access to microphone and camera hardware. An on-device HDM service can be used to enable or disable the hardware subsystems, ensuring the utmost secrecy is maintained. This can be thought of as a flexible privacy sticker that also covers multiple peripherals where a sticker cannot be used.

Zero Trust and damage containment

A core principle of Zero Trust is “assume breach”, where enterprises have to anticipate that attackers can successfully compromise a system, and take measures to contain the breach. To meet these ambitious goals for realizing Zero Trust, enterprises require new endpoint capabilities for limiting damage and data loss in the event that a device compromise is detected. HDM enables robust disabling of peripherals such as Wi-Fi and cellular modem to prevent enterprise data exfiltration once a compromise is detected.
