Protecting sensitive personal data against mobile hacks

The amount of sensitive data on mobile devices is increasing as more people work remotely and use their devices for transactional purposes. Protecting the integrity of personal user data is paramount for both consumers and mobile device makers. Every network and device has numerous potential attack vectors that bad actors can use for access.

Ensuring a maximum level of security requires manufacturers and software developers to address a wide range of potential vulnerabilities, from operating systems to hardware components.

Gail-Joon “Daniel” Ahn, senior vice president of Samsung Electronics, discussed mobile device risk assessment and security during the annual Cyber Week program, a large annual international cybersecurity event hosted by Tel Aviv University in Israel.

Ahn, who is head of Samsung’s Mobile Communications Business security team, noted that a well-integrated mobile security strategy can help reduce exposure to vulnerabilities and adversarial forces looking to exploit points of weakness.

Proactively limiting attack vectors

Hackers are constantly looking for device vulnerabilities and the number and quality of attacks is on the rise, especially those targeting personal data and information. According to one recent report, more than one billion Android devices are at risk for malware attacks.

Loss of sensitive personal data can be both costly and inconvenient. In the U.S. alone, malicious cyber activity is estimated to cost more than $57 billion a year. What’s more, government regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy (CCPA) mean security breaches can result in exposure and liability.

As Ahn noted, both privacy and security need to be considered at every step in the development of a smartphone. “That sounds very simple, but it’s not,” he said. “We have to consider security and privacy requirements at all developmental phases, including design, installation, and even testing.”

Multiple encryption layers, as well as API protection, are part of an increasingly automated security process. Machine learning provides for more robust anomaly and vulnerability detection, and artificial intelligence (AI) can provide real-time analysis of data in order to identify potential threats at the network and device levels.

Starting with device-level safeguards

Good security starts by embedding safeguards into the core hardware and software architecture. Samsung, which is the world’s largest manufacturer of smartphones, has considerable expertise when it comes to device-level security.

Three foundational security features that are integrated into Samsung mobile devices are the hardware-level root of trust keys, run-time protection, and authentication protocols.

Safeguards that are hard-coded into the chipset are essential for ensuring foundational security, said Ahn. This requires root-of-trust protocols designed to secure the boot process on a device. Hardware-level authentication systems protect critical data and underlying code. Key components for root-of-trust in mobile devices include secure boot keys, rollback prevention fuses, warranty bits, and device root keys.

Building and maintaining trust is another key to foundational security in mobile devices. One example of a self-check protocol that Samsung builds into its devices. The system automatically verifies the integrity of booting components on start-up. Once the device boots up, run-time protection provides the first line of defense against code changes to the kernel and the operating system facilitates communication between the hardware and software running on a device.

Monitoring the OS ensures the integrity of the system and provides a way to make sure that critical data in the system partition has not been changed. Automated exploit mitigation can be used to identify unauthorized changes to the code on a mobile device and to block access to sensitive data.

Foundational security also requires multiple layers of authentication that prove trust, such as the use of encrypted keys and credentials – at both the operating system level and for installed apps. When hacking or unauthorized changes at the root level are detected, Samsung mobile devices do not restore the encryption key. That way, even if a bad actor has obtained the correct password, they cannot control the device.

Taking an integrated approach to security

Mobile security is an ongoing process of implementing rigorous risk assessment measures and developing proactive strategies to reduce potential vulnerabilities. Ahn said a holistic approach to monitoring is needed in order to protect inter-connected devices, systems, and services. Moreover, he said, “we need collective intelligence to monitor potential threats.

Ultimately, foundational security requires an integrated approach. “You have to build hardened software stacks so you can have multilayer security on top of the hardware root of trust,” said Ahn.

In addition to its own research and development efforts, Samsung selectively works with startups and other technology companies to improve the scope and performance of mobile security measures.

To help Samsung identify new automated security solutions for mobile devices, Samsung Next is constantly on the lookout for promising new mobile technology. As it relates to the work Ahn and his team are doing, that would include startups working on encryption, biometrics, automated vulnerability detection, and continuous multi-factor authentication (CMFA) solutions.

If your company is working on addressing some of those challenges, then I would love to hear from you. Please feel free to reach out to me at royi.benyossef@samsungnext.com.