Company also tries to salvage struggling KNOX effort after security breach

At an investor forum in Hong Kong, China this week, Samsung Electronics Co., Ltd. (KRX:005930) (KRX:005935) senior vice president Rhee In-jong stated that his company is looking at biometrics as a major focal point in its campaign to differentiate its smartphones.

He commented:

We’re looking at  various types of biometric [mechanisms] and one of things that everybody is looking at is iris detection.  We, as a market leader, are following the market trend.

I. Biometrics == Big Business for Smartphone Makers

Biometrics is a broad term for technology used to establish a person's identity.  Commonly used techniques include:
  • fingerprint scanners
  • iris scanners
  • facial recognition
Laptops and desktop computers equipped with webcams have been using facial recognition to provide users with a semi-secure log-in for nearly a decade now.  

Android operating system (OS) developer Google Inc. (GOOG) included the feature beginning with Android v4.0 "Ice Cream Sandwich".  Google's technology is based on research from Carnegie Mellon University (CMU) and the CMU spinoff, PittPatt, which was scooped up by Google in June 2011.

Ice Cream Sandwich Face Unlock

Samsung was actually one of the first companies to make a big deal out of this feature, highlighting it in marketing for the Galaxy Nexus and the Galaxy S4, last year's flagship smartphone.

While facial recognition unlock has been slowly maturing, the hottest trend is perhaps fingerprint sensors.  Motorola Mobility made headlines back in Jan. 2011 launching the Atrix 4G, a smartphone that packed one of the first sophisticated fingerprint-scanner log-in/unlock mechanisms.  

Atrix 4G
The Motorola Atrix 4G's fingerprint scanner/power button combo
[Image Source: Team Innov8 Blog]

This Android smartphone would be followed two years later by Apple, Inc.'s (AAPL) iPhone 5S (Sept. 2013) and HTC Corp.'s (TPE:2498) One Max (Oct. 2013).

Apple called its technology "Touch ID" and it was developed by Authentec, which Apple acquired for $356M USD in 2012.  The Apple scanner uses a 500 ppi (pixels-per-inch), 170 µm thick capacitive touch sensor to visualize the user's fingerprint.  

Apple iPhone 5S fingerprint
Touch ID on the iPhone 5S

The sensor reads sub-epidermal skin layers and the firmware supporting it features learning algorithms for better scans and security.  A steel ring acts as a crude heat sensor for the Apple sensor, making sure it is an actual fingerprint.  The scan data is stored locally in a secure cache on Apple's A7 system-on-a-chip, which Apple claims prevents spying on its users.

By contrast, the HTC One Max uses a similar third-party sensor made by Synaptics Inc. (SYNA).  

HTC One Max
Touch Unlock on the HTC One Max

Like Touch ID, there's an apparent steel ring, which triggers a scan by a capacitive touch sensor.  Finer technical details of that mass market sensor are not known, but reports indicate that it too had self-learning capabilities.  Reportedly it had a worse recognition rate than Touch ID initially, but eventually reached a passable rate of around 90 percent recognition success, according to reviewers.

II. GS5's Fingerprint Sensor Sees Security Headaches

Samsung was somewhat of a latecomer to the fingerprint sensor party, but it joined its fellow Android OEMs this year with the launch of the Galaxy S5 (GS5) flagship smartphone, which featured a swipe-style fingerprint sensor.

Samsung GS5

The GS5 looked to push things a step further, offering a unique SDK that allowed the fingerprint scanner to be used as a password-like confirmation for in-app purchases in third-party apps.  eBay, Inc. (EBAY) payment services firm Paypal was the first major partner for the feature, debuting a fingerprint-protected billing app at launch.

Samsung wants to roll out biometrics such as facial recognition and fingerprint scanners across its entire smartphone line, even on the low-end.  If it can do that, it could perhaps give a strong selling point, particularly on the budget side.

One ongoing concern is that most forms of biometric sensors are vulnerable to fake objects made to resemble humans.  Photographs have been able to dupe a number of facial recognition algorithms.  Likewise hackers used fake fingers to gain unauthorized access to the iPhone 5S last year, in a controlled experiment.  The fingers were formed based on fingerprints lifted off glass.  The hack led to Apple facing some tough questions.

Samsung's Galaxy S5 was the subject of a similar study earlier this year.  And it too proved vulnerable to fake fingers.  

Security researchers with Germany's Security Research Labs, who successfully unlocked GS5s with fake fingers, complained that the security flaw could be more damaging given the access to Paypal and other billable accounts.

However, there have been no reported instances to date of iPhones, HTC One Maxes, or Galaxy S5 smartphones being actively exploited in the wild using the hack.  One reason why is the complexity.  While an expert on fingerprint sensors might be able to perform the hack with relative ease, most hackers lack the sophistication to make the detailed latex finger replicas needed for the exploit.

Further, Samsung, Apple, and others have raised the general argument that without biometrics many customers simply use no password or code lock at all.  Their argument boils down to this: biometric unlocks -- while perhaps flawed -- are better than no security at all.

No smartphone maker has a mass-market iris scanner, yet.  Samsung was rumored to launch that technology with the GS5, but instead went with the safer fingerprint sensor option.

III. KNOX Struggles, Has Less Than 2 Million Enterprise Clients

Samsung is currently the world's largest smartphone maker, selling an estimated 90 million smartphones in Q1 2014.  Sales of the Galaxy S5 in Q2 2014 have reportedly been brisk, thus far, compared to the more sluggish sales of last generation's Galaxy S4.

Overall, though, Samsung is still struggling to recapture the wild growth it saw in 2011 and 2012 in the smartphone space.  One area where Samsung is struggling is the enterprise space.

At the investor summit Samsung disclosed that to date there are 87 million devices in the wild which are compatible with Samsung's KNOX.  First announced at Mobile World Congress 2013, KNOX was supposed to be the crux of the Samsung Approved For Enterprise (SAFE) project.  Samsung was hoping to capture the majority of customers departing from wounded Canadian enterprise smartphone maker BlackBerry, Ltd. (TSE:BB) whose "Balance" solution remains widely used within many organizations.

BlackBerry Balance Q10
BlackBerry Balance is the chief tightly integrated competitor to Samsung's KNOX.

In April 2013, when it announced the GS4, it suggested KNOX would be offered onboard.  But at launch the secure build of Android was not yet available.  The Samsung Galaxy Note 3, launched in Sept. 2013, finally brought the secure Android OS to market after nearly a year of delays.

Samsung followed up with the Android v4.3 "Gingerbread" Samsung Premium Suite Upgrade, which was delivered for the GS3, GS4, and Galaxy Note II late in Nov. 2013.  More devices were upgraded to that package early this year, raising the list of compatible KNOX devices.

Samsung Knox
Samsung Knox became widely available late last year.

Given the late September launch, you can quickly ascertain that the OS has been on the market for less than 9 months.  In that regard, 87 million units sounds like a pretty competitive total.  But according to Mr. In-jong only 1.8 million of the devices are actively using KNOX.  While he would not disclose who the early adopters were or what their numbers were, he did say that banks, healthcare and financial companies were among those leading pickup at present.

IV. Flaw in KNOX Nearly Handed Keys to the Kingdom, Patch Lands

The slow adoption is partly Samsung's fault, perhaps due to poor marketing and inconsistent updates.  Some Galaxy S3s and S4s in the wild remain incompatible as carriers have yet to deliver Samsung's upgrade package to customers.

Samsung has also suffered security concerns.  Ben-Gurion University's Cyber Security Lab in Israel publicized a potential security flaw in KNOX in Dec. 2013.  The researcher who discovered that flaw -- Mordechai Guri, a Ph.D student in the lab of Professor Yuval Elovici -- reportedly stumbled across the flaw while doing general tests of the operating system.  Dudu Mimran, the lab's CTO, commented:

The new unveiled vulnerability presents a serious threat to all users of phones based on this architecture, such as users [of the GS4].

Samsung acknowledged the vulnerability, but said that it might have been mitigated by bundled software that typically was given to SAFE enterprise clients.  However, it also said that "security patches are being rolled out for all vulnerable models", noting that the flaw was a bona fide "threat to the integrity of Knox-enabled devices."

Samsung KNOX apps
A flaw allowed apps to escape their sandbox in Samsung KNOX.  The flaw has since been patched.

The flaw allowed everyday apps, such as games or productivity software, to escalate their privileges and escape the sandbox for private work, snooping on the business sandbox.

The Defense Information Systems Agency (DISA) and the National Security Agency (NSA) had purchased at the time 500 GS4s to test across the Pentagon and various intelligence agencies.

If Samsung can convince critics that it is secure and an attractive exit route for BlackBerry, it still has a tremendous opportunity.  After all, only BlackBerry Balance and Samsung KNOX offer tightly integrated side-by-side secure work and play sandboxes for bring-your-own-device (BYOD) smartphone users.  Samsung claims its KNOX is secure enough even for high-pressure settings such as military or intelligence clients.

Samsung KNOX on GS5
Samsung hopes the popularity of the Galaxy S5 will stoke KNOX adoption.

A number of third party apps and services, of course, offer similar features across a number of common smartphone platforms.  But BlackBerry and Samsung remain the most tightly integrated examples of side-by-side sandboxes for BYOD devices.

Samsung must also act fast to try to win customers.  Apple -- which has seen strong enterprise interest despite lacking that kind of side-by-side environment -- has been rumored to be preparing similar features for iOS 8, which will ship with the iPhone 6 later this year.

Source: WSJ

Copyright 2016 DailyTech LLC.