How the “two-man rule” elevates mobile security
You may be familiar with the “two-man rule” from the movies. Used as a control mechanism for critical actions like launching a nuclear weapon, the two-man rule requires two authorized individuals to independently initiate the action, such as by simultaneously turning keys in two separate locks within a control center. This creates an extremely difficult set of hurdles for would-be attackers, as multiple layers of protection must be overcome, requiring collaboration and coordination between two separate individuals, both of whom need simultaneous access to the physical system being attacked.
Just as the two-man rule exponentially elevates physical security, a similar approach can do the same for mobile security. With key security functions architected across two, independent, hardware-based systems, one on the commercial mobile device and one off, a nation-state attacker would need to both gain access to the phone via spyware or similar advanced attack and then independently compromise the second system, exponentially increasing the difficulty level.
This powerful model for mobile security drives the new hardware-to-hardware integration between the Privoro SafeCase and Samsung Galaxy phones, with SafeCase providing trusted control over the paired phone’s cellular radio (control over additional radios and sensors will be made available later this year), as well as phone-independent microphone and camera protections.
Without the SafeCase-Galaxy solution, a threat actor who has compromised the phone’s operating system (OS) has full control over the device’s hardware components, overriding the user’s selections within OS controls or the organization’s endpoint protection policies enforced via mobile device management (MDM) software. Crucially, the device’s cameras and microphones can be hijacked to look in on and listen to a targeted individual’s environment, while the wireless radios can be leveraged for data exfiltration.
With the SafeCase-Galaxy solution, a threat actor who has successfully compromised the OS doesn’t have any visibility into or control over the protections provided by the other systems, which are required to perform active espionage.
One of these systems, Samsung’s Hardware Device Manager (HDM), is on the device but “under” the OS (i.e., with a higher privilege level than the OS). The other system, Privoro’s SafeCase, is outside the device entirely. In effect, there isn’t a feasible way to punch from the compromised OS down to HDM or out to SafeCase. This means that an attacker looking to perform active espionage would need to independently compromise both HDM and SafeCase. And because there are two separate hardware manufacturers involved, there is no overlap between codebases or system architectures, meaning a single exploit wouldn’t compromise both systems.
In effect, a SafeCase-Galaxy user can be certain that their phone’s radio and sensor hardware are truly disabled, even if the device is invisibly infected with nation-state spyware.
This two-system approach represents a sea change for targeted mobile users, including those within the Federal government. By greatly limiting the ability of attackers to gather high-value information through the devices at the center of their lives, these users – and the organizations they work for – have a newfound confidence borne of control.
And as this approach matures and gains traction, even more security functions can be kept out of reach of attackers. We will continue to drive innovation in this space to enable secure mobile use for the most targeted and discerning of customers. I look forward to sharing more developments down the road on two-system, hardware-based mobile security.
If you’d like to dig deeper into this approach, take a look at our latest white paper.