Samsung Galaxy S8, its security and the CNI


14 February 2017

Yesterday, February 13th, a number of articles appeared in technology media, particularly mobile-phone sites (Xataka, Globbsecurity and Movilzona are the ones we consulted), describing the Samsung Galaxy S8 as the most secure phone according to the CNI.

Several people have informally asked us about this, so we have decided to write this article in order to clarify what actually happened.

First of all, it should be clarified that the CNI is in charge of IT security within the Spanish administration (Law 11/2002, May 5th). For this purpose, the National Cryptologic Centre, or CCN, was created within the CNI structure (RD 421/2004, March 12th).

Among the tasks performed by the CCN, we find the following:

  1. Draw up and distribute instructions, guides and recommendations to guarantee the security of information technologies and the administration’s communications, such as the CCN-STIC guides.
  2. Act as the Certification Organism for the national IT security evaluation and certification scheme, through which all kinds of products are certified following international standards such as Common Criteria (ISO/IEC 15408) and using specialised laboratories.
  3. Evaluate and accredit the ability of cryptographic products and IT systems that include cryptographic mechanisms to process, store and transmit information securely.

Furthermore, in 2015 the National Security Scheme (ENS) was completed. It obliges every entity of the Spanish administration (city councils, provincial councils, universities, etc.) to apply certain security policies when setting up its systems, in a similar way to international standards such as ISO 27001, and it assigns each administration a level (low, medium or high) according to how critical the information it handles is.

The ENS contains 75 security measures; among them, administrations at the high level (and in some cases the medium level) are required to use Certified Components ([OP.PL.5]):

Preference will be given to systems, products and equipment whose security functionality and levels have been evaluated in accordance with European or international standards and certified by independent and duly recognised entities.

That is to say, if an administration has to choose between two similar products, it should pick the one that has been certified.

This requirement to use certified products is not new: it was already present in article 18 of Royal Decree 3/2010 of January 8th, which regulates the National Security Scheme and which gives the Certification Organism the responsibility for defining the criteria that determine whether a product is considered certified, as listed above among the CCN’s responsibilities.

Summing up what we have seen so far: the Certification Organism, which belongs to the CCN, which in turn is part of the CNI, is responsible for deciding which products must be used within the administration in order to comply with the ENS, on the basis of international standards (Common Criteria).

It is also important to point out that, as a result of international agreements (CCRA), a product certified under Common Criteria is recognised worldwide, regardless of the certifying country.

As everyone knows, IT IS NOT POSSIBLE TO DETERMINE IF A PRODUCT IS SECURE. What can be said, with a certain degree of confidence, is that a product meets a given security specification.

For this reason, when a product is certified under the Common Criteria standard, the certification is carried out:

  • Against a document containing a specification of security requirements and a given usage environment: the Security Target (ST).
  • Against an assurance level, known as the Evaluation Assurance Level (EAL), which ranges from EAL1 to EAL7.

In general terms, the ENS establishes the guidelines for the acquisition of certified components (see CCN-STIC-813).

The main problem with this approach to acquiring products is that every administration would have to review every certified product in the world, together with its Security Target, to see which of them match the security requirements and functionality that the administration needs.

Many administrations around the world solve this problem by using Protection Profiles, which are essentially templates for a kind of product, to which a Security Target may declare conformance.

In Spain, however, in order to make this even easier for the administrations, the CCN decided to create two tools:

On the one hand, the TIC Security Products Catalogue (CPSTIC), in which administrations can look up, for each kind of product, which ones are recommended for use depending on their ENS category.

On the other hand, the taxonomy (guide CCN-STIC 140), which defines the product categories that appear in the CPSTIC, as well as which of the measures proposed by the ENS for an information system each category contributes to.

For each product family, the taxonomy provides an annex with the Security Functional Requirements that products of that family must meet; in many cases it refers to an equivalent Protection Profile, so that a product certified against that Profile can be included in the catalogue directly.

For a manufacturer’s product to be included in the catalogue (guide CCN-STIC 106), the manufacturer must submit a request to the CCN and the product must fall into one of the following scenarios:

  • If the product holds a Common Criteria certification and declares conformance to a Protection Profile recognised by the annex of the family it belongs to, it is added to the catalogue directly.
  • If the product holds a Common Criteria certification and does not declare conformance to a recognised PP but meets the Security Functional Requirements that the annex requires, it is added to the catalogue directly.
  • If the product does not hold a Common Criteria certification and, exceptionally, is considered of strategic interest for the administration in the absence of any other similar certified product, it may undergo a STIC evaluation against the Security Functional Requirements of the annex, performed by a laboratory authorised by the Certification Organism.

Returning to the Samsung phone: it falls within the “mobile devices” family of the taxonomy, so the requirements of Annex F.1 of the CCN-STIC-140 guide apply to it. That annex refers directly to the American Protection Profile “Mobile Device Fundamentals” in its versions 2.0, 3.0 and 3.1 and to the Spanish Protection Profile “Protection Profile for Trusted platform for secure communications”, demanding conformance to a PP with the same requirements or an assurance level of EAL2 or higher.

As of today, no product has been certified against the national protection profile. Nonetheless, if we search the website of the NIAP (National Information Assurance Partnership), the United States counterpart of the Spanish Certification Organism, we find the following among the products validated against the “Mobile Device Fundamentals” protection profiles:

[Figure: NIAP product listings for the Mobile Device Fundamentals Protection Profile, versions 2.0, 3.0 and 3.1]

As can be seen, the Samsung Galaxy devices comply with one of the Protection Profiles required by the CCN.

Looking at the ST, the specific models that were certified are the following; the first two match those qualified in the catalogue:

Given that the certification was also carried out in a country which is part of the Common Criteria Recognition Agreement (CCRA), Samsung’s certificates are also valid in Spain.

If we look at the product’s description in the CPSTIC catalogue (December 2017 edition), we observe that the qualified version coincides with the first two certified models of the ST shown in the previous image.

As part of a Common Criteria certification, it is essential to provide a guide for secure operation and configuration. Since the guides Samsung provided to the NIAP for the certification are, naturally, in English, the CCN, in collaboration with Samsung and with very good judgement, has translated and adapted them for the Spanish administration, publishing them as the Employment Procedure CCN-STIC-1601, Secure Configuration of the Samsung Galaxy S8.

This guide contains, among others, the following configuration requirements for following the CCN Recommended Configuration:

  • Existence of an MDM (Mobile Device Management) solution under the real control of the organisation where the phone is to be used (on-premise), with its VPN tunnels, directory and certificate services, security profile, etc.
  • Use of the TrustZone and Knox containers if segmentation is required
  • Use of Trusted Boot
  • Do not allow applications to be moved into the Knox container
  • Disable Google Play and Samsung Galaxy Apps, or only allow applications from a list defined by the MDM administrators
  • Prevent USB debugging and USB storage
  • Require internal storage encryption
  • Disable the SD card
  • Complex passwords of at least 8 characters, which must be changed every 90 days
  • Disable USB, Bluetooth and NFC unless there is a justified need
  • Client certificate authentication for email

The CCN Recommended Configuration is focused on corporate MDM environments, not on end users, and requires disabling a great deal of functionality that a normal user would find inconceivable.
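As an added example, not code from jtsec, Samsung or the CCN, the following Python script checks a device's reported settings against the requirements listed above and reports every deviation. The setting names, the DeviceState schema and the two sample device states are constructed for illustration and are not the guide's own format nor a real MDM export; the "justified need" exception for USB, Bluetooth and NFC is modelled as an explicit set of documented exceptions.

```python
"""Compliance check against the CCN-STIC-1601 requirements listed above.

Added example (not jtsec, Samsung or CCN code). The DeviceState fields and
the sample states below are constructed for illustration only.
"""
from dataclasses import dataclass

# Interfaces the guide says must be disabled unless there is a justified need.
INTERFACES = ("usb", "bluetooth", "nfc")


@dataclass(frozen=True)
class DeviceState:
    """Constructed snapshot of the settings an MDM would report for one device."""
    mdm_enrolled: bool
    mdm_on_premise: bool             # MDM under the organisation's real control
    segmentation_required: bool      # does this deployment need a Knox container?
    knox_container: bool
    trusted_boot: bool
    move_apps_to_container_allowed: bool
    public_app_stores_enabled: bool  # Google Play / Galaxy Apps
    app_allowlist_enforced: bool     # MDM-defined list of permitted apps
    usb_debugging: bool
    usb_storage: bool
    internal_encryption: bool
    sd_card_enabled: bool
    password_min_length: int
    password_max_age_days: int       # 0 means the password never expires
    usb_enabled: bool
    bluetooth_enabled: bool
    nfc_enabled: bool
    email_client_cert_auth: bool
    justified_interfaces: frozenset = frozenset()  # documented exceptions


def check_compliance(state: DeviceState) -> list:
    """Return the deviations from the CCN Recommended Configuration.

    An empty list means every listed requirement is satisfied.
    """
    findings = []
    if not (state.mdm_enrolled and state.mdm_on_premise):
        findings.append("device not managed by an on-premise MDM")
    if state.segmentation_required and not state.knox_container:
        findings.append("segmentation required but no Knox container in use")
    if not state.trusted_boot:
        findings.append("Trusted Boot disabled")
    if state.move_apps_to_container_allowed:
        findings.append("moving applications into the Knox container is allowed")
    if state.public_app_stores_enabled and not state.app_allowlist_enforced:
        findings.append("public app stores enabled without an MDM allowlist")
    if state.usb_debugging:
        findings.append("USB debugging enabled")
    if state.usb_storage:
        findings.append("USB storage enabled")
    if not state.internal_encryption:
        findings.append("internal storage not encrypted")
    if state.sd_card_enabled:
        findings.append("SD card enabled")
    if state.password_min_length < 8:
        findings.append(f"password minimum length {state.password_min_length} < 8")
    if not 0 < state.password_max_age_days <= 90:
        findings.append(f"password rotation of {state.password_max_age_days} days "
                        "is not within 1..90")
    for name in INTERFACES:
        if getattr(state, f"{name}_enabled") and name not in state.justified_interfaces:
            findings.append(f"{name} enabled without a justified need")
    if not state.email_client_cert_auth:
        findings.append("email not using client certificate authentication")
    return findings


# Constructed sample 1: a phone as a consumer would normally use it.
CONSUMER_DEFAULTS = DeviceState(
    mdm_enrolled=False, mdm_on_premise=False, segmentation_required=True,
    knox_container=False, trusted_boot=True, move_apps_to_container_allowed=True,
    public_app_stores_enabled=True, app_allowlist_enforced=False,
    usb_debugging=True, usb_storage=True, internal_encryption=True,
    sd_card_enabled=True, password_min_length=4, password_max_age_days=0,
    usb_enabled=True, bluetooth_enabled=True, nfc_enabled=True,
    email_client_cert_auth=False,
)

# Constructed sample 2: the same phone after applying the CCN configuration,
# with Bluetooth kept on under a documented justification.
CCN_HARDENED = DeviceState(
    mdm_enrolled=True, mdm_on_premise=True, segmentation_required=True,
    knox_container=True, trusted_boot=True, move_apps_to_container_allowed=False,
    public_app_stores_enabled=False, app_allowlist_enforced=True,
    usb_debugging=False, usb_storage=False, internal_encryption=True,
    sd_card_enabled=False, password_min_length=8, password_max_age_days=90,
    usb_enabled=False, bluetooth_enabled=True, nfc_enabled=False,
    email_client_cert_auth=True, justified_interfaces=frozenset({"bluetooth"}),
)

if __name__ == "__main__":
    for label, dev in (("consumer defaults", CONSUMER_DEFAULTS),
                       ("CCN hardened", CCN_HARDENED)):
        deviations = check_compliance(dev)
        print(f"{label}: {len(deviations)} deviation(s)")
        for item in deviations:
            print("  -", item)
```

Run against the consumer-default state the checker lists thirteen deviations, including the unmanaged MDM, the enabled USB debugging and the password policy; against the hardened state it lists none, because Bluetooth is recorded in the justified exceptions. In practice the DeviceState would be populated from whatever inventory the organisation's MDM exports.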

It is thus clear that, thanks to the CCN’s effort, the certification field is developing in Spain, providing the means for granting better security within the administration through the use of certified products.

Without doubt, Samsung has done a great job by certifying its product and providing the support needed to harden its phones securely.

The Samsung Galaxy S8 has been one of the first products to be added to the catalogue, but it won’t be the last. This CCN initiative will allow the administration to achieve stronger security in the acquisition of products.

For further information on the products catalogue or Common Criteria, do not hesitate to contact us at hello [at] jtsec.es

Javier Tallón / Technical Director

Expert consultant on the Common Criteria standard and other security assurance standards in the field of information technology (FIPS 140-2, ITSEC, ISO 27K1, SOC 2, ENS...). Javier has served as an evaluator in the Spanish CB for the country’s major evaluation labs. As a consultant, he has successfully accompanied national and international companies through several certification processes (up to EAL5+). His experience has led him to participate as a speaker at several conferences on computer security and certification (SuperSec, Cybercamp, Navaja Negra, International Common Criteria Conference, International Cryptographic Module Conference, EUCyberact Conference). He is also a cyber security lecturer, teaching Secure Software Engineering at the University of Granada, and is CISSP (Certified Information Systems Security Professional) and OSCP/OSCE (Offensive Security Certified Professional & Certified Expert) certified.

In 2015 he began to lay the foundations of what would become jtsec. He currently works as Technical Director of the evaluation lab and Chief Operations Officer (COO) of the Granada site, from where the company carries out most of its work. A recognised expert in various disciplines of cybersecurity (reversing, exploiting, web, ...), he assumes the technical direction of most projects, directing and organising the work of the team. He also leads the Research and Development area, encouraging the participation of the jtsec team in multiple conferences.

