https://doi.org/10.1016/j.diin.2018.01.008
https://www.sciencedirect.com/science/article/pii/S1742287618300409

Forensics acquisition: Analysis and circumvention of samsung secure boot enforced common criteria mode
Gunnar Alendal, Geir Olav Dyrkolbotn, StefanAxelssonab

The acquisition of data from mobile phones have been a mainstay of criminal digital forensics for a number of years now. However, this forensic acquisition is getting more and more difficult with the increasing security level and complexity of mobile phones (and other embedded devices). In addition, it is often difficult or impossible to get access to design specifications, documentation and source code. As a result, the forensic acquisition methods are also increasing in complexity, requiring an ever deeper understanding of the underlying technology and its security mechanisms. Forensic acquisition techniques are turning to more offensive solutions to bypass security mechanisms, through security vulnerabilities. Common Criteria mode is a security feature that increases the security level of Samsung devices, and thus make forensic acquisition more difficult for law enforcement. With no access to design documents or source code, we have reverse engineered how the Common Criteria mode is actually implemented and protected by Samsung’s secure bootloader. We present how this security mode is enforced, security vulnerabilities therein, and how the discovered security vulnerabilities can be used to circumvent Common Criteria mode for further forensic acquisition.

Starting From Scratch: Trusted Root in Samsung Mobile Devices
Jan 26, 2018 by Joel Snyder

Android’s decoupling of the hardware and operating system brings benefits to IT: It allows application and hardware vendors to compete on innovation, features, form factor, price and security. Samsung Knox is an example of the latter: A combination of hardware features and software enhancements to Android that increase mobile security. Not every Android phone is designed for the enterprise market. Vendors such as Samsung have evaluated the higher security requirements of enterprise customers and have responded by releasing trusted platforms: Devices with built-in hardware that establishes the integrity and identity of the platform and ensures only trusted software is loaded. With a trusted platform, bootkit and rootkit attacks by malware and curious end users are generally blocked. Additionally, data encryption is more difficult to subvert because keys are not software accessible. Today’s technology comes from the Trusted Computing Group (TCG) which publishes the Trusted Platform Module (TPM). TCG started in 2003, defining what a trusted platform would look like, and how it might be implemented and standardized. A TPM is a computer-within-a-computer, completely shielded from the main CPU. Software, whether friendly or unfriendly, can’t reach into the memory or storage of the TPM directly. In larger devices, such as laptops and desktops, the TPM is usually a separate chip.[…]

https://insights.samsung.com/2018/01/26/starting-from-scratch-trusted-root-in-samsung-mobile-devices/