Q: Please briefly introduce yourself, Samsung R&D Institute Ukraine, and the kind of work that goes on there. What projects are you currently working on?

I am Oleksii Mokhonko, Head of the Security Team at Samsung R&D Institute Ukraine (SRUKR). I joined Samsung in 2010, and since then, my whole career has been bound to the security of Samsung products. Now, my role is security research and development (R&D) coordination in four major areas: platform security development, certification, preventive services, and cutting-edge research.

SRUKR has operated in Kyiv since 2009. Our focus domains are artificial intelligence (AI), augmented reality (AR) / virtual reality (VR) and security. In the security field especially, we have contributed systems hardening components, attack detection features, certification and threat research services, online solutions for global threat monitoring, as well as several privacy features to protect our customers and meet a wide range of needs of Samsung products. Also, throughout the years, we have built a rich core tech portfolio, strong team and partnership relations with Samsung Research, mobile, and TV business units.

Our security team strives to provide a robust security baseline for our consumer electronics and online services. Also, we create product differentiation through various outstanding security features. Most of the recent deliverables include the technologies for continuous authentication in the Advanced Access Control suite of Knox SDK v3.8, PC-on-TV solution for Smart TV, system integrity, and zero-day protection on mobile phones. Various platform hardening components containing our R&D contributions can actually be found in every phone and TV. In addition, we are deeply involved in security certification works.

Q: Please tell me about the importance of your research field or technology.

Information security is very important for regular users because of privacy. Our entire lives, including daily communication, finance, and contacts, seem to be inside of our phones. We naturally expect to have safe defaults and stay in control of our data. Recent privacy-related legislation changes, AI regulations (such as the face recognition ban), and high fines indicate how society is actually concerned with privacy. This allows us to make privacy features to be different from Samsung products. Throughout the years, our team has been running various projects related to privacy-preserving biometrics, AI-based anomaly detection, private object detection, threat monitoring, data leak prevention, and data anonymization.

Privacy precondition is strong security. Public disclosure of security issues may have reputational risks, cause expensive last-minute software (SW) / hardware (HW) bug fixes, or even withdraw products from the market. And that’s another reason why security is important to the business. At SRUKR, we strive to be ahead of threats by performing emerging threat research. A lot of efforts are dedicated to security automation. Finally, the whole process is very important; considering security at every step of a product’s life cycle gives strong default baseline.

Also, there are cases where security is the business enabler or has a direct impact on sales. Independent security reviews are one example, such as the one from Consumer Reports. Compliance is another example: to sell phones to the US government, our products must pass a number of certifications. SRUKR has been involved in over 25 Common Criteria Mobile Device Fundamentals Protection Profile (MDFPP) certifications of Samsung mobile phones, including the world’s first MDFPP v1.0 in 2014 and the world’s first MDFPP v3.2 in 2022. Our team has also been a major contributor to Federal Information Processing Standards (FIPS) 140-2 cryptographic certification, with 27 certifications done in total since 2016. We are currently preparing the most recent FIPS 140-3 certification.

Q: Can you tell us about the main achievement and most rewarding moment in your research?

Starting with software protection tools, our team has expanded the mobile and TV product/service assessment area, cooperated with Samsung Research for security governance, privacy, and preventive threat analytics, and then launched security certification and operating system (OS) security solutions development. Our team has been working with biometrics a lot, including authentication and biometric cryptosystems. One of the technologies we have developed is privacy-preserving biometrics for face modality. We strive to improve upon the Security versus Usability trade-off; it would be best if a user would have to do nothing to the phone for it to know that the legitimate owner is now holding it. In general, the user already provides a lot of data, such as his/her palms/fingerprints, voice, face, iris use / swipe / typing pattern, and heartbeat, to be somehow recognized without passwords. Some on-device use cases are well-known, such as unlocking a phone using a fingerprint or with face recognition. A new class of use cases might become possible if a user could register biometrics on one device and then use them on another. The following technical challenges make it possible. To allow the same person to be able to interact with two devices, a hint must be shared. There must be no privacy issue if this hint is stolen or modified.

Furthermore, it must be possible to update this hint regularly. There are also natural constraints that limit the use of biometrics as a source of a cryptographic key; human biometrics change over time (e.g., because of aging) and have limited entropy.

Technology is required to remedy these challenges. It might enable a whole class of new market use cases where biometrics is used as a key, while there is no risk if the involved data is compromised. I think this is the most interesting and mathematically rich thing that our team has developed recently.

Q: What is your vision for the future, and what goal would you want to achieve?

Ultimate big goal is our end users' trust. So that they may buy our products because they are sure that their life, money, and activities will stay private. We strive to set product differentiation by security features that address immediate user needs, enable a new capability, or create a business opportunity.

There are also trends such as significant cost drop for HW attacks or applying AI for attacks that make sophisticated protection necessary. In preparation for this, we systematically invest in people, equipment, and the ecosystem to enhance our capability to stay on level with threats and to provide cutting-edge security solutions. To be more specific, these days, we are enriching our hardware assessment services, expanding security certification coverage, strengthening our platform security portfolio, and developing our abilities to deliver outstanding AI-based security technologies.