Consumer electronics - opportunities in the face of troubling security road blocks - Embedded.com

Consumer electronics – opportunities in the face of troubling security road blocks

On the face of it, this year's Consumer Electronics Show, held in Las Vegas last week, continued to show the vitality and innovation that it always has, if a recent roundup of embedded news out of CES is any indication. On display was a range of new devices and new technologies, not only in traditional market segments such as televisions, smart phones, and automobiles, but in new wearable and consumer-oriented Internet of Things devices as well.

Included in this week's Tech Focus newsletter are articles and technical papers on some of the many embedded building blocks and tools upon which many of these consumer electronics marvels are based.

The projections released last week in the Consumer Electronics Association's semi-annual U.S. Consumer Electronics Sales and Forecasts industry report reflect the broad optimism of the players in this market. It projects that revenues for the consumer electronics (CE) industry worldwide will grow three percent in 2015 and reach an all-time high of $223.2 billion.

According to CEA President and CEO Gary Shapiro, the forecast covers more than 100 CE products and is based on estimates of U.S. factory sales to dealers. The 2015 forecast projects that revenue for new, emerging product categories will double, growing 108 percent year-over-year in 2015.

In addition to such categories as 3D printers and 4K Ultra-High Definition televisions, many of these new apps were various forms of connected apps such as internet-enabled thermostats, unmanned systems (unmanned aerial vehicles, unmanned vehicles, and home robots), IP cameras, and wearables such as health and fitness devices, smartwatches, and smart eyewear. While the emerging product categories represent less than five percent of the entire CE industry revenue forecast, they are expected to contribute almost $11 billion to overall CE revenue in 2015.

“In the blink of an eye, consumer demand has taken off for emerging categories such as wearables, unmanned aerial vehicles, and 4K Ultra HD,” said Shapiro, “categories that were too small to track just three years ago.”

But these projections are based on the assumption that consumers will be willing to spend their hard-earned money on the latest and greatest. However, according to a just-released study by International Data Corporation commissioned by Greenwave Systems, August, GK Digital Media, and NXP Semiconductors, that willingness depends not only on how useful the devices are to the average consumer, but also on how secure many of the network-connected consumer devices are. According to the report, nearly a quarter of American consumers would consider a smart home solution only if they could control it with their smartphone. At the same time, across age, gender, and income, 66 percent of the 1,005 US consumers interviewed expressed concern about privacy and security.

“Data security and identity protection are clearly top-of-mind for consumers looking at IoT products and services,” said Jack Ogawa, Sr. Director of Marketing for NXP Semiconductors. “The developing IoT industry has an opportunity to utilize state of the art software and semiconductor technology to set the standard for secure connections, both in the Cloud and in the connected IoT products themselves.”

With this wealth of opportunities comes a surfeit of security vulnerabilities that seem to be getting worse. According to a malware report from Alcatel-Lucent, as of 2013 more than 11.6 million mobile devices are infected worldwide, and 60% of them are Android smartphones. Even more concerning is that in 2013 alone, the number of Android malware samples collected for Alcatel's database ballooned by 20 times.

Making the situation even more dangerous for developers are the numbers and types of malware incidents. In a report out of North Carolina State University based on about 1,200 malware samples collected over a year, 1083 of them (or 86.0%) were repackaged versions of legitimate applications with malicious payloads. About one third (36.7%) of the collected malware samples leveraged root-level exploits to fully compromise Android security and more than 90% turned the compromised phones into botnets controlled through network or short messages.

More recent reports indicate the problems continue. A report by Sophos, a security software provider, concluded that Android is still the biggest target, and another security firm, F-Secure, reported that the number of mobile malware samples it collected grew from several hundred to more than 50,000 in just two years.

Although a lot of work has already been done to make those platforms and the apps that run on them more secure, it’s clear that if embedded and consumer IoT developers are going to incorporate Android further into their applications, much more work remains to be done. Illustrating the problems to be faced are:

Countermeasures for security vulnerabilities in Androids. Ipta Thakur and Shaily Jain of Chitkara University describe a permission-based security analysis technique that does a close inspection of the behavior of the Android operating system call invocations, including IPC and RPC interactions.

Two Vulnerabilities in Android OS Kernel, by Xiali Hei, Xiaojiang Du, and Shan Lin, Temple University. The authors reveal new security pitfalls in Android's memory management that can cause severe errors and system failures.

Security issues in the Android cross-layer architecture. Alessandro Armando, Alessio Merlo, and Luca Verderame look at the set of cross-layer security mechanisms that collectively constitute the Android Security Framework (ASF) and describe a vulnerability that allows a malicious application to force the system to fork an unbounded number of processes, thereby making the device unresponsive.

If viable security protections are not found, the problems Microsoft faced in the much smaller connected Windows-based desktop, laptop, and tablet market will pale in comparison to those facing Google, the makers of consumer IoT devices and the apps running on them – and ultimately the end user.

With desktop and laptop computing we are talking about several hundred million platforms. But with mobile devices we are talking about billions of devices. And with the market numbers that some analysts are talking about with relation to consumer and other Internet of Things, we are talking about possibly tens of billions of devices, at the very least.

To address this growing challenge, researchers continue to explore a variety of security strategies for mobile platforms. Some work focuses on the analysis, detection, and evaluation of malicious applications using static and dynamic analysis techniques, or both. Other work focuses on designs meant to improve data security—for example, controlling permission usage or isolating the execution environment. Several articles in a recent special issue of IEEE Computer are worth paying attention to if you are considering the use of Android in any connected consumer application.

In “RootGuard: Protecting Rooted Android Phones,” Yuru Shao, Xiapu Luo, and Chenxiong Qian propose a custom app to complement standard root-privilege management tools on the Android OS. They then explain how RootGuard intercepts system calls from processes started via a superuser and then applies several default or user-defined policies to them. Their tool—evaluated on realistic malware and handwritten demo exploits—is shown to provide a more secure environment for rooted devices.

In “Smart AppStore: Expanding the Frontiers of Smartphone Ecosystems,” Félix Gómez Mármol, Gregor Rozinaj, Sebastian Schumann, Ondrej Lábaj, and Juraj Kacur describe a device-agnostic approach by which apps on smartphones and other connected devices, such as smart TVs, can be both user friendly and hacker unfriendly through a combination of advanced security, biometric authentication, multilevel authorization, gesture navigation, application reputation scoring, and identity management.

In “Thwarting Obfuscated Malware via Differential Fault Analysis,” Guillermo Suarez-Tangil, Juan Tapiador, Flavio Lombardi, and Roberto Di Pietro propose a tool called Alterdroid that identifies obfuscated malicious components in an app package. It does this by first selecting the suspicious components using statistical analysis against predefined models. It then injects a fault into a randomly selected suspicious component and repackages the modified component with the original application.

The tool runs both the modified and original app in the Android containers and detects malicious behavior by comparing the execution traces using differential analysis. The approach is similar to fuzzing, but instead of manipulating program input, the authors manipulate the program directly to uncover malicious activity.
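The select, inject, and compare loop described above can be sketched in a few lines of Python. This is an added illustration, not Alterdroid's code: byte entropy stands in for the paper's statistical models, run_app is a toy substitute for executing the package in a container, every suspicious component is faulted in turn rather than one picked at random, and the component names, thresholds, and trace events are all constructed.

```python
import math
import random
from collections import Counter

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Assumed model: highest entropy expected for each declared component type.
MODEL_MAX_ENTROPY = {"text": 5.0, "icon": 6.0}

def suspicious(components):
    """Names of components whose entropy exceeds the model for their type."""
    return [name for name, (kind, data) in components.items()
            if entropy(data) > MODEL_MAX_ENTROPY[kind]]

def inject_fault(data: bytes, seed: int = 0) -> bytes:
    """Corrupt a component by XOR-ing every byte with a nonzero random mask."""
    rng = random.Random(seed)
    return bytes(b ^ rng.randrange(1, 256) for b in data)

def run_app(components):
    """Toy stand-in for running the package in a sandbox; returns its trace."""
    trace = ["ui.show_main", "file.read:help.txt"]
    decoded = bytes(b ^ 0x5A for b in components["logo.png"][1])
    if decoded.startswith(b"CMD:"):  # the "icon" hides an encoded command
        trace += ["net.connect", "sms.send"]
    return trace

def differential(components):
    """Map each suspicious component to the events lost when it is faulted."""
    baseline = run_app(components)
    findings = {}
    for name in suspicious(components):
        kind, data = components[name]
        mutated = {**components, name: (kind, inject_fault(data))}
        lost = [e for e in baseline if e not in run_app(mutated)]
        if lost:
            findings[name] = lost
    return findings

# Constructed sample package: a plain help file and an "icon" carrying a payload.
_rng = random.Random(1)
_payload = b"CMD:" + bytes(_rng.randrange(256) for _ in range(508))
SAMPLE = {
    "help.txt": ("text", b"Press the button to pair the thermostat. " * 20),
    "logo.png": ("icon", bytes(b ^ 0x5A for b in _payload)),
}
```

Calling differential(SAMPLE) reports that corrupting logo.png makes the network and SMS events disappear from the trace, which is the signal that the component was driving hidden behavior.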

Embedded.com Site Editor Bernard Cole is also editor of the twice-a-week Embedded.com newsletters as well as a partner in the TechRite Associates editorial services consultancy. If you want to see a calendar of topics for the weekly Tech Focus newsletter or have a topic you would like to see covered, he welcomes your feedback. Send an email to , or call 928-525-9087.

See more articles and columns like this one on Embedded.com. Sign up for subscriptions and newsletters. Copyright © 2015 UBM–All rights reserved.