Assess and Mitigate Vulnerabilities in Embedded Devices

By Lawrence C. Miller, Peter H. Gregory

Embedded devices encompass the wide variety of systems and devices that are Internet connected. Mainly, we’re talking about devices that people do not interact with the way they interact with a computer, through a keyboard and display. Examples of such devices include

  • Automobiles and other vehicles.
  • Home appliances, such as clothes washers and dryers, ranges and ovens, refrigerators, thermostats, televisions, video games, video surveillance systems, and home automation systems.
  • Medical care devices, such as IV infusion pumps and patient monitoring.
  • Heating, ventilation, and air conditioning (HVAC) systems.
  • Commercial video surveillance and key card systems.
  • Automated payment kiosks, fuel pumps, and automated teller machines (ATMs).
  • Network devices such as routers, switches, modems, firewalls, and so on.

These devices often run embedded systems: specialized operating systems designed for devices that lack the keyboard and display a person would use to interact with a computer. Under the hood, such an operating system is still very similar to the one found on endpoints like laptops and mobile devices, and it carries the same kinds of software defects.

Some of the design defects in this class of device include

  • Lack of a security patching mechanism. Most of these devices utterly lack any means for remediating security defects that are found after manufacture.
  • Lack of anti-malware mechanisms. Most of these devices have no built-in defenses at all. They’re completely defenseless against attack by an intruder.
  • Lack of robust authentication. Many of these devices have simple, easily guessed default login credentials that cannot be changed (or, at best, are rarely changed by their owners).
  • Lack of monitoring capabilities. Many of these devices lack any means for sending security and event alerts.

Because the majority of these devices cannot be altered, mitigation of these defects typically involves isolating them on separate, heavily guarded networks that have tools in place to detect and block attacks: the device segment gets a default-deny policy, only the flows the devices need are permitted, and everything else is logged and alerted on.

Many manufacturers of embedded, network-enabled devices do not permit customers to alter their configuration or apply security settings. This compels organizations to place these devices on separate, guarded networks.
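The following is an added example, not code from the original article, showing what the "tools in place to detect and block attacks" on an isolated device segment can look like at the simplest level: a default-deny flow policy for the segment, checked against flow records exported by a firewall or flow collector. Every address, network, host role and log line below is constructed for the example (a camera segment on 10.50.0.0/24, a corporate LAN on 10.10.0.0/16, a video recorder, an NTP server and a management host); the point is the policy shape, which is the same on any vendor's firewall.

```python
"""Flow-policy check for an isolated embedded-device segment.

Added example, not code from the original article. Everything here is
constructed: the embedded-device segment 10.50.0.0/24, the corporate
LAN 10.10.0.0/16, the hosts named in ALLOWED_FLOWS and the sample log.
"""
from __future__ import annotations

import ipaddress
from collections import Counter
from dataclasses import dataclass

EMBEDDED_NET = ipaddress.ip_network("10.50.0.0/24")   # the guarded device segment
CORPORATE_NET = ipaddress.ip_network("10.10.0.0/16")  # ordinary user/server LAN
INTERNAL_NETS = (EMBEDDED_NET, CORPORATE_NET)         # anything else counts as external

# Explicit allow list: (source net, destination net, protocol, destination port).
# Any flow touching EMBEDDED_NET that is not listed here is a violation (default deny).
ALLOWED_FLOWS = (
    (EMBEDDED_NET, ipaddress.ip_network("10.50.0.10/32"), "tcp", 554),  # cameras -> video recorder (RTSP)
    (EMBEDDED_NET, ipaddress.ip_network("10.10.1.5/32"), "udp", 123),   # devices -> internal NTP server
    (ipaddress.ip_network("10.10.2.20/32"), EMBEDDED_NET, "tcp", 443),  # management host -> device web UIs
)


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated record: '<src> <dst> <proto> <dport>'."""
    src, dst, proto, dport = line.split()
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport))


def matches_allow_list(flow: Flow) -> bool:
    return any(
        flow.src in src_net and flow.dst in dst_net and flow.proto == proto and flow.dport == dport
        for src_net, dst_net, proto, dport in ALLOWED_FLOWS
    )


def classify(flow: Flow) -> str:
    """Label a flow relative to the segment policy; only 'allowed' and 'out-of-scope' are benign."""
    src_in, dst_in = flow.src in EMBEDDED_NET, flow.dst in EMBEDDED_NET
    if not (src_in or dst_in):
        return "out-of-scope"          # does not involve the device segment at all
    if matches_allow_list(flow):
        return "allowed"
    if src_in and flow.dst in CORPORATE_NET:
        return "lateral-to-corporate"  # a device reaching into the user LAN
    if src_in and not any(flow.dst in net for net in INTERNAL_NETS):
        return "unexpected-egress"     # a device talking to an unknown external host
    if dst_in and not src_in:
        return "unexpected-inbound"    # something other than the management host reaching a device
    return "unexpected-intra-segment"  # device-to-device traffic not on the allow list


def audit(log_text: str) -> list[tuple[str, str]]:
    """Return (record, verdict) for every record that violates the policy."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        verdict = classify(parse_flow(line))
        if verdict not in ("allowed", "out-of-scope"):
            findings.append((line, verdict))
    return findings


def summarize(log_text: str) -> dict[str, int]:
    """Count verdicts across the whole log; useful as an alert threshold or dashboard input."""
    return dict(Counter(verdict for _, verdict in audit(log_text)))


# Constructed sample of flow records (src dst proto dport); not real traffic.
SAMPLE_LOG = """\
10.50.0.21 10.50.0.10 tcp 554
10.50.0.21 10.10.1.5 udp 123
10.10.2.20 10.50.0.21 tcp 443
10.50.0.21 10.10.3.40 tcp 445
10.50.0.22 203.0.113.9 tcp 443
10.10.7.7 10.50.0.22 tcp 23
10.50.0.21 10.50.0.22 tcp 80
10.10.7.7 10.10.8.8 tcp 80
"""

if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_LOG):
        print(f"{verdict:26} {record}")
    print(summarize(SAMPLE_LOG))
```

The allow list is deliberately short: a device that cannot be patched, has no anti-malware and cannot raise its own alerts gets no benefit of the doubt, so the segment policy enumerates the handful of flows it legitimately needs and treats every other flow as a finding. The verdict labels map directly onto the risks the article lists: a device reaching into the corporate LAN or an unknown external host is the behaviour you would expect from a compromised device, and unexpected inbound connections are attempts to use the weak or default credentials the device cannot shed. On a real firewall the same list becomes the rule set, with a logged default-deny rule at the end.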