INSECURE Magazine Issue 14 – Attacking Consumer Embedded Devices

Recently I had the opportunity (privilege actually) of writing an article for INSECURE Magazine which appeared in issue 14 and is titled “Attacking Consumer Embedded Devices”. It covers reasons why you would want to attack embedded devices, the goals of exploitation, example vulnerabilities and exploits, discovering vulnerabilities, and finally defense.
In researching and writing this article I had some thoughts that I will share (for those still reading this posting and not INSECURE magazine issue 14 :). First, its somewhat sad that the security industry as a whole is heavily focused on vulnerabilities and exploits, instead of attacks methodologies and protection of information. I think that far too many vendors, and the community as a whole, puts too much time and effort into what ultimately boils down to software bugs/vulnerabilities. I know this is true because so many times I go into the first meeting with a customer to discuss a security assessment and they automatically think that I should just be scanning the network for vulnerabilities. When in reality their organization, and most importantly their information, may be at risk due to other insufficient security measures such as poor physical security, end-users that will click on anything, and weak passwords. None of those problems can be solved by the latest and greatest intrusion prevention system, firewall, or vulnerability scanner. The best example that I can give is in the form of a question, if you can entice users to click a link and install software, why do you need a vulnerability to be present? This idea was underscored in “Tactical Exploitation” by HD Moore and Valsmith. I believe this is some of the most signifigant research/presentation to come out of the latest onslaught of conferences, including Blackhat, Defcon, and Toorcon.
So go check out this months INSECURE mag, and remember that software vulnerabilities are but a small part of the problem we must face as security professionals.

Paul Asadoorian

Paul Asadoorian is currently the Principal Security Evangelist for Eclypsium, focused on firmware and supply chain security awareness. Paul’s passion for firmware security extends back many years to the WRT54G hacking days and reverse engineering firmware on IoT devices for fun. Paul and his long-time podcast co-host Larry Pesce co-authored the book “WRTG54G Ultimate Hacking” in 2007, which fueled the firmware hacking fire even more. Paul has worked in technology and information security for over 20 years, holding various security and engineering roles in a lottery company, university, ISP, independent penetration tester, and security product companies such as Tenable. In 2005 Paul founded Security Weekly, a weekly podcast dedicated to hacking and information security. In 2020 Security Weekly was acquired by the Cyberrisk Alliance. Paul is still the host of one of the longest-running security podcasts, Paul’s Security Weekly, he enjoys coding in Python & telling everyone he uses Linux.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.