vege - Fotolia

Problem solve Get help with specific problems with your technologies, process and projects.

What strategies are best to ensure a secure embedded system?

Planning ahead in security testing helps to ensure a secure embedded system.

What strategies can I use to ensure embedded software is as secure as traditional application software? Is there extra security testing that should be done when working with embedded software systems?

There can certainly be a lot more to lose when embedded systems are attacked, but that shouldn't change your approach to how the software is developed. Regardless of the language, OS or hardware platform, the same strategies apply for application security. It all starts with the design. Threat modeling is key. This means looking at the overall system and determining everything from attack points to the specific exploits that can be carried out against the application.

Don't get too far off in the weeds worrying about embedded specifics. In the end, embedded system vulnerabilities are no different from those we see in traditional computer systems, such as:

  • Weak communication channels (e.g., known vulnerable versions of SSL)
  • Weak password and authentication mechanisms
  • Weak data storage methods

Every minute you plan in advance for the resiliency of your embedded systems, you'll see payoffs of often five- or tenfold. Take your time and do it properly.

When testing for embedded system security flaws, the general hacking methodology still applies:

  • Locate
  • Enumerate
  • Identify vulnerabilities
  • Exploit/demonstrate

That said, the specific means for finding and testing for embedded security flaws can be different than they are in traditional application security testing. In the case of embedded systems, you might still use traditional network and Web vulnerability scanners. However, depending on the embedded system platform, you might need more niche tool set including such as network analyzers, Bluetooth scanners, and Wi-Fi analysis tools. Exploit tools such as Metasploit can be beneficial as well. Being comfortable with an OS command prompt will help.

In the end, embedded systems are fair game for security testing -- and malicious hacking. Do what you can to find (and fix) the flaws before someone calls you out on them and creates problems for others.

Next Steps

Learn more about embedded operating systems

Printer vulnerabilities shed light on embedded systems security

Discover the seven deadly sins of embedded software development and testing

Dig Deeper on Topics Archive

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

What challenges has your enterprise faced with planning a secure embedded system?
We have embedded systems security, but haven't done much with it yet. Securing embedded systems used to be something that only agencies with three-letter initials could do anything with or about, but now you have more attacks coming, and the level of sophistication of the attack is dropping. But the tools to address these threats are once again lagging behind the attackers.
Thanks for the feedback. I feel like security tools are always lagging behind the attackers. They shift the attack, we shift the defense, they shift the attack, and the dance continues.
Very true, James.

We may lack certain security controls but there are plenty of ways to actually find/exploit the's no different than any other network host or application.