Skip to main content

Demystifying Hardware Security – Part I

May 24, 2013

The Risk

Competent information security professionals are constantly learning and adapting to the changing threat landscape. However, embedded device security is the elephant in the room that many seem to ignore. These devices generally take a back seat to the security concerns of the software running on servers and workstation machines, but they are becoming one of the leading information security concerns of our time. An embedded device can generally be categorized as an application-specific electronic device that is controlled by one or more microprocessors executing machine code.

It can be seen all around us. Humans are increasingly relying on embedded devices to assist us with daily tasks, often critical ones. Here is a brief list of things people use which are controlled by embedded devices:

  • Commercial Devices
    • Point-of-Sale Machines
    • Automatic Teller Machines
    • Vending Machines
    • Parking Meters
    • Utility Meters
    • Hotel Room Doors
    • X-Ray Machines
  • Consumer Devices
    • Cellular Phones
    • Televisions/Set Top Boxes
    • Gaming Consoles
    • Wireless Headsets/Keyboards/Mice
    • Home Security Systems
    • Printers
    • Wireless Access Points/Routers/Modems
  • Medical Devices
    • Pacemakers
    • Insulin Pumps
    • Glucose Monitors
  • Vehicles
    • Automobiles, Aircraft, etc.

Exploitable vulnerabilities in automobiles, printers, hotel room doors, pacemakers, televisions, utility meters, insulin pumps, cell phones, networking equipment, gaming consoles and other network-enabled devices have been publicly demonstrated. Some are local attacks while others can be conducted remotely. The consequences of these exploits include compromise of functionality, unauthorized physical access, theft of intellectual property, disclosure of personal information, financial loss and even injury or death to the user. These are negative outcomes for the end user as well as the company that produced the device, and they are reflections of the poor state of embedded device security.

Introducing PVED

The biggest hurdle for information security practitioners wanting to get involved with embedded device security is the steep learning curve in understanding the concepts. The barrier to entry is high compared to conventional information security assessment because the levels of abstraction that exist in general-purpose computers are simply not applicable to most embedded devices.

Working with embedded device security requires knowledge of low-level computer engineering concepts, the specifics of which vary from device to device. This is the security by obscurity that some vendors rely on instead of investing resources to properly secure their devices throughout their development lifecycles. Vendors may not even be aware of how certain design decisions will affect the security of the device. To make matters worse, it is far more difficult to deploy large-scale security patches to embedded devices as compared to traditional computers.

It is crucial that we as information security professionals have the skills to meet the needs of our society. To help address this problem, I created an open-source learning tool called Purposely Vulnerable Embedded Device (PVED). This device is intended to assist in learning hardware security assessment techniques that are used for low-level auditing of other devices with embedded software. These skills can be used to master the inner-workings of embedded devices and uncover the security vulnerabilities they may contain.

   Demystifying 3Demystifying 2

Some of the skills that can be taught with PVED include:

  • Basic circuit theory and analysis
  • Use of a microcontroller programmer
  • Use of a Saleae logic analyzer
  • Use of the multipurpose interfacing tool known as a Bus Pirate

In the next part of this series, I will demonstrate the use of the Saleae logic analyzer on the PVED. The analyzer will be used to intercept low-level communications within the hardware to expose stored user credentials.

Related Blogs

September 25, 2014

"Shellshock" Vulnerability in Bash Allows Unauthorized, Remote Code Execution

On September 24, a critical vulnerability - CVE-2014-6271 - was made public. This vulnerability, dubbed “Shellshock,” exposes a weakness in which cert...

See Details

How Can We Help?

Let us know what you need, and we will have an Optiv professional contact you shortly.

Privacy Policy


July 21, 2015

Network Security Solutions

Learn how we help protect your environment while maintaining connectivity.

See Details

August 24, 2017

Enterprise Incident Management Brief

Learn how Optiv’s workshop helps security leaders evolve their technical incident response practices to broad scope enterprise incident management.

See Details

October 06, 2017

Managed Security Services - Service Guide

Learn about our flexible and scalable services to improve your security capabilities.

See Details

Stay in the Know

For all the latest cybersecurity and Optiv news, subscribe to our blog and connect with us on Social.


Join our Email List

We take your privacy seriously and promise never to share your email with anyone.

Stay Connected

Find cybersecurity Events in your area.