Ask HN: Thoughts on Embedded Device Security?

3 points by mlmitch 4 years ago | 2 comments

I’m thinking of pursuing a project to improve embedded device security for enterprises. It seems like a weak spot in cyber security to me.

However, I’m looking for some insight into how enterprise security people and embedded developers think about this topic before I dive in.

Replies here would be awesome and much appreciated. However, I’m hoping I can tempt you into a deeper conversation over email with the following… First, I haven’t written a line of code so I don’t have anything to sell (yet). Second, I’m an experienced software developer on cyber security products so I should be able to contribute to an interesting conversation on the topic.

Thanks for reading. My email is in my bio.

AnimalMuppet 4 years ago |

You want much of the conversation to happen here, not in email. The magic is in people replying who weren't you or the top-level commenter.

My two cents: Embedded systems don't usually get managed like computers, so their updates happen slower (or not at all). When a new exploit is announced, IT races to patch the computers, but often doesn't think of the embedded systems.

Worse, the embedded system manufacturer may be more likely to go out of business than the computer manufacturer, and almost certainly is more likely to go out of business than the OS vendor. Updates simply may not be coming for the embedded system, so it may remain vulnerable forever.

mlmitch 4 years ago | |

Fair enough regarding the conversation happening here. There can definitely be positives to it. The reason I ask for email is that it’s hard to gauge peoples backgrounds (and the value of the information they provide) without a more intimate and in-depth conversation.

I generally agree with the impression you gave. When you say “IT … doesn’t think of the embedded systems”. Do they actually not think of them? Or is there just not much that they can do at the moment so there isn’t much effort put towards it?

Maybe there’s some other compensating strategy being used like very intense network segregation for embedded devices because of the current state of affairs?