
Security checklist for embedded devices

4/22/2002 11:28 AM EDT

  • Don't assume that an embedded device is too dumb or too obscure to be compromised — don't take embedded security for granted.
  • Completely configure and harden connected embedded devices before hooking them up to your local network.
  • Keep devices under development on private, isolated networks — developer hacking can facilitate unwelcome cracking from without or within.
  • Inventory and understand the ports and services available on a given device or from an embedded OS. Enable only those your application truly needs and disable the rest.
  • Consider placing embedded devices outside your corporate firewall; let them access corporate network resources through selected ports or, better, via secure services like SSL (Web interface), SSH or over a VPN.
  • Take extra care to secure wireless interfaces on embedded devices (for example, 802.11b): Use available security native to the protocol; harden access points (e.g., restrict wireless connections by MAC addresses); place access points outside your firewall, if possible.
  • Anticipate future software-update needs on deployed devices so that security patches can be applied (via OSGi and so on) to flash or other rewritable storage media.
  • For remote update, download and data logging, consider using pull-only access, where devices connect intermittently to "phone home," instead of pushing data onto always-connected and thereby exploitable devices.
  • Begin thinking about embedded devices like any other enterprise asset on a network.

— Bill Weinberg, MontaVista Software Inc.
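The checklist item on inventorying ports and services can be automated. The following is an added example, not part of the original article: it parses a Linux-style `/proc/net/tcp` table and reports listening sockets that are missing from an allowlist. The sample table, the allowlist and the function names are constructed for illustration, and a little-endian device is assumed unless `byteorder` says otherwise.

```python
import ipaddress
import struct

# Constructed sample in the layout of Linux /proc/net/tcp (little-endian device).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1203 1
   3: 0A01A8C0:0016 0501A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1204 1
"""

LISTEN = "0A"  # TCP_LISTEN in the kernel's socket state enum


def listeners(table, byteorder="<"):
    """Yield (IPv4Address, port) for every socket in LISTEN state.

    byteorder: "<" for a little-endian device, ">" for a big-endian one;
    the kernel prints the address in host byte order.
    """
    for line in table.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue                             # established, closing, etc.
        addr_hex, port_hex = fields[1].split(":")
        if len(addr_hex) != 8:
            continue                             # IPv6 rows are out of scope here
        raw = struct.pack(byteorder + "I", int(addr_hex, 16))
        yield ipaddress.IPv4Address(raw), int(port_hex, 16)


def audit(table, allowed_ports, byteorder="<"):
    """Return sorted (port, bind address, scope) for listeners not allowed."""
    findings = []
    for ip, port in listeners(table, byteorder):
        if port in allowed_ports:
            continue
        scope = "loopback only" if ip.is_loopback else "network reachable"
        findings.append((port, str(ip), scope))
    return sorted(findings)


if __name__ == "__main__":
    # Hypothetical policy: the application needs SSH (22) and nothing else.
    for port, addr, scope in audit(SAMPLE_PROC_NET_TCP, {22}):
        print(f"unexpected listener: {addr}:{port} ({scope})")
```

On a real device the table would come from reading `/proc/net/tcp` (and the UDP and IPv6 equivalents, which this example does not cover).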




