Embedded device hacking is the exploitation of vulnerabilities in embedded software to gain control of the device.
Attackers have hacked embedded systems to spy on the devices, to take control of them or simply to disable (brick) them. Embedded systems exist in a wide variety of devices, including Internet and wireless access points, IP cameras, security systems, pacemakers, drones and industrial control systems. The hacking may be carried out on flashable ROM chips or, as is more commonly the current practice, on firmware.
Traditionally, much of the hardware and many of the hardware systems controlled by embedded software have not been easy to interface with. This fact, along with the number of embedded operating systems, once provided relative security through obscurity. Because embedded systems were not considered prominent attack targets, their security has not always been a prime concern. However, as more and more embedded devices are exposed to the Internet because of driving forces like the Internet of Things (IoT) and remotely controlled industrial systems, the number of targets is increasing all the time.
Before the Extensible Firmware Interface came about, flashable BIOS ROMs could be infected with viruses. However, live updating has made forged or forced flashing through code exploits more common.
The Misfortune Cookie flaw, discovered in late 2014, allows an attacker to hack routers and gateway devices. Even more serious is Stuxnet, a worm carrying a rootkit exploit designed to compromise logic controllers in SCADA systems, which are used for nuclear power, water and sewage plants, as well as in telecommunications and oil and gas refining.