On This Page

Embedded Device Security Assessments for the Rest of Us

Security Weekly | August 1-2 & 3-4


The first day of this course will take a look at the embedded systems landscape, the different types of devices, various industries which use them, and some common embedded hardware and software platforms. While there are several different types of embedded systems, there are certain commonalities that are important to point out. Firmware layout will be covered in-depth, allowing you to understand the popular ways in which firmware is constructed, such that you can apply that knowledge to all different types of devices. We will also run labs to analyze firmware components and run firmware in emulation mode; setting you up to do some further analysis.

Module 1: What is an embedded system?

  • Examples of embedded systems in various categories
  • Why we should care about embedded systems security
  • Anatomy of Embedded Systems Vulnerabilities & Attacks
  • Attack Examples

Module 2: What is firmware?

  • Examples of various embedded systems firmware and operating systems
  • Firmware layout and operating systems
  • Introduction to binwalk
  • Lab #1.1: Obtaining & Analyze Firmware (binwalk)
  • Embedded Systems Hardware Overview
  • Embedded Processors Overview
  • Homework: Download Firmware From The Internet and Analyze The Structure

Module 3: Analyzing Firmware Offline

  • Running Firmware in Emulation
  • Introduction to Qemu
  • Lab #3.1: Running OpenWrt in Qemu
  • Introduction to the Firmware Modification Toolkit
  • Lab #4.1: Using The Firmware Modification Toolkit
  • "Scanning" Embedded Systems
  • Lab #5.: Nmap Scanning Embedded Systems
  • Discovering Authentication Backdoors Lab
  • #6: Scan live targets!
  • Homework: Scan an Embedded System You Own (or have permission to scan)

Day 2 of this course will focus on more in-depth means of vulnerability identification. We will review some of the common file system types and extract them from firmware. Mounting the file system is the first step, as once mounted you will learn ways in which to discover more vulnerabilities and information about the device. Building on your skills learned in this course we will extract and run binaries from the firmware. Web applications will also be covered, allowing the students to learn and develop attacks specific to web applications running on embedded systems. The day will come to a close with a discussion of defensive techniques organizations and vendors can implement to apply more security to embedded systems.

This day will include several "Capture the flag" exercises, applying what you learned in Day 1! (Complete with prize giveaways!)

  • Analyzing Firmware: More In-Depth
  • Embedded System Filesystem Types
  • Extracting & Mounting File Systems
  • Lab #2.1: Locating, Extracting, File Systems
  • Finds binary files from firmware
  • Extracting binaries from firmware
  • Building the environments for binaries
  • Lab #2.2: Locating, Extracting & Running Binaries

  • Updating Firmware
  • Embedded Systems Hardening
  • Authentication Management
  • Common Embedded Systems Protocols (Attack & Defense)
  • Review the "Top Ten Embedded Systems Security Elements"

Who Should Take this Course

  • Individuals responsible for securing systems in an organization, especially embedded systems
  • Consultants performing penetration testing for clients
  • Systems administrators who are responsible for maintaining embedded systems

Student Requirements

Knowledge and Experience with Linux-based Operating Systems. No really, we are serious about this one. If you are not familiar with using the Linux command line (Bash), editing files in Linux (vi is the editor), you may want to consider taking other courses that teach these skills before taking this course. Having familiarity with embedded systems hardware, firmware constructs, and scripting languages is helpful, it is not a requirement. However, in order to learn about embedded systems, you must have familiarity with Linux, as the embedded systems covered in this course will primarily run Linux, and given the small environment we have to work with, the most basic set of Linux tools is all that is available to us.

Basic knowledge of TCP/IP and various common protocols (Such as HTTP, TELNET, etc.)

What Students Should Bring

VMware Player or VMware Workstation is required for the class. If you plan to use a Macintosh, please make sure you bring VMware Fusion.


The course includes a VMware image file of a guest Linux system that is larger than 2 GB. Therefore, you need a file system with the ability to read and write files that are larger than 2 GB, such as NTFS on a Windows machine.

IMPORTANT NOTE: You will also be required to disable your anti-virus (or any other host-based protection) tools temporarily for some exercises, so make sure you have the anti-virus administrator permissions to do so. DO NOT plan on just killing your anti-virus service or processes because most anti-virus tools still function even when their associated services and processes have been terminated. For many enterprise-managed clients, disabling your anti-virus tool may require a different password than the Administrator account password. Please bring that administrator password for your anti-virus tool.

Enterprise VPN clients may interfere with the network configuration required to participate in the class. If your system has an enterprise VPN client installed, you may need to uninstall it for the exercises in class.


You will use VMware to run a Linux operating system simultaneously when performing exercises in class. You must have either the free VMware Player 3 or later or the commercial VMware Workstation 6 or later installed on your system prior to coming to class.

Alternatively, if you want a more flexible and configurable tool, you can download a free 30-day trial copy of VMware Workstation. VMware will send you a time- limited license number for VMware Workstation if you register for the trial at their Web site. No license number is required for VMware Player.

We will give you a USB full of attack tools to experiment with during the class and take home for later analysis. We will also provide a Linux image with all of our tools pre-installed that runs within VMware Player or VMware Workstation.


You do not need to bring a Linux system if you plan to use our Linux image in VMware. However, you are required to bring VMware Workstation or VMware Player. The class does not support VirtualPC or other non-VMware virtualization products.

Mandatory Laptop Hardware Requirements

  • x86- or x64-compatible 1.5 GHz CPU Minimum or higher
  • DVD Drive (not a CD drive)
  • A usable USB port (This is important, USB drives will be used to distribute the VM required for class!)
  • 2 GB RAM minimum with 4 GB or higher recommended
  • Ethernet adapter (A wired connection is required in class. If your laptop supports only wireless, please make sure to bring an Ethernet adapter with you.)
  • 5 GB available hard drive space
  • During the workshop, you will be required to connect to a network with your classmates (which could be one of the most hostile networks on planet Earth!) Your laptop might be attacked, despite our script warnings that students refrain from this activity. Do not have any sensitive data stored on the system.

By bringing the right equipment and preparing in advance, you can maximize what you'll see and learn as well as have a lot of fun.

What Students Will Be Provided With

  • A Virtual Machine (Linux-Based Ubuntu Distribution) configured with all of the tools required for class on a USB thumb drive (which students get to keep)
  • Several different firmware distributions to analyze and run


Paul Asadoorian, Founder & CEO, Security Weekly I have been researching embedded systems vulnerabilities for several years. In 2007 we published a book on hacking Linksys WRT54G routers. That experience provided me with a foundation for understanding embedded systems vulnerabilities and exploits, and I have been "hooked" ever since. The market has exploded with all sorts of embedded systems, everything from remote management devices inside your servers, to home smoke detectors. Devices of today, also dubbed "The Internet of Things"(IoT) are commonplace. However, the security landscape remains unchanged for the past 10 years or more. I was intrigued by printer vulnerabilities 10 years ago, and many of the vulnerabilities being reported today existed in devices back then. It is clear that things need to change, and my goal of this course is two-fold: 1) Teach people how embedded systems work and how to discover common vulnerabilities 2) raise awareness in the community such that we are poised to affect change in the industry and be able to purchase more secure embedded systems in the future.