I’m not going into too much detail here as they’re well covered in other material. Consider attacks on:
The physical device – what physical controls does the device have to prevent or reveal tampering?
Tamper switches
Locks
Armor (e.g. safes)
Network interfaces
Particularly radio links that are often deployed with no encryption at all (proprietary Nordic 2.4 GHz protocols, BLE, Zigbee)
Web interfaces
Software interfaces
Social engineering (your staff)
Cryptographic protocols. Many embedded systems use cryptosystems with known attacks, very short key lengths, or simply incorrect implementations. Because the attacker has physical control of the host hardware, timing and other side-channel attacks are also much easier to execute than against a remote server.
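The "incorrect implementation" case above is easiest to see with the most common one: an early-exit tag or password compare. The block below is an added example written for this page, not code from the original text or from any particular device firmware. It pairs a leaky compare with a constant-time one and simulates an attacker who has the device in hand, using a byte counter as a stand-in for the cycle counter, scope trace or response latency they would really measure. The 8-byte secret is constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Bytes inspected by the most recent compare. In a real attack this is a
 * cycle counter, a scope trace or response latency; here it is a counter
 * so the leak is visible on any machine. */
static size_t g_bytes_touched;

typedef int (*compare_fn)(const uint8_t *expected, const uint8_t *guess, size_t n);

/* Early-exit compare of the kind found in many firmware MAC/password checks:
 * it returns as soon as a byte differs, so the work done reveals how many
 * leading bytes of the guess were right. */
int tag_compare_leaky(const uint8_t *expected, const uint8_t *guess, size_t n)
{
    g_bytes_touched = 0;
    for (size_t i = 0; i < n; i++) {
        g_bytes_touched++;
        if (expected[i] != guess[i])
            return 0;
    }
    return 1;
}

/* Constant-time compare: touches every byte and ORs the differences together,
 * so the work done is independent of where (or whether) a mismatch occurs. */
int tag_compare_ct(const uint8_t *expected, const uint8_t *guess, size_t n)
{
    uint8_t diff = 0;
    g_bytes_touched = 0;
    for (size_t i = 0; i < n; i++) {
        g_bytes_touched++;
        diff |= (uint8_t)(expected[i] ^ guess[i]);
    }
    return diff == 0;
}

size_t bytes_touched(void) { return g_bytes_touched; }

/* Simulated attacker with the device in hand: recovers the tag one byte at a
 * time by keeping the candidate that makes the compare do the most work, and
 * stops as soon as a guess is accepted. Returns how many bytes of out match secret. */
size_t recover_tag(compare_fn cmp, const uint8_t *secret, size_t n, uint8_t *out)
{
    memset(out, 0, n);
    for (size_t i = 0; i < n; i++) {
        size_t best_work = 0;
        uint8_t best = 0;
        for (int v = 0; v < 256; v++) {
            out[i] = (uint8_t)v;
            if (cmp(secret, out, n))
                return n;                 /* guess accepted: fully recovered */
            if (bytes_touched() > best_work) {
                best_work = bytes_touched();
                best = (uint8_t)v;
            }
        }
        out[i] = best;
    }
    size_t correct = 0;
    for (size_t i = 0; i < n; i++)
        correct += (out[i] == secret[i]);
    return correct;
}

int main(void)
{
    /* Constructed 8-byte secret tag; no zero bytes, so a blind guess of 0 never scores. */
    const uint8_t secret[8] = { 0x3c, 0xa1, 0x5e, 0x77, 0x19, 0xf0, 0x42, 0x8d };
    uint8_t out[8];
    printf("leaky compare: %zu/8 bytes recovered\n", recover_tag(tag_compare_leaky, secret, 8, out));
    printf("constant-time: %zu/8 bytes recovered\n", recover_tag(tag_compare_ct, secret, 8, out));
    return 0;
}
```

Against the leaky compare the attacker needs at most 256 tries per byte instead of 256^8 for the whole tag; against the constant-time compare every candidate scores the same and nothing is learned. On real hardware the per-byte timing difference is a handful of cycles, which is why having the device on the bench (cycle-accurate triggering, many repeated measurements) matters so much.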
Extracting firmware
The chief weakness of an embedded device is that it’s physically not in your control. The attacker has total control of a single device, and if they learn enough about the software stack, they can develop exploits that work across many devices.
Bypassing microcontroller code locks
RAM/parallel bus sniffing
Read firmware through the bootloader
Reading a serial flash chip without removing it from the PCB
Reading code from microcontrollers
Remove a flash chip from the PCB
SPI bus sniffing
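Reading a serial flash chip, whether in-circuit with a clip or after removing it, comes down to two SPI commands. The block below is an added example for this page, not code from the original text or any particular tool: it frames the JEDEC ID (0x9F) and READ (0x03) commands over a caller-supplied transfer callback, and includes a constructed in-memory stand-in for the chip so it runs without hardware. The manufacturer byte 0xEF is Winbond's; the other two ID bytes and the chip contents are made up for the simulation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard SPI-NOR opcodes shared by JEDEC-compatible chips (e.g. W25Qxx, MX25Lxx). */
#define CMD_JEDEC_ID 0x9F
#define CMD_READ     0x03
#define READ_CHUNK   256

/* One full-duplex SPI transaction with chip select held low for its whole
 * length: byte tx[i] is clocked out while rx[i] is clocked in. On real
 * hardware this wraps a bit-banged GPIO loop, spidev, or an FTDI/Bus Pirate call. */
typedef void (*spi_xfer_fn)(void *ctx, const uint8_t *tx, uint8_t *rx, size_t len);

/* JEDEC ID (0x9F): one opcode byte, then three bytes clocked in while sending dummies. */
void spi_flash_jedec_id(spi_xfer_fn xfer, void *ctx, uint8_t id[3])
{
    uint8_t tx[4] = { CMD_JEDEC_ID, 0, 0, 0 };
    uint8_t rx[4] = { 0 };
    xfer(ctx, tx, rx, sizeof tx);
    memcpy(id, rx + 1, 3);
}

/* READ (0x03): opcode, 24-bit big-endian address, then one dummy byte out per
 * data byte wanted. 24-bit addressing covers chips up to 16 MiB; larger parts
 * need 4-byte address mode (a different opcode), which is not handled here. */
size_t spi_flash_read(spi_xfer_fn xfer, void *ctx, uint32_t addr, uint8_t *out, size_t len)
{
    uint8_t tx[4 + READ_CHUNK], rx[4 + READ_CHUNK];
    size_t done = 0;
    while (done < len) {
        size_t chunk = len - done;
        if (chunk > READ_CHUNK) chunk = READ_CHUNK;
        uint32_t a = addr + (uint32_t)done;
        tx[0] = CMD_READ;
        tx[1] = (uint8_t)(a >> 16);
        tx[2] = (uint8_t)(a >> 8);
        tx[3] = (uint8_t)a;
        memset(tx + 4, 0, chunk);
        xfer(ctx, tx, rx, 4 + chunk);
        memcpy(out + done, rx + 4, chunk);
        done += chunk;
    }
    return done;
}

/* --- Constructed stand-in for a flash chip so the code runs without hardware --- */
typedef struct {
    const uint8_t *mem;
    size_t size;
    uint8_t id[3];
} sim_flash;

static void sim_xfer(void *ctx, const uint8_t *tx, uint8_t *rx, size_t len)
{
    sim_flash *f = ctx;
    if (len == 0) return;
    memset(rx, 0xFF, len);              /* an idle MISO line reads as all ones */
    if (tx[0] == CMD_JEDEC_ID) {
        for (size_t i = 0; i < 3 && 1 + i < len; i++)
            rx[1 + i] = f->id[i];
    } else if (tx[0] == CMD_READ && len >= 4) {
        uint32_t a = ((uint32_t)tx[1] << 16) | ((uint32_t)tx[2] << 8) | tx[3];
        for (size_t i = 4; i < len; i++, a++)
            rx[i] = (a < f->size) ? f->mem[a] : 0xFF;
    }
}

/* Fills a fake 1 KiB chip, reads 300 bytes starting at 500 (crossing a 256-byte
 * chunk boundary) and returns 1 if the dump matches and the ID came back. */
int demo_in_circuit_read(void)
{
    static uint8_t chip[1024];
    for (size_t i = 0; i < sizeof chip; i++) chip[i] = (uint8_t)(i * 7);
    /* 0xEF is Winbond's manufacturer byte; the other two are made up for the demo. */
    sim_flash f = { chip, sizeof chip, { 0xEF, 0x40, 0x14 } };

    uint8_t id[3], dump[300];
    spi_flash_jedec_id(sim_xfer, &f, id);
    size_t n = spi_flash_read(sim_xfer, &f, 500, dump, sizeof dump);

    if (id[0] != 0xEF || n != sizeof dump) return 0;
    for (size_t i = 0; i < n; i++)
        if (dump[i] != (uint8_t)((500 + i) * 7)) return 0;
    return 1;
}

int main(void)
{
    printf("in-circuit read %s\n", demo_in_circuit_read() ? "OK" : "FAILED");
    return 0;
}
```

Reading the JEDEC ID first is the practical sanity check: if it comes back as all 0xFF or all 0x00, the clip is not making contact or the host MCU is still driving the bus, and the dump that follows will be garbage. For in-circuit reads, holding the host in reset (see the reset and clock manipulation items further down) is usually what makes the bus quiet enough to read.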
Extracting keys
Many embedded devices carry valuable private crypto keys. Methods to extract these include:
Acoustic key extraction from chips
Differential power analysis
Glitching
Attacks on chips
Very few ICs are designed with security in mind. They contain valuable firmware and crypto keys. Methods to attack them include:
Decapping
Microprobing
Optical key extraction from chip backside
Optical ROM extraction
Partial flash reprogramming through light exposure
Other
The hardware of embedded devices can be manipulated in interesting ways to expose security problems.
Connecting debuggers
Device cloning (by manufacturer or third party)
Finding JTAG ports
Finding serial ports
Identity cloning by connecting multiple devices to the same legitimate identity chip
Inhibiting clocks
Inhibiting reset
Manipulating RTCs
Modifying serial numbers and identity chips
Firmware analysis
Firmware can be obtained from a running device or as an update package from the vendor. The challenge, then, is to make sense of it and find security flaws.
Binary analysis is well covered in the existing reverse engineering literature, but there are some embedded-specific tools available.
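The two first passes those embedded-specific tools make over a dump are a signature scan (what file systems and executables are embedded, and at which offsets) and an entropy map (which regions are compressed or encrypted). The block below is an added example for this page, not code from the original text or from binwalk or any other tool: it implements both passes over a constructed 4 KiB image containing erase padding, an ELF header and a pseudo-random region behind a gzip magic. The signature table and the image layout are assumptions chosen for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* log2(x) for 0 < x <= 1 without libm (so this builds with plain cc):
 * integer part by doubling, fraction by repeated squaring. */
static double log2_nolibm(double x)
{
    double r = 0.0, bit = 0.5;
    while (x < 1.0) { x *= 2.0; r -= 1.0; }     /* now 1 <= x < 2 */
    for (int i = 0; i < 24; i++) {
        x *= x;
        if (x >= 2.0) { x /= 2.0; r += bit; }
        bit /= 2.0;
    }
    return r;
}

/* Shannon entropy in bits per byte. Compressed or encrypted regions sit near
 * 8.0; code, tables and padding are well below. A high-entropy region with no
 * recognisable header in front of it is the usual sign of an encrypted payload. */
double block_entropy(const uint8_t *p, size_t n)
{
    size_t hist[256] = { 0 };
    double h = 0.0;
    if (n == 0) return 0.0;
    for (size_t i = 0; i < n; i++) hist[p[i]]++;
    for (int b = 0; b < 256; b++) {
        if (hist[b] == 0) continue;
        double pr = (double)hist[b] / (double)n;
        h -= pr * log2_nolibm(pr);
    }
    return h;
}

typedef struct { const char *name; const uint8_t *magic; size_t len; } signature;
typedef struct { size_t offset; const char *name; } hit;

/* A few magics commonly found in Linux-based firmware images. */
static const signature SIGS[] = {
    { "ELF",      (const uint8_t *)"\x7f" "ELF", 4 },
    { "gzip",     (const uint8_t *)"\x1f\x8b",   2 },
    { "SquashFS", (const uint8_t *)"hsqs",       4 },
    { "UBI",      (const uint8_t *)"UBI#",       4 },
};

/* Linear scan for known magics, reported in offset order. Returns hits stored. */
size_t scan_signatures(const uint8_t *img, size_t n, hit *out, size_t max)
{
    size_t count = 0;
    for (size_t off = 0; off < n && count < max; off++) {
        for (size_t s = 0; s < sizeof SIGS / sizeof SIGS[0]; s++) {
            if (off + SIGS[s].len <= n && memcmp(img + off, SIGS[s].magic, SIGS[s].len) == 0) {
                out[count].offset = off;
                out[count].name = SIGS[s].name;
                count++;
                break;
            }
        }
    }
    return count;
}

#define IMG_SIZE 4096
static uint8_t g_img[IMG_SIZE];

/* Constructed image: 1 KiB of 0xFF erase padding, an ELF header at 1 KiB, then
 * 1.5 KiB of pseudo-random bytes behind a gzip magic at 2 KiB (standing in for
 * a compressed kernel), then zeros. Not a real vendor image. */
const uint8_t *build_sample_image(size_t *len)
{
    uint32_t s = 0x12345678;                    /* xorshift32 state */
    memset(g_img, 0xFF, 1024);
    memset(g_img + 1024, 0, IMG_SIZE - 1024);
    memcpy(g_img + 1024, "\x7f" "ELF", 4);
    g_img[2048] = 0x1f;
    g_img[2049] = 0x8b;
    for (size_t i = 2050; i < 3584; i++) {
        s ^= s << 13; s ^= s >> 17; s ^= s << 5;
        g_img[i] = (uint8_t)s;
    }
    *len = IMG_SIZE;
    return g_img;
}

int main(void)
{
    size_t len;
    const uint8_t *img = build_sample_image(&len);
    hit hits[16];
    size_t n = scan_signatures(img, len, hits, 16);
    for (size_t i = 0; i < n; i++)
        printf("0x%06zx  %s\n", hits[i].offset, hits[i].name);
    for (size_t off = 0; off < len; off += 1024)
        printf("0x%06zx  entropy %.2f bits/byte\n", off, block_entropy(img + off, 1024));
    return 0;
}
```

Two-byte magics such as gzip's will match by chance inside any large random-looking region, so a real scanner validates the rest of the header (and, for file systems, the superblock fields) before trusting a hit; the entropy map is what tells you whether a region is worth carving at all, and whether decompression or a key is going to be the next step.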