wadetandy | 9 years ago
Security by obscurity is never a good idea, but especially not when it might prevent a white hat from finding a bug that would allow a malicious actor to remotely STOP MY HEART.
smallnamespace | 9 years ago
1) White hat finds a vulnerability in the source code which applies to a large number of devices. 2) Source is patched but vulnerable devices exist in the wild.
Now all an attacker needs to do is find a vulnerable device; because the source code is public like OP suggests, figuring out which devices are vulnerable is trivial.
Unless I'm missing something drastic, this is actually a problem in the embedded space where obscurity seems to help.