MobiWatcher

Monitor your home from cell phone anywhere, anytime

About the author

Author Name BKing.


    Disclaimer

    The opinions expressed herein are my own personal opinions and do not represent my employer's view in any way.

    © Copyright 2010

    Security for embedded system

    A family system, whether a single computer or a simple LAN, used to be purely an outbound connection node: family users only initiated outgoing requests to download music, upload pictures or surf the web.

     

    But things have changed recently with the evolution of embedded systems and the expansion of IP-based services. The family system has started to accept inbound connections to handle requests. Typical applications for such inbound connections are P2P games, VoIP and IP video surveillance.

     

    Take IP video surveillance as an example: a web server runs in an embedded device and serves incoming requests for real-time video, snapshots, recorded images or administration tasks. A service is generally considered more vulnerable than a non-service application because it opens more ports and takes in information from outside, which can be malicious.

     

    An embedded device running open services such as FTP or web, deployed in a family environment, can pose a great security threat to regular family users. The reasons can be briefly summed up as follows:

     

    1. The family system is the least protected end point in the WWW world: no professional system admin, no commercial-grade firewall, no password and security policy.
    2. Family users are regular users without much knowledge of how to protect their network or how to detect an attack.
    3. Most services running in embedded systems are implemented loosely, without security in mind in the first place.
    4. For an embedded system, end-to-end protection of the connection channel is impossible. Standard SSL just does not work for an embedded system: SSL is tied to a domain name, and it is impossible to deploy an SSL certificate in an embedded system with a dynamic IP address. Also, no one will pay for and renew the certificate after the device is shipped.
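
To check how much of the inbound surface described above a device actually exposes, this added example (not code from the original post) parses Linux's /proc/net/tcp table and lists the listening sockets reachable from other hosts, tagging the FTP and web ports the post names. The sample table is constructed, and an IPv4-only, little-endian device is assumed.

```python
import ipaddress

# Constructed sample in /proc/net/tcp format (not captured from a real device).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1201 1
   1: 00000000:0015 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1202 1
   2: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1203 1
   3: 6401A8C0:0050 0A01A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1204 1
"""

TCP_LISTEN = 0x0A                    # kernel state code for a listening socket
CLEARTEXT = {21: "ftp", 80: "http"}  # the two open services the post mentions


def parse_listeners(text):
    """Return [(IPv4Address, port)] for every socket in LISTEN state."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 4 or int(fields[3], 16) != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        # Assumption: little-endian CPU, so the address bytes print reversed.
        ip = ipaddress.IPv4Address(bytes.fromhex(hex_ip)[::-1])
        listeners.append((ip, int(hex_port, 16)))
    return listeners


def exposed(listeners):
    """Drop loopback-only listeners; tag the rest with a known cleartext service."""
    report = [(str(ip), port, CLEARTEXT.get(port, "unknown"))
              for ip, port in listeners if not ip.is_loopback]
    return sorted(report, key=lambda row: row[1])


if __name__ == "__main__":
    try:
        with open("/proc/net/tcp") as fh:       # live table on a Linux device
            table = fh.read()
    except OSError:
        table = SAMPLE                          # fall back to the constructed sample
    for ip, port, service in exposed(parse_listeners(table)):
        print(f"{ip}:{port} accepts inbound connections ({service})")
```

A listener bound to 0.0.0.0 is reachable on every interface, which is the inbound exposure the post is concerned with; one bound to 127.0.0.1 is not.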

     

    No matter how much an IP camera brags about its security features, it can very easily be tampered with if somebody really wants to, because if there is no protection over the whole transport channel, the device is regarded as having no protection. The same goes for other embedded devices with open services running.

     

    However, the security flaw for embedded systems is not really as significant as it sounds. The reason is the limited capability of an embedded system: a tampered embedded system won't be as harmful as a desktop system.

    Posted by bking on Monday, May 05, 2008 8:53 PM