Embedded devices are often thought to be more secure than other systems because their code is typically “burned” into hardware and is not as easily replaced by attackers, who essentially hijack systems to perform, or to assist in performing, a malicious attack. However, this same consistency results in deployments that often use the same administrative passwords to manage the devices. Attackers have lists of the default administrative credentials used in many embedded devices, and they can use these lists to gain access to the administrative consoles and then make use of the device without replacing any code.
Additionally, the network configurations used to support embedded devices are commonly consistent from one deployment to the next. Once learned, they leave many devices even more vulnerable, because each duplicated network configuration is easier for an attacker to understand and navigate once the password of a device operating on the network is known. Always change the default administrative passwords, or make sure that your embedded device vendor changes them, before putting an embedded device into use.
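One way to enforce this before deployment is to audit the provisioning inventory for default and shared administrative credentials. The sketch below is an added example, not code from the original page. It assumes the provisioning system stores a keyed fingerprint (HMAC) of each device's admin credential instead of the plaintext. The field names, the audit key, the default list and the sample inventory are all constructed placeholders.

```python
import hashlib
import hmac
from collections import defaultdict

# Assumption: a secret held only by the provisioning system (constructed value).
AUDIT_KEY = b"constructed-audit-key"

# Constructed placeholder defaults, not a real vendor's credential list.
VENDOR_DEFAULTS = [("admin", "admin"), ("root", "example-default")]

def fingerprint(user, password, key=AUDIT_KEY):
    """Keyed fingerprint so credentials can be compared without storing plaintext."""
    msg = user.encode() + b"\x00" + password.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def audit(inventory, defaults=VENDOR_DEFAULTS, key=AUDIT_KEY):
    """Return {device_id: [findings]} for devices that should not be deployed yet."""
    default_fps = {fingerprint(u, p, key) for u, p in defaults}
    by_fp = defaultdict(list)
    for dev in inventory:
        by_fp[dev["cred_fp"]].append(dev["id"])
    findings = defaultdict(list)
    for dev in inventory:
        # Finding 1: the credential is still a known vendor default.
        if dev["cred_fp"] in default_fps:
            findings[dev["id"]].append("default-credential")
        # Finding 2: the same credential is duplicated on other devices.
        shared = sorted(d for d in by_fp[dev["cred_fp"]] if d != dev["id"])
        if shared:
            findings[dev["id"]].append("shared-with:" + ",".join(shared))
    return dict(findings)

# Constructed sample inventory (hypothetical device ids and credentials).
SAMPLE_INVENTORY = [
    {"id": "cam-01", "cred_fp": fingerprint("admin", "admin")},
    {"id": "cam-02", "cred_fp": fingerprint("admin", "Kf7#constructed-1")},
    {"id": "plc-01", "cred_fp": fingerprint("ops", "Zq2!constructed-2")},
    {"id": "plc-02", "cred_fp": fingerprint("ops", "Zq2!constructed-2")},
]

if __name__ == "__main__":
    for dev_id, issues in sorted(audit(SAMPLE_INVENTORY).items()):
        print(dev_id, issues)
```

A device with any finding is held back from deployment until its administrative password has been changed to a unique value.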