Default Configuration Analysis

The security paradigm Secure by Default is not specific to hardware-related assets/embedded systems/mobile computing devices, however, comparable to Secure Code Review, is often neglected on those systems for various reasons.

Hence developers should ship releases with a secure default configuration, with particular regard to enforced authentication, supported strong authentication mechanisms, use of encryption features and reliable authorization components.

These publications illustrate the limitations and deviations from security best practices when it comes to hardware-related functions/embedded devices, thus motivating the need to require strong defaults despite any limitations:

https://www.atmia.com/files/Best%20Practices/ATMIA%20Best%20Practices%20v3.pdf
http://www.darkreading.com/perimeter/the-secret-behind-the-nsa-breach-network-infrastructure-is-the-next-target/a/d-id/1326729

https://downloads.cloudsecurityalliance.org/assets/research/internet-of-things/future-proofing-the-connected-world.pdf

Default Configuration Analysis

Further Reading: