Embedded Expertise

Become a partner >>

You’re Not Special: The Fallacy of Not Being a Cybertarget

Every few months, I sit across from a customer explaining why their connected product doesn’t need real cybersecurity. “It’s not a target,” they say with confidence, often followed by a knowing shrug, like they’ve just closed the case with common sense.

It’s a beautiful moment, really. A perfect blend of wishful thinking, budget fatigue, and selective memory. But let’s unpack this comfortable illusion.

Who would ever want to hack this?

The logic seems sound, at first glance. Your product isn’t handling credit card numbers, it’s not guarding state secrets, it doesn’t even have a screen. Who would waste their time?

Well, the internet doesn’t work that way. In reality, devices don’t get attacked because they’re important. They get attacked because they’re available. Because they’re connected. Because they’re vulnerable. It’s not personal. It’s statistical.

If you leave your shed unlocked in the woods, maybe no one breaks in for months. That doesn’t mean you’ve invented a new security model — it just means nobody stumbled upon it yet.

True Story

No Network, No Problem — Still DoS’d

Do you believe a network or physical access is required to compromise a device? Nope.

One of my clients had a basic setup: a light barrier tracking engine rotation, connected to a microcontroller. Each time the beam was cut, an interrupt captured a free-running counter. A little math, and voilà — RPM.

Then someone fired a spark plug nearby. At high frequency. The microcontroller was instantly swamped by parasitic interrupts. It was unable to compute the RPM, as well as all the other services. An offline Denial of Service, brought to you by electromagnetic chaos.

Fix? Add a real CEM filter, and redesign the logic: let the light barrier increment a hardware counter, and sample it at a steady pace. No more interrupt storms. No more DoS. No attacker in sight — just thoughtful basic engineering.

The Anatomy of a Breach Waiting to Happen

People often confuse low value with low risk. But that’s a dangerous shortcut.

In reality, a breach doesn’t require your system to guard gold bars. It just needs four things to align:

  • Stake – What’s at risk if it fails? It could be user safety, business continuity, brand damage, or legal exposure.

  • Vulnerability – Is there a flaw that can be exploited, even accidentally?

  • Opportunity – Is the system accessible? Is it connected? Can it be probed, even indirectly?

  • Vector – Is there a path for the exploit to reach its target?

And let’s not forget the motivation — because attackers don’t just attack for fun (well, sometimes they do). They do it for money (ransomware, crypto mining, botnets), prestige (look what I broke), revenge, hacktivism, or sometimes just out of pure curiosity.

Your product might not be interesting — until it becomes the perfect stepping stone to something that is.

You may think that compromising your device is harmless anyway (it’s usually not). But consider this: a compromised device is a foot in the networking door. From there, it can scan, pivot, listen, exfiltrate — quietly doing the dirty work while the real prize sits somewhere else on the same subnet.

So no, you’re probably not the target. But you might be a target. And that’s all it takes.

But It Never Happened!

This is another favorite. No breach has occurred, so therefore none ever will.

By that logic, the Titanic didn’t need lifeboats on its maiden voyage. And that’s the thing: security isn’t retrospective. It’s not about fixing what already blew up — it’s about preventing yourself from becoming the cautionary tale others cite.

Do you really want to be the first?

The Bear Rule

Here’s a fun analogy: If you’re camping and a bear attacks, you don’t have to be faster than the bear. You just have to be faster than your friend.

Cybersecurity follows the same rule. You don’t have to build an unbreachable fortress (spoiler: you can’t). You just have to be harder to breach than the next guy.

Attackers are rational — or at least lazy. They don’t like effort. If your device is patched, authenticated, and monitored — even imperfectly — while someone else’s is a Telnet-loving relic from 2003, guess whose product ends up in a botnet?

You Need a Roadmap, Not a Miracle

Now, I’m not suggesting you go full paranoia and halt development to harden every line of code. That’s not realistic. But what’s dangerous is treating security like a checkbox — or worse, a luxury add-on.

Security isn’t a product tier. It’s not a firmware patch you push once a journalist calls. It has to be there from the start.

Incorporate cybersecurity into the nominal features of your product — not as an aftersales plug-in. Every feature, from the boldest system capability to the smallest GPIO interaction, should be examined through a security lens. From the cloud backend down to the gate pin, each piece deserves scrutiny.

Too late? Already exposed? Having a security epiphany after your product is in the field? Overwhelmed by your 1234-lines CVE report? Don’t panic. Exploits don’t rain down every second. You have time — if you act. Identify the threats. Build your security roadmap as part of your regular feature release plan. And eat the elephant one bite at a time.

Security is a process. Again: Know your threats. Prioritize what matters. Build a roadmap and evolve it.

You don’t need to outrun the bear every day — just when it matters. But you do need your shoes laced.

Not Sure Where to Start?

If you’re suddenly wondering where your product stands — or realizing you might be wearing flip-flops in bear country — we can help.

From quick audits to long-term roadmaps and maintenance programs, we work with teams to identify vulnerabilities, prioritize fixes, and bake security into actionable product plans, not wishlists. No judgment, no panic — just pragmatic, engineering-first advice.

Get in touch if you’d like to start running faster than the other guy.

Contact