You can find router firmware sourcecode online and find pretty egregious vulnerabilities if you're really trying to learn.
Alot of embedded stuff is outsourced and doesn't want to waste the computing power for stuff like stack canaries. I recall the following from making a tool for a dlink? router?
//Reads a file name
foo ReadFilePath()
{
// Get file name
// TICKET 21321: Fixed crash by increasing buffer size
char FilePath[100];
ReadFileName(&FilePath);
}
It sticks out to me, since the crash was clearly from a buffer overflow, and they had this documented in the source code that increasing the buffer size fixes it. What they didn't realize was that the bug would still happen and you could get a buffer overflow from this and do whatever you wanted. This is the level of programmer you're dealing with who's writing embedded software in an overseas sweatshop. And the talent isn't even there domestically since they're severely underpaid compared to someone writing simple javascript.
The people who actually can do it are not underpaid. These days they are brought in to do cleanup. They can name their price and pick their assignments.
Only if you’re looking for top dollar when you graduate. Which unfortunately a lot of people are. It makes sense, most people pick this field for the salary and not out of passion (like the vast majority of professions).
But if you take a couple C/assembly/systems electives, look for internships at hardware companies, build a couple of toy projects on the side, and graduate with even a modicum of embedded experience, there will be companies that will hire you, pretty much guaranteed. You won’t be making 250k out of the gate, but you should still be making a more-than-livable salary (and frequently in a lower cost of living area than, say, the Bay), and if you pick companies correctly, you can be working with and learning from some truly genius engineers.
The pipeline’s there, it’s just not attractive (read: $$$$$$$) enough to pull in most people in the industry.
Alot of embedded stuff is outsourced and doesn't want to waste the computing power for stuff like stack canaries. I recall the following from making a tool for a dlink? router?
//Reads a file name foo ReadFilePath() { // Get file name // TICKET 21321: Fixed crash by increasing buffer size char FilePath[100]; ReadFileName(&FilePath); }
It sticks out to me, since the crash was clearly from a buffer overflow, and they had this documented in the source code that increasing the buffer size fixes it. What they didn't realize was that the bug would still happen and you could get a buffer overflow from this and do whatever you wanted. This is the level of programmer you're dealing with who's writing embedded software in an overseas sweatshop. And the talent isn't even there domestically since they're severely underpaid compared to someone writing simple javascript.