Via US-CERT, the Internet Crime Complaint Center (IC3) has a new document on embedded device security risks:
IC3 Issues Alert on IoT Devices: The Internet Crime Complaint Center (IC3) has issued an alert to individuals and businesses about the security risks involved with the Internet of Things (IoT). IoT refers to the emerging network of devices (e.g., smart TVs, home automation systems) that connect to one another via the Internet, often automatically sending and receiving data. US-CERT encourages individuals and businesses to review the IC3 Alert for more information regarding IoT vulnerabilities and mitigation techniques.
Excerpt:
What are the IoT Risks? Deficient security capabilities and difficulties for patching vulnerabilities in these devices, as well as a lack of consumer security awareness, provide cyber actors with opportunities to exploit these devices. Criminals can use these opportunities to remotely facilitate attacks on other systems, send malicious and spam e-mails, steal personal information, or interfere with physical safety. The main IoT risks include:
* An exploitation of the UPnP protocol to gain access to many IoT devices. The UPnP describes the process when a device remotely connects and communicates on a network automatically without authentication. UPnP is designed to self-configure when attached to an IP address, making it vulnerable to exploitation. Cyber actors can change the configuration, and run commands on the devices, potentially enabling the devices to harvest sensitive information or conduct attacks against homes and businesses, or engage in digital eavesdropping;
* An exploitation of default passwords to send malicious and spam e-mails, or steal personally identifiable or credit card information;
* Compromising the IoT device to cause physical harm;
* Overloading the devices to render the device inoperable;
* Interfering with business transactions.
Full announcement:
https://www.us-cert.gov/ncas/current-activity/2015/09/11/IC3-Issues-Alert-IoT-Devices-0
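
To see which devices on a network you administer answer UPnP discovery, as the first risk in the excerpt describes, the following added example (not part of the IC3 alert or the US-CERT notice) parses SSDP search replies and flags those advertising gateway-control services. The `SAMPLE` replies are constructed with documentation addresses, and the function names are this example's own.

```python
import socket
# UPnP types that expose gateway configuration (e.g. port mappings) with no authentication step.
RISKY_TYPES = tuple("urn:schemas-upnp-org:" + t for t in (
    "device:InternetGatewayDevice:", "service:WANIPConnection:", "service:WANPPPConnection:"))
M_SEARCH = (b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            b'MAN: "ssdp:discover"\r\nMX: 2\r\nST: ssdp:all\r\n\r\n')

def parse_ssdp(raw):
    """Return lower-cased headers of one SSDP search reply, or {} if not a 200."""
    lines = raw.decode("utf-8", "replace").split("\r\n")
    if not lines[0].upper().startswith("HTTP/1.1 200"):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def audit(responses):
    """responses: iterable of (source_ip, raw_bytes); one finding per valid reply."""
    findings = []
    for ip, raw in responses:
        h = parse_ssdp(raw)
        if h:
            st = h.get("st", "")
            findings.append({"ip": ip, "st": st, "location": h.get("location", ""),
                             "risky": st.startswith(RISKY_TYPES)})
    return findings

def discover(timeout=3.0):
    """Multicast one M-SEARCH on the local segment and collect the replies."""
    replies = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH, ("239.255.255.250", 1900))
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(4096)
                replies.append((ip, data))
        except socket.timeout:
            return replies

SAMPLE = [  # constructed replies using documentation addresses
    ("192.0.2.1", b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.1:5000/rootDesc.xml\r\n"
                  b"ST: urn:schemas-upnp-org:service:WANIPConnection:1\r\n\r\n"),
    ("192.0.2.20", b"HTTP/1.1 200 OK\r\nLOCATION: http://192.0.2.20:8080/desc.xml\r\n"
                   b"ST: urn:schemas-upnp-org:device:MediaRenderer:1\r\n\r\n"),
]
```

`audit(SAMPLE)` works offline; `audit(discover())` runs the same check against live replies. Devices flagged `risky` are candidates for disabling UPnP or moving to an isolated network segment.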