Embedded devices (including the so-called Internet of Things) pose unique problems for those responsible for managing and assessing their security. The devices tend to be less transparent and more tightly integrated than typical software and generally lack the host-based security controls (privilege separation, host firewalls, etc.) found on desktop or server applications. This talk will cover some of the unique constraints for threat modeling and assessing these devices, then walk through an assessment of a VoIP phone and discuss the issues found there, including potential mitigations that can be applied if a device cannot be updated.